BGP route leak at Rostelecom disrupted the connectivity of the largest networks

As a result of an erroneous BGP announcement, more than 8800 foreign network prefixes were redirected through the Rostelecom network, which led to a brief collapse of routing, disrupted network connectivity and problems accessing some services worldwide. The problem covered more than 200 autonomous systems belonging to major Internet companies and content delivery networks, including Akamai, Cloudflare, Digital Ocean, Amazon AWS, Hetzner, Level3, Facebook, Alibaba and Linode.

The erroneous announcement was made by Rostelecom (AS12389) on April 1 at 22:28 (MSK). It was then picked up by the provider Rascom (AS20764) and spread further along the chain to Cogent (AS174) and Level3 (AS3356), whose reach covers almost all first-tier (Tier-1) Internet providers. BGP monitoring services promptly notified Rostelecom of the problem, so the incident lasted ten minutes (according to other data, the effects were observed for about an hour).

This is not the first incident involving an error on Rostelecom's side. In 2017, for 5-7 minutes, the networks of major banks and financial services, including Visa and MasterCard, were routed through Rostelecom. In both incidents the source of the problem appears to have been work related to traffic management. For example, a route leak can occur when setting up internal monitoring, prioritization or mirroring of traffic passing through Rostelecom for certain services and CDNs (because of the increased network load from mass work from home, lowering the priority of traffic to foreign services in favour of domestic resources was discussed at the end of March). As an illustration, several years ago an attempt in Pakistan to route YouTube subnets to a null interface led to those subnets appearing in BGP announcements and all YouTube traffic flowing to Pakistan.

Interestingly, the day before the Rostelecom incident, the small provider "New Reality" (AS50048) from the city of Sumerlya announced, via Transtelecom, 2658 prefixes affecting Orange, Akamai, Rostelecom and the networks of more than three hundred companies. The route leak caused several waves of traffic redirection, each lasting several minutes. At its peak, the problem affected up to 300 million IP addresses. A global disruption was avoided because Transtelecom applies route restrictions to each individual customer.

Similar incidents happen on the Internet regularly and will continue until authorization of BGP announcements based on RPKI (BGP Origin Validation) is deployed everywhere, so that announcements are accepted only from the owners of the networks. Without authorization, any operator can advertise a subnet with false information about the route length and draw through itself part of the traffic from other systems that do not filter advertisements.

At the same time, in the incident under consideration, a check using the RIPE RPKI repository turned out to be useless. By coincidence, three hours before the BGP route leak at Rostelecom, 4100 ROA records (RPKI Route Origin Authorization) were accidentally deleted during a RIPE software update. The database was restored only on April 2, and throughout that time the check did not work for RIPE clients (the problem did not affect the RPKI repositories of other registrars). Today RIPE has new problems, and the RPKI repository was unavailable for seven hours.
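The origin check described above, as an added example (not code from the original article): a minimal RFC 6811 classifier run over constructed ROAs that use documentation prefixes and documentation ASNs. It also shows why the deleted ROA records made the check useless: with no covering ROA the state is "not-found", which a drop-invalids policy accepts.

```python
import ipaddress

# Constructed sample ROAs: (prefix, maxLength, authorized origin ASN).
# Documentation prefixes and ASNs only, not real registry data.
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64502),
]


def validate_origin(prefix, origin_asn, roas):
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route only if the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match needs the same origin AS (AS0 never matches) and a prefix
        # length no longer than the ROA's maxLength.
        if roa_asn != 0 and roa_asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"


def accepted(prefix, origin_asn, roas):
    """Assumed 'drop invalids' import policy: only 'invalid' routes are rejected."""
    return validate_origin(prefix, origin_asn, roas) != "invalid"


if __name__ == "__main__":
    # Constructed announcements: (prefix, origin ASN seen in the AS path).
    announcements = [
        ("192.0.2.0/24", 64500),     # legitimate origin
        ("192.0.2.0/24", 64511),     # wrong origin AS
        ("198.51.100.0/25", 64501),  # right AS, more specific than maxLength
        ("2001:db8:1::/48", 64502),  # within maxLength
        ("203.0.113.0/24", 64500),   # no covering ROA
    ]
    for label, roas in (("ROAs present", SAMPLE_ROAS), ("ROAs deleted", [])):
        print(label)
        for prefix, asn in announcements:
            state = validate_origin(prefix, asn, roas)
            verdict = "accept" if accepted(prefix, asn, roas) else "drop"
            print(f"  {prefix:<18} AS{asn}  {state:<9} {verdict}")
```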

Registry-based filtering using the IRR (Internet Routing Registry), which defines the autonomous systems through which routing of the specified prefixes is permitted, can also be used as a way to block leaks. When interacting with small operators, you can reduce the impact of human error by limiting the maximum number of accepted prefixes for EBGP sessions (the maximum-prefix setting).

In most cases, incidents are caused by accidental personnel errors, but recently there have also been targeted attacks, in which attackers compromise providers' infrastructure to organize redirection and interception of traffic in order to substitute specific sites by mounting a MiTM attack that replaces DNS responses.
To make it harder to obtain TLS certificates during such attacks, the Let's Encrypt certificate authority recently switched to multi-position domain checking using different subnets. To pass this check, an attacker would need to achieve route redirection simultaneously for several autonomous systems of providers with different uplinks, which is much harder than redirecting a single route.

Source: opennet.ru
