Molo, igama lam nguAlexander Azimov. Kwi-Yandex, ndiphuhlisa iinkqubo ezahlukeneyo zokubeka iliso, kunye nokwakhiwa kwenethiwekhi yezothutho. Kodwa namhlanje siza kuthetha ngeprotocol yeBGP.
Kwiveki edlulileyo, i-Yandex yenza i-ROV (i-Route Origin Validation) kwi-interfaces kunye nabo bonke abalingani boontanga, kunye neendawo zokutshintshiselana kwezithuthi. Funda ngezantsi malunga nokuba kutheni le nto yenziwe kwaye izakuchaphazela njani intsebenziswano nabaqhubi be-telecom.
BGP kwaye yintoni engalunganga ngayo
Mhlawumbi uyazi ukuba iBGP yayiyilwe njengeprothokholi yomzila we-interdomain. Nangona kunjalo, endleleni, inani leemeko zokusetyenziswa zikwazile ukukhula: namhlanje, i-BGP, ngenxa yezandiso ezininzi, iye yajika yaba yibhasi yomyalezo, egubungela imisebenzi evela kumqhubi we-VPN ukuya kwi-SD-WAN efashini ngoku, kwaye sele ifumene isicelo njenge uthutho kumlawuli SDN-ezifana, ukuguqula umgama vector BGP ibe into efanayo amakhonkco wahlala protocol.
Umzobo: 1.
Kutheni i-BGP ifumene (kwaye iyaqhubeka ifumana) ukusetyenziswa okuninzi? Kukho izizathu ezibini eziphambili:
- I-BGP yinkqubo yomthetho kuphela esebenza phakathi kweenkqubo ezizimeleyo (AS);
- I-BGP ixhasa iimpawu kwi-TLV (uhlobo-ubude-ixabiso) ifomathi. Ewe, iprotocol ayiyodwa kule nto, kodwa ngenxa yokuba akukho nto inokuyithatha endaweni yayo ekudibaneni phakathi kwabaqhubi be-telecom, ihlala ijika ibenenzuzo ngakumbi ukuncamathisela enye into esebenzayo kuyo kunokuxhasa iprotocol eyongezelelweyo yomzila.
Kwenzeka ntoni kuye? Ngamafutshane, iprotocol ayinazo iindlela ezakhelwe ngaphakathi zokujonga ukuchaneka kolwazi olufunyenweyo. Oko kukuthi, i-BGP yi-priori trust protocol: ukuba ufuna ukuxelela ihlabathi ukuba ngoku ungumnikazi womnatha we-Rostelecom, i-MTS okanye i-Yandex, nceda!
Isihluzi esisekwe kwi-IRRDB-esona sibi kakhulu
Umbuzo uvela: kutheni i-Intanethi isasebenza kwimeko enjalo? Ewe, isebenza ixesha elininzi, kodwa kwangaxeshanye iqhuma rhoqo, isenze ukuba amacandelo esizwe aphelele angafikeleleki. Nangona umsebenzi we-hacker kwi-BGP nayo iyanda, i-anomalies ezininzi zisabangelwa zizinambuzane. Umzekelo walo nyaka eBelarus, eyenza inxalenye ebalulekileyo ye-Intanethi ingafikeleleki kubasebenzisi beMegaFon kwisiqingatha seyure. Omnye umzekelo - yaphula enye yezona nethiwekhi zikhulu zeCDN kwihlabathi.
Irayisi. 2. Cloudflare traffic interception
Kodwa kunjalo, kutheni le nto i-anomalies isenzeka kanye emva kweenyanga ezintandathu, kwaye kungekhona yonke imihla? Ngenxa yokuba abathwali basebenzisa oovimba beenkcukacha zangaphandle zolwazi lokuhamba ukuze baqinisekise oko bakufumanayo kubamelwane be-BGP. Zininzi ezo nkcukacha zolwazi, ezinye zazo zilawulwa ngababhalisi (i-RIPE, i-APNIC, i-ARIN, i-AFRINIC), abanye ngabadlali abazimeleyo (eyona idumileyo yi-RADB), kwaye kukho isethi epheleleyo yababhalisi beenkampani ezinkulu (i-Level3 , NTT, njalo njalo). Kungumbulelo kolu gcino-lwazi ukuba umzila we-inter-domain ugcina uzinzo oluhambelana nokusebenza kwayo.
Nangona kunjalo, kukho ama-nuances. Ulwazi lomzila lukhangelwe ngokusekelwe kwi-ROUTE-OBJECTS kunye nezinto ze-AS-SET. Kwaye ukuba eyokuqala ithetha ugunyaziso lwenxalenye ye-IRRDB, ngoko kwiklasi yesibini akukho sigunyaziso njengeklasi. Oko kukuthi, nabani na unokongeza nabani na kwiiseti zabo kwaye ngaloo ndlela adlule kwizihluzi zababoneleli abaphezulu. Ngaphezu koko, ukungafani kwegama le-AS-SET phakathi kweziseko ezahlukeneyo ze-IRR akuqinisekiswanga, oku kunokukhokelela kwimiphumo emangalisayo ngokulahleka ngokukhawuleza koqhagamshelwano kumqhubi we-telecom, owathi, ngenxa yakhe, akazange atshintshe nantoni na.
Umngeni owongezelelweyo yipatheni yokusetyenziswa kwe-AS-SET. Kukho amanqaku amabini apha:
- Xa umsebenzisi efumana umxhasi omtsha, iyongeza kwi-AS-SET yayo, kodwa phantse asoze ayisuse;
- Izihluzi ngokwazo ziqwalaselwe kuphela kujongano nabaxhasi.
Ngenxa yoko, ifomati yanamhlanje yezihluzi ze-BGP ziquka izihluzo ezithob' isidima ngokuthe ngcembe kunxibelelwano nabathengi kunye nokuthembela okuphambili kwinto evela kumaqabane oontanga kunye nababoneleli bezothutho be-IP.
Yintoni ebuyisela izihluzo zesimaphambili esisekwe kwi-AS-SET? Eyona nto inomdla kukuba kwixesha elifutshane - akukho nto. Kodwa iindlela ezongezelelweyo ziyavela ezincedisa umsebenzi we-IRRDB-based filters, kwaye okokuqala, oku, kunjalo, i-RPKI.
I-RPKI
Ngendlela elula, i-architecture ye-RPKI inokucingwa njengesiseko sedatha esisasazwayo esineerekhodi ezinokuqinisekiswa ngokufihlakeleyo. Kwimeko ye-ROA (i-Route Object Authorization), umsayini ungumnini wendawo yedilesi, kwaye irekhodi ngokwayo i-triple (isiqalo, i-asn, max_length). Ngokusisiseko, olu ngeniso luthumela oku kulandelayo: umnini wesithuba sedilesi ye-$ prefix ugunyazise inombolo ye-AS $ asn ukuthengisa izimaphambili ezinobude obungekho ngaphezu kwe-$ max_length. Kwaye ii-routers, zisebenzisa i-cache ye-RPKI, ziyakwazi ukujonga ibini ukuthotyelwa isimaphambili - isithethi sokuqala endleleni.
Umzobo 3. Uyilo lweRPKI
Izinto ze-ROA zibekwe emgangathweni ixesha elide, kodwa kude kube kutshanje ziye zahlala kuphela ephepheni kwijenali ye-IETF. Ngokombono wam, isizathu soku sivakala sisoyikisa - ukuthengisa kakubi. Emva kokuba ukubekwa emgangathweni kugqityiwe, inkuthazo yayikukuba i-ROA ikhuselwe ngokuchasene nokuqweqwediswa kwe-BGP - okwakungeyonyani. Abahlaseli banokudlula ngokulula izihluzi ezise-ROA ngokufaka inombolo ye-AC echanekileyo ekuqaleni kwendlela. Kwaye ngokukhawuleza ukuba oku kuqonda kufikile, inyathelo elilandelayo elinengqiqo yayikukuyeka ukusetyenziswa kwe-ROA. Kwaye ngokwenene, kutheni sifuna iteknoloji ukuba ayisebenzi?
Kutheni ilixesha lokutshintsha ingqondo yakho? Kuba oku akuyonyaniso yonke. I-ROA ayikhuseli ngokuchasene nomsebenzi we-hacker kwi-BGP, kodwa ikhusela ekuxhwilweni kwezithuthi ngengozi, umzekelo ukusuka kwi-static ukuvuza kwi-BGP, eya isiba yinto eqhelekileyo. Kwakhona, ngokungafaniyo nezihluzi ezisekelwe kwi-IRR, i-ROV ingasetyenziselwa kuphela kwi-interfaces kunye nabaxhasi, kodwa nakwi-interfaces kunye noontanga kunye nababoneleli abaphezulu. Oko kukuthi, kunye nokuqaliswa kwe-RPKI, i-priori trust iyanyamalala ngokuthe ngcembe kwi-BGP.
Ngoku, ukujonga iindlela ezisekwe kwi-ROA ngokuthe ngcembe ziphunyezwa ngabadlali abaphambili: eyona IX inkulu yaseYurophu sele ilahla iindlela ezingachanekanga; phakathi kwabaqhubi be-Tier-1, kufanelekile ukugqamisa i-AT&T, eyenze ukuba izihluzi zisebenze kwi-interfaces kunye namaqabane ayo oontanga. Abona baboneleli bomxholo abakhulu nabo basondela kwiprojekthi. Kwaye abaqhubi bezothutho abaninzi abaphakathi sele beyiphumezile ngokuzolileyo, bengaxelelanga mntu ngayo. Kutheni bonke aba baqhubi besebenzisa i-RPKI? Impendulo ilula: ukukhusela itrafikhi yakho ephumayo kwiimpazamo zabanye abantu. Yingakho i-Yandex ingomnye wabokuqala kwi-Russian Federation ukubandakanya i-ROV kumda womnatha wayo.
Kuza kwenzeka ntoni emva koko?
Ngoku siye savumela ukujonga ulwazi lwendlela kwiindawo zokujongana neendawo zotshintshiselwano lwetrafikhi kunye nokujonga ngasese. Kwixesha elizayo elingekude, uqinisekiso luyakwenziwa ukuba lusebenze kunye nababoneleli bezithuthi ezinyukayo.
Kwenza wuphi umahluko oku kuwe? Ukuba ufuna ukonyusa ukhuseleko lokuhamba kwetrafikhi phakathi kwenethiwekhi yakho kunye neYandex, sicebisa:
- Sayina indawo yedilesi yakho - ilula, ithatha imizuzu emi-5-10 ngokomyinge. Oku kuya kukhusela uxhulumaniso lwethu kwimeko apho umntu ebeba indawo yakho yedilesi ngokungazi (kwaye oku kuya kwenzeka ngokuqinisekileyo kungekudala okanye kamva);
- Faka enye yemithombo evulekileyo yokugcina indawo ye-RPKI (, ) kwaye wenze ukujonga indlela kumda womnatha - oku kuyakuthatha ixesha elingakumbi, kodwa kwakhona, akuyi kubangela nabuphi na ubunzima bobugcisa.
I-Yandex iphinde ixhase ukuphuhliswa kwenkqubo yokucoca ngokusekelwe kwinto entsha ye-RPKI - (Ugunyaziso loMboneleli weNkqubo oluZimeleyo). Izihlungi ezisekelwe kwizinto ze-ASPA kunye ne-ROA azikwazi nje ukuthatha indawo "evuzayo" ye-AS-SETs, kodwa iphinde ivale imiba yokuhlaselwa kwe-MiTM usebenzisa i-BGP.
Ndiza kuthetha ngeenkcukacha malunga ne-ASPA kwinyanga kwinkomfa elandelayo yeHop. Abalingane abavela kwiNetflix, Facebook, Dropbox, Juniper, Mellanox kunye neYandex nabo baya kuthetha apho. Ukuba unomdla kwi-stack yenethiwekhi kunye nokuphuhliswa kwayo kwixesha elizayo, yiza .
umthombo: www.habr.com