Sawubona, igama lami ngingu-Alexander Azimov. E-Yandex, ngithuthukisa izinhlelo ezihlukahlukene zokuqapha, kanye nezakhiwo zenethiwekhi yezokuthutha. Kodwa namuhla sizokhuluma nge-protocol ye-BGP.
Evikini eledlule, i-Yandex inike amandla i-ROV (Ukuqinisekiswa Kwemvelaphi Yomzila) ezindaweni zokuxhumana nabo bonke ozakwethu abangozakwethu, kanye nezindawo zokushintshana kwethrafikhi. Funda ngezansi ngokuthi kungani lokhu kwenziwa nokuthi kuzothinta kanjani ukuxhumana nabasebenzi bezingcingo.
BGP nokuthi yini engalungile ngayo
Cishe uyazi ukuthi i-BGP yaklanywa njengephrothokholi yomzila wesizinda. Kodwa-ke, endleleni, inani lamacala okusetshenziswa likwazile ukukhula: namuhla, i-BGP, ngenxa yezandiso eziningi, isiphenduke ibhasi lomlayezo, elihlanganisa imisebenzi evela ku-opharetha we-VPN kuya ku-SD-WAN yemfashini manje, futhi ithole ngisho nesicelo njenge ukuthutha kwesilawuli esifana ne-SDN, ukuguqula ivekhtha yebanga i-BGP ibe into efana nephrothokholi ehlezi izixhumanisi.
U-fig. 1.
Kungani i-BGP ithole (futhi isaqhubeka nokuthola) ukusetshenziswa okuningi kangaka? Kunezizathu ezimbili eziyinhloko:
- I-BGP iyona kuphela iphrothokholi esebenza phakathi kwezinhlelo ezizimele (AS);
- I-BGP isekela izibaluli ngefomethi ye-TLV (ubude bohlobo-inani). Yebo, iphrothokholi ayiyona yodwa kulokhu, kodwa njengoba ingekho into engase ithathelwe indawo lapho kuhlangana khona ama-telecom opharetha, kuhlale kuzuzisa kakhulu ukunamathisela enye into esebenzayo kuyo kunokweseka iphrothokholi yomzila eyengeziwe.
Yini engalungile ngaye? Kafushane, iphrothokholi ayinazo izindlela ezakhelwe ngaphakathi zokuhlola ukulunga kolwazi olutholiwe. Okusho ukuthi, i-BGP iyiphrothokholi yokwethenjwa kwe-priori: uma ufuna ukutshela umhlaba ukuthi manje ungumnikazi wenethiwekhi ye-Rostelecom, MTS noma Yandex, sicela!
Isihlungi esisekelwe ku-IRRDB - esingcono kakhulu sokubi kakhulu
Umbuzo uphakama: kungani i-intanethi isasebenza esimweni esinjalo? Yebo, isebenza isikhathi esiningi, kodwa ngesikhathi esifanayo iqhuma ngezikhathi ezithile, okwenza zonke izingxenye zezwe zingafinyeleleki. Nakuba umsebenzi womgebengu we-inthanethi ku-BGP nawo ukhula, ukudideka okuningi kusabangelwa izimbungulu. Isibonelo salo nyaka eBelarus, okwenza ingxenye ebalulekile ye-inthanethi ingafinyeleleki kubasebenzisi beMegaFon isigamu sehora. Esinye isibonelo - uphule elinye lamanethiwekhi amakhulu e-CDN emhlabeni.
Ilayisi. 2. Ukunqamuka kwethrafikhi ye-Cloudflare
Kodwa noma kunjalo, kungani ukungahambi kahle okunjalo kwenzeka kanye njalo ezinyangeni eziyisithupha, hhayi zonke izinsuku? Ngoba abathwali basebenzisa imininingo egciniwe yangaphandle yolwazi lomzila ukuze baqinisekise lokho abakuthola komakhelwane be-BGP. Ziningi lezi zingosi zolwazi, ezinye zazo ziphethwe ababhalisi (i-RIPE, APNIC, ARIN, AFRINIC), abanye abadlali abazimele (owaziwa kakhulu yi-RADB), futhi kukhona nesethi yonke yababhalisi bezinkampani ezinkulu (Level3 , NTT, njll.). Kungenxa yalezi zingosi zolwazi ukuthi umzila phakathi kwesizinda ugcina ukuzinza okuhlobene kokusebenza kwakho.
Nokho, kukhona ama-nuances. Ulwazi lomzila luyahlolwa ngokusekelwe ku-ROUTE-OBJECTS kanye nezinto ze-AS-SET. Futhi uma eyokuqala isho ukugunyazwa kwengxenye ye-IRRDB, kusho ukuthi ekilasini lesibili akukho ukugunyazwa njengekilasi. Okusho ukuthi, noma ubani angakwazi ukwengeza noma ubani kumasethi abo futhi ngaleyo ndlela adlule izihlungi zabahlinzeki abakhuphuka nomfula. Ngaphezu kwalokho, okuhlukile kokuqanjwa kwe-AS-SET phakathi kwezisekelo ezihlukene ze-IRR akuqinisekisiwe, okungaholela emiphumeleni emangalisayo ngokulahleka okungazelelwe kokuxhumeka ku-opharetha we-telecom, okwathi, ngokwengxenye yakhe, akazange ashintshe lutho.
Inselele eyengeziwe iphethini yokusetshenziswa ye-AS-SET. Kunamaphuzu amabili lapha:
- Uma opharetha ethola iklayenti elisha, liyengeza ku-AS-SET yalo, kodwa cishe akalokothi alisuse;
- Izihlungi ngokwazo zicushwa kuphela ezindaweni zokusebenzelana namaklayenti.
Njengomphumela, ifomethi yesimanje yezihlungi ze-BGP iqukethe izihlungi ezehlisa isithunzi kancane kancane ezindaweni zokuhlangana namaklayenti kanye nokwethemba okuza kuqala kozakwethu abangozakwethu nabahlinzeki bezokuthutha be-IP.
Yini emiselela izihlungi zesiqalo ngokusekelwe ku-AS-SET? Okuthakazelisa kakhulu ukuthi esikhathini esifushane - lutho. Kodwa kuvela izindlela ezengeziwe ezihambisana nomsebenzi wezihlungi ezisekelwe ku-IRRDB, futhi okokuqala, lokhu, yiqiniso, i-RPKI.
I-RPKI
Ngendlela eyenziwe lula, i-architecture ye-RPKI ingacatshangwa njengendawo egciniwe esabalalisiwe amarekhodi ayo angaqinisekiswa nge-cryptographically. Esimeni se-ROA (Ukugunyazwa Kwento Yomzila), osayinileyo ungumnikazi wesikhala sekheli, futhi irekhodi ngokwalo liphindwe kathathu (isiqalo, asn, max_length). Empeleni, lokhu okufakiwe kuthumela okulandelayo: umnikazi wesikhala sekheli lesiqalo se-$ ugunyaze inombolo engu-AS engu-$asn ukuthi ikhangise iziqalo ezinobude obungengaphezu kuka-$max_length. Futhi ama-routers, esebenzisa inqolobane ye-RPKI, ayakwazi ukuhlola ipheya ukuthi iyahambisana yini isiqalo - isikhulumi sokuqala endleleni.
Umfanekiso 3. Izakhiwo ze-RPKI
Izinto ze-ROA zimisiwe isikhathi eside impela, kodwa kuze kube muva nje bezihlala ephepheni kuphela kujenali ye-IETF. Ngokubona kwami, isizathu salokhu sizwakala sithusa - ukumaketha okubi. Ngemva kokuphothulwa kokulinganisa, ugqozi kwaba ukuthi i-ROA ivikele ekuduneni kwe-BGP - okwakungelona iqiniso. Abahlaseli bangadlula kalula izihlungi ezisekelwe e-ROA ngokufaka inombolo elungile ye-AC ekuqaleni kwendlela. Futhi ngokushesha nje lapho lokhu kuqaphela kufika, isinyathelo esilandelayo esinengqondo kwaba ukushiya ukusetshenziswa kwe-ROA. Futhi ngempela, kungani sidinga ubuchwepheshe uma kungasebenzi?
Kungani kuyisikhathi sokushintsha umqondo wakho? Ngoba lokhu akulona iqiniso lonke. I-ROA ayivikeli ngokumelene nomsebenzi we-hacker ku-BGP, kodwa ivikela ukudunwa kwezimoto ngephutha, isibonelo kusukela ekuvuzeni okumile ku-BGP, osekuvame kakhulu. Futhi, ngokungafani nezihlungi ezisekelwe ku-IRR, i-ROV ingasetshenziswa hhayi kuphela ezindaweni zokuhlangana namaklayenti, kodwa nasezindaweni zokuhlangana nontanga nabahlinzeki abakhuphuka nomfula. Okusho ukuthi, kanye nokwethulwa kwe-RPKI, i-priori trust iyanyamalala kancane kancane ku-BGP.
Manje, ukuhlola imizila esekelwe ku-ROA kuqaliswa kancane kancane ngabadlali ababalulekile: I-IX enkulu kunazo zonke yaseYurophu isivele ilahla imizila engalungile; phakathi kwama-opharetha we-Tier-1, kufanelekile ukugqamisa i-AT&T, enikeze amandla okokuhlunga ezindaweni zokusebenzelana nabalingani bayo abangontanga. Abahlinzeki abakhulu bokuqukethwe nabo bayasondela kuphrojekthi. Futhi inqwaba yabaqhubi bezokuthutha abanosayizi omaphakathi sebevele bakusebenzisa buthule, ngaphandle kokutshela muntu ngakho. Kungani bonke laba opharetha basebenzisa i-RPKI? Impendulo ilula: ukuvikela ithrafikhi yakho ephumayo emaphutheni abanye abantu. Yingakho i-Yandex ingenye yezokuqala e-Russian Federation ukufaka i-ROV emaphethelweni enethiwekhi yayo.
Kuzokwenzekani ngokulandelayo?
Manje sesivumele ukuhlola ulwazi lomzila ezindaweni zokushintshisana ezinethrafikhi kanye nokubuka okuyimfihlo. Esikhathini esizayo esiseduze, ukuqinisekiswa kuzophinde kunikwe amandla nabahlinzeki bethrafikhi abakhuphuka nomfula.
Kwenza mehluko muni kuwe lokhu? Uma ufuna ukukhulisa ukuphepha komzila wethrafikhi phakathi kwenethiwekhi yakho ne-Yandex, sincoma:
- Sayina indawo yekheli lakho - ilula, ithatha imizuzu engu-5-10 ngokwesilinganiso. Lokhu kuzovikela ukuxhumana kwethu esimweni lapho othile entshontsha indawo yekheli lakho engazi (futhi lokhu kuzokwenzeka nakanjani maduze noma kamuva);
- Faka enye yezinqolobane zomthombo ovulekile we-RPKI (, ) futhi unike amandla ukuhlola komzila emngceleni wenethiwekhi - lokhu kuzothatha isikhathi esiningi, kodwa futhi, ngeke kubangele noma yiziphi izinkinga zobuchwepheshe.
I-Yandex iphinde isekele ukuthuthukiswa kwesistimu yokuhlunga esekelwe entweni entsha ye-RPKI - (Ukugunyazwa Komhlinzeki Wesistimu Ezizimele). Izihlungi ezisekelwe ezintweni ze-ASPA ne-ROA azikwazi nje ukufaka esikhundleni se-AS-SET "evuzayo", kodwa futhi zivale izindaba zokuhlasela kwe-MiTM kusetshenziswa i-BGP.
Ngizokhuluma kabanzi nge-ASPA enyangeni engqungqutheleni ye-Next Hop. Ozakwethu abavela kuNetflix, Facebook, Dropbox, Juniper, Mellanox kanye neYandex nabo bazokhuluma lapho. Uma unentshisekelo kusitaki senethiwekhi nokuthuthukiswa kwaso esikhathini esizayo, woza .
Source: www.habr.com