BGP route leak at Rostelecom disrupted connectivity of major networks

As a result of an erroneous BGP announcement, more than 8800 foreign network prefixes were redirected through the Rostelecom network, which led to a brief routing collapse, disruption of network connectivity, and problems accessing some services around the world. The problem affected more than 200 autonomous systems owned by large Internet companies and content delivery networks, including Akamai, Cloudflare, Digital Ocean, Amazon AWS, Hetzner, Level3, Facebook, Alibaba and Linode.

The erroneous announcement was made by Rostelecom (AS12389) on April 1 at 22:28 (MSK), was then picked up by the provider Rascom (AS20764), and spread further along the chain to Cogent (AS174) and Level3 (AS3356), whose reach covers almost all first-tier (Tier-1) Internet providers. BGP monitoring services promptly notified Rostelecom of the problem, so the incident lasted about 10 minutes (according to other data, the effects were observed for about an hour).

This is not the first incident involving an error on Rostelecom's side. In 2017, the networks of major banks and financial services, including Visa and MasterCard, were redirected through Rostelecom for 5-7 minutes. In both incidents the source of the problem appears to have been work related to traffic management. For example, route leaks can occur when setting up internal monitoring, prioritization or mirroring of traffic passing through Rostelecom for certain services and CDNs (because of increased network load from mass work from home, at the end of March the question of lowering the priority of foreign resources' traffic in favor of domestic resources was discussed). Similarly, several years ago an attempt in Pakistan to wrap YouTube subnets onto a null interface led to these subnets appearing in BGP announcements and to all YouTube traffic flowing to Pakistan.

Interestingly, the day before the Rostelecom incident, the small provider "New Reality" (AS50048) from the city of Shumerlya announced, via Transtelecom, 2658 prefixes affecting Orange, Akamai, Rostelecom and the networks of more than 300 companies. The route leak caused several waves of traffic redirection lasting a few minutes each. At its peak the problem affected up to 13.5 million IP addresses. A noticeable global disruption was avoided thanks to Transtelecom's use of route limits for each client.

Similar incidents happen on the Internet regularly and will continue until authorization methods for BGP announcements based on RPKI (BGP Origin Validation), which allow announcements to be accepted only from network owners, are deployed everywhere. Without authorization, any operator can advertise a subnet with false information about the route length and draw to itself part of the traffic from other systems that do not filter announcements.

At the same time, in the incident under consideration, a check using the RIPE RPKI repository turned out to be useless. By coincidence, three hours before the BGP route leak at Rostelecom, 4100 ROA records (RPKI Route Origin Authorization) were accidentally deleted during a RIPE software update. The database was restored only on April 2, and all this time the check was inoperative for RIPE clients (the problem did not affect the RPKI repositories of other registrars). Today RIPE has new problems, and the RPKI repository was unavailable for 7 hours.
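
The origin check described above, and why deleted ROA records silently disable it, as an added example that is not part of the original article. It follows the RFC 6811 validation states; the ROA entries, prefixes (documentation address space) and AS numbers (private-use range) are constructed sample data, and `accept` models the common "drop only invalid" policy as an assumption.

```python
import ipaddress

# Constructed sample ROAs: (prefix, max_length, authorized origin AS).
# Documentation prefixes and private-use AS numbers, not incident data.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
]


def validate(prefix, origin_as, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA says nothing about the route
        covered = True  # at least one ROA covers the announced prefix
        if roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched: wrong origin or too specific a prefix.
    return "invalid" if covered else "not-found"


def accept(prefix, origin_as, roas):
    """Assumed policy: reject only 'invalid'; 'not-found' is accepted."""
    return validate(prefix, origin_as, roas) != "invalid"


if __name__ == "__main__":
    bogus = ("203.0.113.0/24", 64511)  # constructed unauthorized origin
    print("ROAs present:", validate(*bogus, ROAS), accept(*bogus, ROAS))
    # With the ROA set emptied, the same announcement becomes 'not-found'
    # and passes the filter: the check fails open.
    print("ROAs deleted:", validate(*bogus, []), accept(*bogus, []))
```
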

Filtering based on the IRR (Internet Routing Registry), which defines the autonomous systems through which routing of specific prefixes is permitted, can also be used as a solution to block leaks. When working with small operators, to reduce the impact of human error you can limit the maximum number of prefixes accepted for EBGP sessions (the maximum-prefix setting).

In most cases incidents are the result of accidental staff errors, but recently there have also been targeted attacks, in which attackers compromise providers' infrastructure and organize redirection and interception of traffic in order to substitute specific sites by arranging a MiTM attack to replace DNS responses.
To make it harder to obtain TLS certificates during such attacks, the certificate authority Let's Encrypt recently switched to multi-position domain validation using different subnets. To bypass this check, an attacker would need to simultaneously achieve route redirection for several autonomous systems of providers with different uplinks, which is much harder than redirecting a single route.

Source: opennet.ru