undefined | Better HN

0 pointswalrus015y ago0 comments

I sincerely hope that AS3356 hasn't broken a big chunk of the Internet again.

https://isc.sans.edu/forums/diary/CenturyLink+Outage+Causing...

https://www.zdnet.com/article/centurylink-outage-led-to-a-3-...

0 comments

dahfizz5y ago

My bet is BGP. Its always BGP.

oblio5y ago

It's been a while since I studied routing, but have they fixed BGP security?

I remember reading about the protocol and thinking something like: this seems awfully "hippie-trust" levels of security.

Granted, this was 10 years ago so my recollection of BGP is super fuzzy :-D

walrus01OP5y ago

nope. proper and full implementation of BCP38, MANRS, full RPKI validation of all IP ranges and such is a long distance away.

within trusted groups of ISPs where the admins all know each other, in certain specific geographic regions, it's better than others.. I would say that the number of ISPs I could call "fully compliant" with current best practices, in the Portland-Seattle-Vancouver area, is higher than in many other parts of the world.

ficklepickle5y ago

How is shaw?

Anecdote: I was surprised to find they honour TTLs on their DNS service. Everyone else I have access to seems to return the new IP almost immediately, but shaw waits it out.

curi0sity5y ago

As someone interested in the internal workings of the internet, do you have any further reading on current best practices?

1 more reply

dahfizz5y ago

To be fair, BGP only runs between large network operators. The security / trust of routing agreements is mostly solved through business deals and contracts.

1 more reply

walrus01OP5y ago

Every time this happens I have a mental metaphorical image of somebody tripping over the $5 power strip that has the single point of failure route-server or route-reflector plugged into it.

j / k navigate · click thread line to collapse

0 comments

dahfizz5y ago

My bet is BGP. Its always BGP.

oblio5y ago

It's been a while since I studied routing, but have they fixed BGP security?

I remember reading about the protocol and thinking something like: this seems awfully "hippie-trust" levels of security.

Granted, this was 10 years ago so my recollection of BGP is super fuzzy :-D

walrus01OP5y ago

nope. proper and full implementation of BCP38, MANRS, full RPKI validation of all IP ranges and such is a long distance away.

ficklepickle5y ago

How is shaw?

Anecdote: I was surprised to find they honour TTLs on their DNS service. Everyone else I have access to seems to return the new IP almost immediately, but shaw waits it out.

curi0sity5y ago

As someone interested in the internal workings of the internet, do you have any further reading on current best practices?

1 more reply

dahfizz5y ago

To be fair, BGP only runs between large network operators. The security / trust of routing agreements is mostly solved through business deals and contracts.

1 more reply

walrus01OP5y ago

Every time this happens I have a mental metaphorical image of somebody tripping over the $5 power strip that has the single point of failure route-server or route-reflector plugged into it.

j / k navigate · click thread line to collapse