Understanding the Internet's insecure routing infrastructure
As an incident that we reported on last week shows, the Internet routing system isn't as secure as we want it to be. But how bad is it really?
Let's start with a very short introduction into Internet routing. Routing is based on autonomous systems (ASes) exchanging prefixes (ranges of IP addresses) using the Border Gateway Protocol (BGP). Autonomous systems are first and foremost Internet Service Providers (ISPs). However, some end-user organizations swim with the big fish, usually in order to connect to two or more ISPs at the same time. The IP addresses ISPs give out to their customers are aggregated into a relatively small number of prefixes that cover large address blocks, and these prefixes are "announced" or "advertised" over BGP to other ASes. Prefixes make their way from AS to AS, so eventually the entire Internet knows where to send packets with a given destination address.
The term "Border Gateway Protocol" makes more sense in the context of 20 years ago, when the word "gateway" was used for what we today call a router. So BGP is the protocol used between border routers—the routers that sit at the edge of neighboring autonomous systems