Web of Trust

They say that the internet is just a series of tubes. They’re not entirely wrong, but that’s not all it’s made up of.

It’s also made of a complex series of trust relationships. It is when these trust relationships fall apart for one reason or another that we run into problems.

BGP (Border Gateway Protocol) is a tool used by every internet provider on the planet. Its primary purpose is to allow a router to peer with its neighbors and advertise to them what addresses can be reached through it. Say I’m an internet router for Comcast. I might have peering connections to routers owned by Verizon and by Cox, and I would advertise to those routers that I own Comcast’s IP addresses, and they would advertise to me that they own Verizon’s and Cox’s IP addresses, respectively. Now, I might also have a transit agreement in place with Weird Kiwi (we don’t, just using ourselves as an example) that means Comcast will also advertise Weird Kiwi IP addresses (we don’t own any, for what it’s worth). That would mean that Verizon knows that by passing traffic to Comcast, it will reach Weird Kiwi.

There are two types of BGP peering that you should be aware of. They’re often referred to as “Peering” and “Transit.” Transit is the big one: it’s where you advertise your own routes and the provider advertises back most/all of the internet. Peering is much smaller, and only advertises local IP space for the organization you’re peering with and possibly their customers.

Through this protocol, everyone knows how to reach everyone else. How it works in detail isn’t important, but what is important to know is that there is very little in the way of safeguarding built in. Many responsible ISPs will protect their BGP sessions with customers in order to limit what advertisements they will accept. They require LOAs (Letters of Authorization) and utilize router policies to prevent their customers or peers from advertising too many routes, or from advertising routes to IP addresses that they are not authorized to route. Not all ISPs are this responsible. Some ISPs can, have, and will continue to allow anyone to advertise anything, which results in interesting network issues from time to time. Like when Telekom Malaysia advertised a significant portion of the internet to Level 3, who accepted and propagated it. Or when Indosat in Indonesia did much the same thing. Usually these issues are much smaller, like when someone accidentally advertises IP space they don’t own — it just gets tricky when it’s IP space owned by Amazon.
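The customer-facing policy described above (accept only routes covered by the LOA, and cap how many routes a session may send) can be sketched as follows. This is an added example, not code from the original post or from any router vendor; the prefixes are documentation address space, and the length and max-prefix limits are assumed values.

```python
import ipaddress

# Constructed sample: prefixes a hypothetical customer's LOA covers
# (documentation address space, not real allocations).
LOA_PREFIXES = [ipaddress.ip_network(p) for p in
                ("203.0.113.0/24", "198.51.100.0/24", "2001:db8:100::/40")]
MAX_LEN = {4: 24, 6: 48}  # assumed policy: drop anything more specific
MAX_PREFIXES = 4          # assumed per-session limit


def evaluate(prefix_text, authorized=LOA_PREFIXES):
    """Return (accepted, reason) for one announced prefix."""
    try:
        net = ipaddress.ip_network(prefix_text, strict=True)
    except ValueError:
        return False, "malformed"
    if net.prefixlen > MAX_LEN[net.version]:
        return False, "too-specific"
    for allowed in authorized:
        # subnet_of() raises TypeError across address families, so check first.
        if net.version == allowed.version and net.subnet_of(allowed):
            return True, "authorized"
    return False, "not-authorized"


def filter_session(announcements, max_prefixes=MAX_PREFIXES):
    """Apply the max-prefix limit to the session, then filter each prefix."""
    if len(announcements) > max_prefixes:
        # Simplified model: exceeding the limit drops the whole session.
        return {"session_up": False, "accepted": [],
                "rejected": [(a, "max-prefix-exceeded") for a in announcements]}
    accepted, rejected = [], []
    for text in announcements:
        ok, reason = evaluate(text)
        (accepted if ok else rejected).append((text, reason))
    return {"session_up": True, "accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    # Constructed announcements: one valid, one too specific, one outside the
    # LOA, and one valid IPv6 more-specific.
    sample = ["203.0.113.0/24", "198.51.100.128/25",
              "192.0.2.0/24", "2001:db8:101::/48"]
    print(filter_session(sample))
    print(filter_session(sample + ["0.0.0.0/0"]))
```

A provider that skips both checks would accept all five of the announcements in the second call, including the default route.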

The point is, BGP is one of the very base layers of the internet, and it is entirely based on mutual trust between internet service providers to properly advertise themselves and to properly vet and limit their customers.

This isn’t unique. Just about the entire internet is based on trust — trust that when you send some message you will get a response, and trust that the response you receive is appropriately accurate. Think of e-mail. When you send a message to a mail server, you expect it to send back appropriate codes. The most important is “250 OK” — this indicates that the mail server has validated that it can deliver to the recipient, that it has vetted that your server is not malicious by most standard tests (PTR, DNSBL, IP- or Domain-based reputation tests), and that the message is not malicious and does not contain spam. This is all possible to test prior to sending back the “250 OK” message, so the sending side trusts that if “250 OK” is returned, the message was accepted and will be properly delivered. Some mail providers, however, choose not to do this. They prefer, for some reason, to accept the message as normal and then classify Spam or Junk mail later. It’s entirely possible for mail to be “properly accepted” at the gateway, and then silently dropped at some point before it would reach the end user’s inbox.

Being a user of the internet involves bestowing, and being bestowed with, a significant amount of trust in the remainder of the internet. Trust that you won’t advertise via BGP any IP addresses you don’t own. Trust that you keep your devices and networks appropriately secured. Trust that you won’t attempt to violate the security of other people’s devices or networks. Trust that you won’t, knowingly or unknowingly, participate in a Denial of Service attack of any kind. But what happens when you do? It’s still a web of trust. Another one of the standing conventions of the internet is that ISPs will make public their preferred method for receiving complaints of abuse from their networks. Typically this is an email address, and even more commonly that email address is something like abuse@(domain). Trust comes into play when sending an abuse complaint: trust that the receiving party will receive it, review it, and respond to it, either by taking some kind of action (notifying their customer, suspending their service, fixing their own security problems) or by replying to the complainant to request clarification or additional detail.

There is no obligation on the part of the receiving party to actually do anything; you just trust that they will do the Right Thing.
