Tag Archive for BGP

Romania Leads IPv4 Market

I first wrote about the grey market in IPv4 addresses when Microsoft (MSFT) bought Nortel's IPv4 address block back in 2011. A recent article from CircleID shows the market has caught up with Bach Seat. In the CircleID article, Doug Madory, Director of Internet Analysis at Dyn, reports that the market for IPv4 addresses is heating up, especially in Europe.

RIPE’s IPv4 transfers

According to Dyn, statistics from RIPE, the European registrar, show that the IPv4 market has heated up. RIPE's table of transfers of provider aggregatable (PA) IPv4 addresses clearly shows a rapidly increasing rate of transfers of IPv4 address blocks and unique IPv4 addresses. In fact:

  • February 2015 saw the most organizational transfers (373).
  • November 2014 saw the most unique address transfers (nearly 2 million).
  • The number of transfers in the RIPE region far outpaces any other region.

Romania is a key player in IPv4

An analysis of the RIPE data by the author finds that Romania is a key player in the IPv4 market.

  • During 2014/15 1,069 (58%) transfers came from Romanian organizations.
  • 947 (51%) of all the blocks transferred in the RIPE region were from a single Romanian organization, namely, Jump.ro.
  • Jump is willing to sell large blocks of IPv4 address space (around $10/address) or lease smaller blocks for $0.50/address/year.
  • Of the 4,656 routed prefixes that make up the Saudi Arabia part of the Internet, 1,498 or almost a third of them were Romanian just a few months ago.
  • The Syrian state telecom got 5.155.0.0/16 from Romania’s Nav Telecom last August and Iranian telecoms bought over 1 million unique IP addresses in 85 transfers over the past year (80% from Jump.ro).
  • Saudi Telecom received 17 IPv4 transfers since September last year representing over 1.5 million IP addresses: 14 were from Romanian sources and the other 3 were from Ukraine. At $10/address, those addresses would have cost Saudi Telecom $15 million.

A side effect of the IPv4 gray market is that it abets the growth of global routing tables to dangerous levels. The first effects were seen in August 2014, when BGP routing tables grew to over 512,000 routes and many older routers could no longer properly track the routes. ZDNet explains that routes are typically kept in a specialized kind of memory called Ternary Content Addressable Memory (TCAM), which has a limited capacity and fails when it is full.

The author asks: what are the implications of all this? Now that the Romanians have demonstrated that there is a lucrative business to be had in selling off IPv4 address space, will we see ISPs in developing countries rush to sell off their address space for some quick cash? If such sales result in the IPv4 space getting sliced more and more thinly, we can surely expect the global routing table to increase in size, perhaps dramatically, as a result.

Will this cause more router meltdowns?
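To make the "sliced more and more thinly" point concrete, here is an added example (not from the CircleID article or this blog) that counts how many routes one aggregate turns into after parts of it are transferred to other origin networks. The 10.0.0.0/16 block, the documentation AS numbers 64496-64498 and the function names are constructed for illustration; the model assumes the seller stops announcing the covering aggregate and that only adjacent prefixes with the same origin can be merged.

```python
import ipaddress
from collections import defaultdict
from itertools import cycle

FIB_LIMIT = 512_000  # route count cited above for the August 2014 failures


def routes_needed(holdings):
    """Minimum routes for a list of (network, origin_asn) pairs.

    Adjacent prefixes collapse into one route only when they share an origin.
    """
    by_origin = defaultdict(list)
    for net, asn in holdings:
        by_origin[asn].append(net)
    return sum(len(list(ipaddress.collapse_addresses(nets)))
               for nets in by_origin.values())


def slice_and_sell(block, seller_asn, sold_len, buyers, n_sold):
    """Cut `block` into /sold_len pieces; the first n_sold go to buyers
    round-robin, the rest stay with the seller (constructed model)."""
    pieces = ipaddress.ip_network(block).subnets(new_prefix=sold_len)
    buyer_cycle = cycle(buyers)
    return [(p, next(buyer_cycle) if i < n_sold else seller_asn)
            for i, p in enumerate(pieces)]


def over_limit(table_size, holdings):
    """True if replacing one aggregate with `holdings` pushes a table of
    `table_size` routes past FIB_LIMIT."""
    return table_size - 1 + routes_needed(holdings) > FIB_LIMIT


if __name__ == "__main__":
    whole = [(ipaddress.ip_network("10.0.0.0/16"), 64496)]
    one_buyer = slice_and_sell("10.0.0.0/16", 64496, 24, [64497], 4)
    two_buyers = slice_and_sell("10.0.0.0/16", 64496, 24, [64497, 64498], 4)
    print("before any transfer:", routes_needed(whole))
    print("four /24s to one buyer:", routes_needed(one_buyer))
    print("four /24s to two buyers:", routes_needed(two_buyers))
    print("tips a 511,995-route table over:", over_limit(511_995, two_buyers))
```

Selling the same four /24s to two interleaved buyers instead of one costs more routes because the buyers' pieces are no longer contiguous per origin, and the seller's remainder no longer fits in a single prefix either.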

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Feds to Test IPv6

NetworkWorld is reporting that the U.S. government has launched a comprehensive product testing program for IPv6. The new program, the USGv6 Test Program, will be run by the National Institute of Standards and Technology (NIST) and will require all network hardware and software vendors to pass IPv6 compliance and interoperability tests before they can sell their products to the U.S. federal government market.

The NIST IPv6 test plan covers basic IPv6 functionality as well as related standards such as IP Security (IPsec), Internet Key Exchange (IKEv2), Dynamic Host Configuration Protocol (DHCPv6), Open Shortest Path First (OSPFv3), Border Gateway Protocol (BGP4+) and multicast requirements in MLDv2.

The USGv6 program will allow vendors to run IPv6 compliance tests in their own labs as long as the lab is accredited by NIST, but they must run IPv6 interoperability testing in someone else’s lab. Erica Johnson, Director of the University of New Hampshire InterOperability Laboratory, told NetworkWorld, “The way that the NIST profile is going to work is that conformance testing can be done in an accredited first-party [vendor], second-party [buyer] or third-party [independent] lab…But the interoperability testing must be done in a second-party or third-party lab.”

The time frame for the USGv6 Test Program is tight. NIST is expected to publish this week [July 31] the final version of its IPv6 test specifications aka Special Publication 500-273 and to finalize its test plan in November 2009. Testing labs are to be accredited before the end of the calendar year. Network vendors will have six months to get their routers, operating systems, firewalls and other security systems through IPv6 testing before the federal government’s July 2010 acquisition deadline.

By July 2010, federal agencies will be required to buy only hosts, routers, and network security systems that have been tested for IPv6 compliance. Vendors must issue a “Suppliers’ Declaration of Conformity” that states host and router products have been tested for IPv6 compliance and interoperability, while security products must undergo functional IPv6 testing. All of the testing must be done in NIST-accredited labs.

rb-

It’s about time – I have included IPv6 requirements in RFPs for over 6 years. It is amazing to watch the vendors tap-dance around what IPv6 compatibility means. Only some of these products from Cisco or Foundry Brocade are IPv6 compatible depending on the image you buy. I guess the real trick will be to get a “Suppliers’ Declaration of Conformity” if you are not a Fed.

 

Online Security Threats Growing

DarkReading is reporting that Ann Arbor-based Arbor Networks has issued its fourth Worldwide Infrastructure Security Report. The global report is based on responses from 70 lead security engineers worldwide. Among the report’s findings: DDoS attacks have grown a hundredfold since 2000, and the newest threat is an increase in service-level attacks.

Respondents to the survey said the main threat vectors for attacks experienced from August 2007 to July 2008 were:

  • external, brute force attacks (61%)
  • known vulnerabilities (12%)
  • social engineering (3%)
  • misconfiguration (3%)
  • none from zero-day threats.

Brute force attacks, such as DDoS, jumped 67 percent over the last year. ISPs reportedly spent most of their available security resources combating distributed denial of service (DDoS) attacks. Flood-based attacks represented 42 percent of the attacks reported last year and protocol exhaustion-based attacks 24 percent. DDoS attacks have grown from megabit levels in 2000 to 40-gigabit attacks this year. Nearly 60 percent of ISPs worldwide say they experienced DDoS attacks larger than 1 gigabit per second (Gbps), up to a record 40 Gbps, according to Arbor’s report. According to Danny McPherson, chief security officer for Arbor Networks, the growth in attack size continues to significantly outpace the corresponding increase in underlying transmission speed and ISP infrastructure investment.

The report indicates that the ISPs surveyed are less worried about DDoS attacks than they were a year ago. This year ISPs describe a far more diversified range of threats: more than half are battling an increase in service-level attacks, which accounted for 17 percent of all attacks and attempt to exploit vulnerabilities and limitations of computing resources. New attacks are being directed at new services as ISPs work to diversify their income sources by expanding into content distribution, VoIP or other managed services. These new threats include:

  • domain name system (DNS) spoofing
  • border gateway protocol (BGP) hijacking
  • spam.

Almost half of the surveyed ISPs now consider their DNS services vulnerable. Others expressed concern over related service delivery infrastructure, including voice over IP (VoIP) session border controllers (SBCs) and load balancers. Several ISPs reported multi-hour outages of prominent Internet services during the last year due to application-level attacks.

Botnets are still a big problem for ISPs and continue their expansion across the Internet. ISPs report that botnets are used for:

  • SPAM (36%)
  • DDoS (31%)
  • phishing (28%)
  • ID fraud (>5%)
  • click fraud (>5%)

Rob Malan, founder and chief technology officer of Arbor Networks explained that, with application-based attacks, bot-infected computers worldwide make connections to a targeted site, then “use an application protocol to deliver a perfectly valid request, not a vulnerability, not something that an IDS or other type of firewall would necessarily flag”. For example, a botnet might instruct its zombie computers worldwide to do a back-end query off a database. “By itself, it’s not bad but, if you have multiple such requests, then you tie up the application – in this case, database – resources on the back-end,” he said.

Even the newest technologies are not secure: 55 percent of ISPs see the scale and frequency of IPv6 attacks increasing. “They are asked to deploy V6, but they don’t feel they can have security [with it],” Dr. Craig Labovitz, chief scientist for Arbor Networks, says. Today’s IPS/IDS, firewall, and other tools don’t have the proper visibility into IPv6 networks to secure them, he says. Arbor Networks released an earlier study in August 2008 which revealed negligible IPv6 usage.

The response capability of the respondents is mixed. The majority of ISPs report that they can detect DDoS attacks using tools. This year also shows significant adoption of inline mitigation infrastructure and a migration away from less discriminate techniques like blocking all customer traffic (including legitimate traffic) via routing announcements. Many ISPs also report deploying walled-garden and quarantine infrastructure to combat botnets.

Despite the tools on hand, only a few of the surveyed ISPs said they have the capability to mitigate DDoS attacks in 10 minutes or less. Even fewer providers have the infrastructure to defend against service-level attacks or this year’s reported peak of a 40-gigabit flood attack.

Even less of an emphasis is placed on finding the criminals responsible for these attacks. Arbor Networks found that ISPs have little faith in law-enforcement bodies. Nearly two-thirds of respondents indicated that they do not believe law enforcement has the means to act upon the information they provide about attacks or other security incidents. “It’s hard on carriers,” said Malan. “They get paid on traffic, not to do forensic analysis. So it’s hard from their perspective to make the economics work.”

The Arbor Networks 2008 Worldwide Infrastructure Security Report describes a networked world where the growth of DDoS attacks has outpaced the ability of firms to respond to them, and where new service-level attacks driven by botnets are matching firms’ efforts to diversify their service offerings to customers. When these facts are combined with the current economic recession, the networked world still appears to be a difficult place to do business.

 
