>disruption was minimized by Telegram’s use of RPKI
Telegram has spread their hosting across the three big cloud providers; AWS, Azure, and Google Cloud. It is most likely the cloud providers who have enabled RPKI as a default.
Looks like Telegram has its own asn (https://bgp.he.net/AS62041) so they are announcing the space through the cloud providers. So they would announce their space to was, hcp, azure, etc with the rpki.
I didn't know either but I found this little snippet:
Resource Public Key Infrastructure (RPKI) is a security framework by which network owners can validate and secure the critical route updates or Border Gateway Protocol (BGP) announcements between public Internet networks. BGP is essentially the central nervous system of the Internet and one of its fundamental building blocks. The main function of BGP is to facilitate efficient routing between Autonomous Systems (AS), by building and maintaining the Internet routing table. The Internet routing table is effectively the navigation system of the Internet and without it, traffic would be unable to flow between its constituent networks. Unfortunately, routing equipment alone cannot distinguish between legitimate and malicious routing announcements, but network operators who implement RPKI validation and filtering can choose to reject announcements from networks not authorized to advertise those resources. In other words, RPKI is essentially a secure identification system for the BGP route information between autonomous systems.
Before RPKI, any network on the internet could announce any prefix (e.g. 2001:630::/32) to any neighbour, whether they had the right to or not. With RPKI, the owner of the prefix has to authorize a network to announce the route, so this helps to prevent networks from hijacking prefixes. One caveat is that it depends upon networks checking the RPKI database when receiving prefixes from neighbours, but pretty much all the major networks do this now.
Many will likely never use it. ARIN, for example, does not allow "legacy" networks to use RPKI unless they sign a registration agreement (and start paying for the privilege.)
Similar to CAs on the web in RPKI a TA (Trust Anchor) will sign a ROA (Route Origin Authorization X.509 certificate) to certify an ASN can originate routes within an address space.
There are five TAs which are RIRs (Regional Internet Registries) AFRINIC, APNIC, ARIN, LACNIC, and RIPE.
So similar to how your web browser can determine a website is valid or not by checking the certificate is signed by a CA. A network can determine a route is valid or not by checking the ROA is signed by a TA.
Basically, RPKI is to BGP as things like DKIM are to email, or DNSSEC is to the DNS system.
Different AS's announce route prefix's to attract packets from other AS's. Orgs like ARIN and such act as trust anchors (CA's, in Web of Trust parlance) for Network operators who use RPKI clients to validate incoming BGP announcements cryptographically against the trust anchor list.
The idea would be that an Iraqi telco could announce they terminate a prefix they don't, blackholing the traffic originating from within their network to those prefixes, but they wouldn't get the cryptographic vouch by their RIR, so other AS's would ignore altering their routing tables. Insulating the damage to essentially inside the network that was making the fraudulent announcement.
It could even still be worked around by people internal to that network as long as they cross into another AS's routing domain, say by VPN, which would then allow traffic to route as normal.
There is the argument to be made that RPKI is only as useful as the numbering authorities are capable of maintaining a strict position of neutrality. Thus is the way of all of all Trust. It is alas, the best we have.
The way routing works on the internet very simply is a network (like an ISP or connectivity provider) will announce IP prefix and "the origin" - where to send packets matching the prefix. This mechanism is also frequently used by national ISPs to block specific destinations (like Telegram nodes) - they will announce Telegram IP prefixes to be sent to them and then will just toss the packets or try to snoop on sessions. This is known as the "BGP hijack".
These announcement typically only intended for downstream providers (regional Iraqi ISPs in this case) but sometimes "leak" upstream - erroneously announced to the open internet which sometimes cause outages for the whole world. This is what famously happened with YouTube when Pakistan tried to do the same thing in 2008.
In this case the routes "leaked" upstream again like what happened before but seems like outage was mostly prevented by something called RPKI which is basically a technology to attest who really owns which prefix.
The internet doesn't interpret anything - it's a just a bunch of networks and technologies to pass packets around with some level of redundancy (originally to withstand nuclear strikes on the comms centers).
Ok sure but if router rules say “send these packets over there” that’s where they will go (to die). There are no way to “interpret” if the packets are going to the right destination for downstream devices which are totally oblivious to this process if that makes sense
What you are homing in on is the problem of trust.
And yes. It is a problem. If your upstream does skulduggerous things, you can't "route around it" from the standpoint of being an endpoint. Your packets will go where your ISP says they go.
Unless...
You take a bit of the routing decision out of their hands, which takes a bit of footwork on your part. For instance, setting up a VPN to a network zone unpolluted by the faulty prefix announcement, which is basically going to be any non downstream of the hostile ISP provider.
Once you're out of that routing zone, normal network visibility is restored. Odds are even a national scale backbone provider is not going to be able to effectively block traffic that's routing out to a proxy, so all the the ISP has really done is made life more difficult for people unaware of how to set up such an arrangement.
Which now that you know about this, it is your duty to spread the knowledge of how to do so far and wide. If someone wants to block it, then that's all the justification needed for frustrating those efforts.
VPN traffic is trivially blocked at the ISP level which has been proven by china, russia and others. So no you can't really prevent mass censorship with technology.
As is stated in the link I posted, you don't have to run your own bridge. With snowflake, there are more entry nodes than ever, and you don't need to know anything about them in advance.
Yes and it’s been classified and blocked before (though not for long). Eventually they will just start blocking fastly completely or whoever else will agree to domain front them and that’s that
TBH, that is a quote from several decades ago that hasn't kept up with modern censoring technology. When Gilmore originally coined it he was embroiled in a legal dispute with his ISP, I doubt he had BGP hijacks by national governments in mind.
The original comment was a remark on Usenet newsgroup message filtering. Usenet had a degree of decentralization, a single news server couldn't control the entire network. If the message is filtered at a particular path by a server, at least some other nodes would still receive their own copies via an alternative path, which may then propagate the messages further downstream.
Today's highly-centralized server-client Web architecture does not have this property. Some P2P protocols are closer to the spirit of this quote.
Conclusion: architecture of "the Net" matters a lot (the original quote didn't use the term "Internet").
Seeing as how the entire internet doesn't still block youtube: no. It routed around it.
The quote has nothing to do with automatically and invisibly routing around censorship, e.g. a techno-system that somehow always works to oppose censorship. It's just that people will reconnect stuff eventually, bypassing any block somehow. At worst there are always sneakernets.
If this node has been known to publish unreliable routes in the past, wouldn't any upstream nodes just put some preventative rules to ignore it / blocklist it? Or is that not feasible?
Yes before RPKI especially and still now this technique is commonly used but not even every T1 (backbone) network had done that correctly in the past, hence outages.
Ah I used to be so jealous of people with their T1 connections while I was stuck on a 56k dial up connection trying to play Unreal Tournament '99. Good times.
Once a ISP goes hostile, all that remains is mesh networking, and navigating data- by having encrypted packages, jump from phone to phone, based upon the wifi location the phone has been near in recent history.
Then you need a zero-day, install software that turns almost all phones into nodes and there is nothing any authority can do to prevent communication ever.
As long as there is no phone/device in that network outside Iraq that will not work for Internet.
If there is, the ISP/Government can fingerprint the traffic and block the IP of any device outside Iraq.
Just like how China FW block VPN traffic.
Well, you don't send it in.. you just bring it in? Like something smuggled physically? Its slow, admitted, but better having that data come in on some truck driver-smuggled-ssd and reach you by hopping from phone to phone, then not at all.
How does that work across oceans? There's a severe lack of mesh nodes on the high seas and all high-bandwidth links across the ocean highly centralized in just a couple of companies.
Also, most people would definitely not appreciate their personal devices being hijacked as a mesh network for their neighbors teen watching tiktoks or whatever. Any such zero day exploit would be patched pretty quickly.
Well aiport traveling nodes connect across the oceans regularly. You can even predict that travel and make it a sort of routing announcement.
Example: Guy living in NY on the regular, traveling once a year to cuba and back. So somebody with a message to cuba, passes it along - it rides to the airport, and hops from a employee cellphone to the guy boarding his holiday plane. Add the transmission software being a virus for plausible deniability..
Gotta ask again: how much GB of storage on their phone do you think the average air traveler would be willing to donate to people so that their transoceanic fellows would be able to watch tiktoks from their homeland? How about porn? And given that GP seemed to dream of communications uncensorable by governments, how long would it be until a mandatory phone scan would be required before boarding a flight? For that matter, why would a government like Iran or North Korea even let phones into their country without a thorough cleansing of non-sanctioned information beforehand?
I'm all for balancing the power of governments with the power of their citizens but mesh networks have so many practical downsides that they are just Not The Way tbh.
GB? This is textmessages and pictures only.. So 0.1 Gb? Its unattractive for porn by default - to slow, to unreliable, but for messages that could never get there the other way.. its okay.
41 comments
[ 3.1 ms ] story [ 89.3 ms ] threadTelegram has spread their hosting across the three big cloud providers; AWS, Azure, and Google Cloud. It is most likely the cloud providers who have enabled RPKI as a default.
Resource Public Key Infrastructure (RPKI) is a security framework by which network owners can validate and secure the critical route updates or Border Gateway Protocol (BGP) announcements between public Internet networks. BGP is essentially the central nervous system of the Internet and one of its fundamental building blocks. The main function of BGP is to facilitate efficient routing between Autonomous Systems (AS), by building and maintaining the Internet routing table. The Internet routing table is effectively the navigation system of the Internet and without it, traffic would be unable to flow between its constituent networks. Unfortunately, routing equipment alone cannot distinguish between legitimate and malicious routing announcements, but network operators who implement RPKI validation and filtering can choose to reject announcements from networks not authorized to advertise those resources. In other words, RPKI is essentially a secure identification system for the BGP route information between autonomous systems.
For more information, there is a good article here: https://phoenixnap.com/kb/rpki
Many will likely never use it. ARIN, for example, does not allow "legacy" networks to use RPKI unless they sign a registration agreement (and start paying for the privilege.)
There are five TAs which are RIRs (Regional Internet Registries) AFRINIC, APNIC, ARIN, LACNIC, and RIPE.
So similar to how your web browser can determine a website is valid or not by checking the certificate is signed by a CA. A network can determine a route is valid or not by checking the ROA is signed by a TA.
Basically, RPKI is to BGP as things like DKIM are to email, or DNSSEC is to the DNS system.
Different AS's announce route prefix's to attract packets from other AS's. Orgs like ARIN and such act as trust anchors (CA's, in Web of Trust parlance) for Network operators who use RPKI clients to validate incoming BGP announcements cryptographically against the trust anchor list.
The idea would be that an Iraqi telco could announce they terminate a prefix they don't, blackholing the traffic originating from within their network to those prefixes, but they wouldn't get the cryptographic vouch by their RIR, so other AS's would ignore altering their routing tables. Insulating the damage to essentially inside the network that was making the fraudulent announcement.
It could even still be worked around by people internal to that network as long as they cross into another AS's routing domain, say by VPN, which would then allow traffic to route as normal.
There is the argument to be made that RPKI is only as useful as the numbering authorities are capable of maintaining a strict position of neutrality. Thus is the way of all of all Trust. It is alas, the best we have.
These announcement typically only intended for downstream providers (regional Iraqi ISPs in this case) but sometimes "leak" upstream - erroneously announced to the open internet which sometimes cause outages for the whole world. This is what famously happened with YouTube when Pakistan tried to do the same thing in 2008.
In this case the routes "leaked" upstream again like what happened before but seems like outage was mostly prevented by something called RPKI which is basically a technology to attest who really owns which prefix.
And yes. It is a problem. If your upstream does skulduggerous things, you can't "route around it" from the standpoint of being an endpoint. Your packets will go where your ISP says they go.
Unless...
You take a bit of the routing decision out of their hands, which takes a bit of footwork on your part. For instance, setting up a VPN to a network zone unpolluted by the faulty prefix announcement, which is basically going to be any non downstream of the hostile ISP provider.
Once you're out of that routing zone, normal network visibility is restored. Odds are even a national scale backbone provider is not going to be able to effectively block traffic that's routing out to a proxy, so all the the ISP has really done is made life more difficult for people unaware of how to set up such an arrangement.
Which now that you know about this, it is your duty to spread the knowledge of how to do so far and wide. If someone wants to block it, then that's all the justification needed for frustrating those efforts.
Today's highly-centralized server-client Web architecture does not have this property. Some P2P protocols are closer to the spirit of this quote.
Conclusion: architecture of "the Net" matters a lot (the original quote didn't use the term "Internet").
The quote has nothing to do with automatically and invisibly routing around censorship, e.g. a techno-system that somehow always works to oppose censorship. It's just that people will reconnect stuff eventually, bypassing any block somehow. At worst there are always sneakernets.
Then you need a zero-day, install software that turns almost all phones into nodes and there is nothing any authority can do to prevent communication ever.
edit: Adding China FW
Also, most people would definitely not appreciate their personal devices being hijacked as a mesh network for their neighbors teen watching tiktoks or whatever. Any such zero day exploit would be patched pretty quickly.
Example: Guy living in NY on the regular, traveling once a year to cuba and back. So somebody with a message to cuba, passes it along - it rides to the airport, and hops from a employee cellphone to the guy boarding his holiday plane. Add the transmission software being a virus for plausible deniability..
I'm all for balancing the power of governments with the power of their citizens but mesh networks have so many practical downsides that they are just Not The Way tbh.