Glad to hear. Thank you for your services.

Those are Jira ticket numbers right???? ... Right?

@@riodweber Lol! Jokes aside this is on our docket but I'll be honest, this is only the 2nd communication company I've worked for, but both has one critical issue. Lack of communication. I wouldn't be surprised if we don't see any progress from us for many many years

@@TemplePate01 lol

Eh, first time I see such early estimates. They usually just don't bother estimating anything that would be deployed by their grand-children.

Well, there's no other routing protocol that can handle the scale of the Internet as BGP can. Most people take "Internet" for granted, but it's basically a universe and we have just managed to make it work somehow.

@@valltzuI wouldn’t say we “managed to make it work somehow”. The internet and networking as a whole is fundamentally built upon the aspects of interopribily, if everyone isn’t on the same page on how to talk to each other, you can’t talk to each other. Because of this tons of research and work has to go into these protocols to make them as bullet proof as can be

That’s how I feel all the time working with infrastructure. It’s a giant house of cards.

you're not supposed to look behind the curtain, you fool. That's how the magic werks, just don't look. Next thing you'll be questioning where the value of fiat currency comes from. At that point the house of cards just collapses.

@@thespexks2565 "interopribily" if we want things to keep working, it's vital that we don't make silly little mistakes because we're desperate to press the reply button before we've properly checked our spelling.

make one

​@@akshaysrivastava4304 why don't you

It's not a perfect protocol but it's also heavily monitored, is it?

BGP cant be replaced. The new protocol would have to be 100% compatible to the current BGP. So rollout would take forever, just like IPv6.

Yea what you gonna do route redistribution between protocols?

Not rolling out IPv6 saved everyone's bacon recently. Most home ISPs in the U.S. are still delivering IPv4 only addresses, which means IPv6 packets can't reach those networks, which means those networks and machines were immune to the recent Microsoft TCP stack vulnerabilities involving IPv6.

@@privacyvalued4134 So you're saying first switch everyone to Linux, then finish the IPv6 rollout?

@@privacyvalued4134 Jokes on you, all my machines are linux lol

@@privacyvalued4134 Recently I watched electronic engineer on his YT channel, ( _he lives in Canada and apparently working on some company_ ) his computer in back of screen was running Windows 7, this guy is smarter/technique than most of his bosses, but he still uses vulnerable OS

I have IPv6 but I can't run a webserver for some reason. Why should I care about having a global static IP address when the ISP blocks ICMP packets?

😂😂 best quote, cracked me up that.

😂

yeah, pure gold XD

The quality of this video is to be applauded.

I understand mainly because I had a good teach (I was lucky af) and worked in a data center. At first it was a bit weird, but with time is just like the pieces fit together. (and it really does talking about the OSI model)

Two weeks 😮.they spent 20 minutes in mine.

@@TheBelrick I haven't worked with BGP extensively for 15 years or so but I think there's some misleading info in here. BGP is much older than 25 years, it DOES have some basic authentication mechanisms, albeit not for every single route advertisement - though even that can be configured to only accept routes that you're expecting to receive - which we always did (and which means you can't pass on bad routes if you don't accept them in the first place). And it isn't a fundamental part of the TCP/IP protocol stack as was stated when showing that jenga tower image, in fact that image is misleading it just shows random protocols written anywhere. Instead BGP literally runs like any regular application over the top of TCP/IP between two systems. It's traffic is encapsulated in regular TCP segments, which is different from some other routing protocols that have their own IP protocol number and transport scheme (which don't use TCP). Since I haven't worked with it a long time I appreciated learning about the newer authentication scheme but the quality here was not 100%.

@@chocolate_squiggle Thankyou for your time spent educating us with your knowledge.

It's was pre planned by the USA government. It was a agenda.

@@frankdrebinn what

@SuperM789 it's all was pre planned by the USA government. It was an agenda.

@@frankdrebinn you do realize balls is a real word? plus, the phrase he's using has been around for like a century. your point makes no sense

It was a national tragedy, 911.

Same story with utf8

i wish pne day to attain the skills to pull off napkin ideas on a whim like that

In their defense, I doubt they expected their work to be the backbone of all human knowledge (and idiocy). I bet they just wanted the job done.

@@mfaizsyahmi Same story with geo-stationary communication satellites.

Much of the early internet was like that. Designed surprisingly well by just a handful of people. And then we have the massive steaming piles created by committees -- IPv6, OSPF, SIP...

Was looking for this 😅

Cap. You were only figuratively waiting for it.

​@@Dannnneh‘Literally’ has two definitions.

Today is the day.

happy anniversary

​@@Dannnneh and a Cap is a type of lid.

Yeah I was wondering about that, "if its so easy to misuse BGP as this video says, why isnt everyone absolutely banging it down to the ground and abusing it?", thank you for your comment!

The core issue with BGP is one of trust: anyone can announce anything, and it's very difficult to know if they're lying. (which is why RPKI was invented, but few have bothered with it.) The BGP configurations I've managed over the decades have had explicit allowed prefix lists for each and every peer. (except for our transits which are our "0/0" path, those have explicit deny lists - basically they can't announce our own and customer spaces back to us.) And our upstreams maintained similar lists. However, many build those lists with automated tools based on routing registries (radb) which run into the same trust problem.

​​@@jfbeam Yes misconfigurations are the bigger issue because they can and do occur more often. You do have to trust your peering AS. As for the the RKPI feature it can stop advertisement for routes outside of an AS, but not completely stop misconfiguration for prefixes associated to that AS

It's because nowadays there's too much abstraction on top of everything. even C as a programming language regarded as "low level" is one hell of an abstraction.

The entire world has agreed on and uses BGP good luck doing that again on such a fundamental aspect to how the internet works.

lol good luck

​@@DeadlyDragon_ Obsolete was not the best word choice. You can layer them if you want to. But SCION can prevent the BGP attacks that he is talking about in the video. I think it is real attractive for ISPs. Some ISPs even support it already.

@@NoerLuin I'll look into it, on a quick read of the homepage it doesn't have much in terms of technical details. I'd need to see exactly what it is doing before I could speak with a more informed opinion of it.

@@DeadlyDragon_ They have a lot of resources under the publications tab. There is an open source implementation as well (netsec-ethz/scion).

70% fixed

You think we in Europe are all good if America gets taken out? 😂

Reminds me of DNSSEC. Heavily used in my country and has been for years, while the rest of the world is slowly catching up.

@@jonathanclyde4725 mostly yeah

The EU will destroy our economy but at least our protocols are slightly better and we forced Apple to put USB-C on iPhones. I'd call that a good deal.

Congratulations on your PHD

Thanks!

Could you share more information, or maybe your articles on this? Why is RPKI not enough? No offence - i am genuinely curious :)

@@arkadiuszniedziela3605 yt will block links but there’s papers about downgrade attacks on rov. Just block the AS running the rpki and rov will do nothing

Forged origin hijacks etc bypass it

sorry buddy you're going to have to do the CCNP-SP to really learn about it

@@williamjohnson4297 Well, Im still a junior so there is much to learn about everything before I know what to dig into. Besides right now I prefer to work as a consultant and get experience instead of sitting at an ISP.

@@williamjohnson4297 sounds like something that when if think you understand it, you really don't and there's so much more lol

Retired from breathing is dope. Thank you

Never attribute to malice what you can explain by laziness. The US internet existed LONG before anyone could spell s-e-c-u-r-i-t-y, so there isn't any, and no one can be bothered to do anything about it. (until someone steals your netblocks...)

@@jfbeam That's a great lie, the "Never attribute to malice what you can explain by laziness" thing. You should start looking at yourself.

@@jfbeam Yes, super smart people and huge companies didn't fix a glaring issue that has caused massive outages because of "laziness", not because someone is benefiting from it... Just like how the US is too lazy to shut down onion routing right?

It's less likely nowadays due to some other security features in other protocols (HTTPS, DNSSEC, etc.). Even if you can hijack the routes, the certificate will be invalid or DNSSEC verification will fail. There are probably other security features too in place. Less likely, cause theoretically you can still get a CA to issue you a new certificate, and force the domain registrar to remove/update the DA record (or just disable DNSSEC) - but that's a huge effort. I agree with @jfbeam, just like IPv6, this seems to be more of a case of laziness since the onus is onto the ISPs and companies to implement it. Sure, the US can enforce it but why will they ever do that?

​​@@jfbeam I don't think that's a good principle to go by, though in this case I think either option is possible. We just didn't think of security back then if we compare it with today... But it's also possible someone from the government was up to no good. EDIT: I guess the laziness one may be more likely in this case (in my opinion, anyway), just saying the other option wouldn't be surprising either. It was just par for the course back then to ignore security.

Your mom.

While 35 years is correct, the internet existed before BGP. EGP, Exterior Gateway Protocol, was the older version of basically the same thing

​@@dannyarcher6370 wtf

@@jmickeyd53 Correct. By "start taking off", I was refering to the 90s. BGP began it's life in 1989.

@@jmickeyd53 arpanet IMNOTTRYNABETHATGUY i know it's a semantical thing im js im js !!

Why?

3:01

Thank you, everyone forgets this. I feel like rpki is more for trying to get all LIRs into administrative order. RPKI protocol currently feels too bulky and odd in its implementation. We need to sign witch autonomous systems are allowed to peer with each other in the ROAs.

@@bulko89 rpsl/irrd solved all of this long ago. but the US domestic ISPs deemed themselves too important to express their routing policy explicitly. they literally have little idea how to do so in rpsl so they claim it shouldn't be needed. despite the entire purpose of it to be preventing of rogue asn attacks. if your filters are based on accepted rpsl you would see them update their rpsl policy before their live network changes and detect the problem a priory. now think about why you would not want that security as a baseline. now you know why it hasn't changed.

Not only that, ARIN disabled RPKI and IRR for anyone with "legacy ip blocks". So if your company (IE every major ISP) had a large block assignment before 1999, RPKI is not available to you.

RPKI RTR version 2 addresses this by adding ASPA support as PDU type 11. ASPA holds tables of AS customers and their providers. It uses this table to validate the AS path of the announcement. I'm in the middle of implementing this for my network.

I just installed Kludges on my system last week. It is great.

I even forget yesterday was 9/11 lol

There are a whole lot of easier ways for governments to hijack routes than this 😂

i work at an ISP and i can confirm, there's no way RPKI is being fully implemented before something like ipv6 which has actual real world application to keep customers online. truth is you're often stuck with the cards you're dealt. no business owner in their right mind will want to purchase, labtest, configure, replace, equipment that can go from 100k all the way to the millions, guaranteeing degraded operations during it's replacement, all for the sake of adding a small extra layer of security when the shitty system we have is already proven to be "secure enough" most of the time. the bigger the ISP the bigger the cost and self risk associated with replacing infrastructure, and it's also the big ISPs that have the biggest risk and impact to others when something does go wrong. thankfully the biggest ISPs are also less likely do have something go wrong, whether maliciously or accidentally. for reference, the boxes responsible for routing in the Tbps that terminate sea cables are so expensive that you only afford the minimum reasonable redundancy, and you absolutely never want to take it down for maintenance unless you absolutely need to. in short, i really really doubt RPKI is ever going anywhere globally because of logistics on actually implementing it and the perceived "not really necessary" aspect. personally i hope someone makes something better built on top of BGP itself without a requirement for external validation tools.

@@BattousaiHBr that has been happening since a lot of time, they just change things when market obliterates them or when government has a bomb on top of them, aside that, those people are not going to change any wire to get those billion bonuses for their "work".

Lets be honest, there is way. It's the government paying for it. Because that's what all of these kind of companies do: avoid spending any more money on their infrastructure for as long as possible to get as much profit from it as can get -> wait for the government to pay for the upgrade themselves once is big enough an issue -> pretend was them that made the upgrade for the good of their customers -> repeat.

@@Vaeldarg Last time the government tried paying for it, the ISPs took the money and ran with it. They upgraded nothing and never had to pay the money back.

@@Daktyl198 Why do you think these companies like having the government pay for it so much? It's exactly because sometimes the government messes up with the fine print and it lets them do that ON TOP of getting free upgrades. The problem stays needing to be fixed, so the government is forced to just have to give more money anyway.

Having control of this FQDN, they could quickly have a brand new TLS certificate issued for it via certbot since all you need to get certified is to prove that you have control of the FQDN. They had this control because they hijacked the DNS records (Route 53 is the AWS DNS service). Certbot basically just communicates with LetsEncrypt via the ACME protocol which will send an HTTP-01 challenge to the FQDN at port 80 and see if your server responds appropriately. So, if someone can override your DNS, they can steal your TLS certification as well. You can prevent this by issuing your own TLS certificates and installing your Root or Intermediate CA certificate in the browsers that are allowed to visit your site, but this proves to be practically ludicrous if you want anyone to be able to access your site.

I don't know why my previous comment doesn't show, so I'll repeat it here. To get a TLS certificate issued to your server you usually use something like certbot. All certbot does is communicate with LetsEncrypt via the ACME protocol. LetsEncrypt tests your server by sending it an HTTP-01 challenge on port 80. This challenge is drected at the FQDN you claim to own. The very same FQDN that your DNS (Route 53 is the AWS DNS service) is resolving to your servers IP address. So, if they've hijacked the DNS records that resolve the given FQDN to their malicious server, then they can easily convince LetsEncrypt to issue them a brand new TLS certificate saying they are the FQDN owners. Your browser will happily check the malicious site as secure. The only way to prevent this is to issue your own TLS certificates and to install your Root or Intermediate CA certificates in all of the browsers that are allowed to have access to your site. If you need random people to be able to sign up and use your site, this is obviously impractical and no-one does it.

If someone overrides your DNS record that maps the trusted FQDN to your sites IP address, they can just issue a new TLS certificate for their server and your browser will happily mark it as safe.

This is super simple to do in like less than 5 seconds if their server is prepped with certbot.

The only way to stop this with HTTPS (TLS) is to issue your own certificates and to manually install your Root or Intermediate CA certs in all the browsers that are allowed access to your site.

3:01

The most recent Veritasium video suggests that the phone network suffers from the same "trust me bro" vulnerability

Here's another one: Freddie Wong

Well, clearly a 9/11 reference/joke at 03:01