Route diffusion technology

Source: Internet
Author: User

One of the most important ways GFW works is to block IP addresses at the network layer. In fact, GFW uses an access control method that is far more efficient than the traditional access control list (ACL): route diffusion technology. Before analyzing this new technology, let's look at the traditional technology and introduce several concepts.

Access control list (ACL). An ACL can work at Layer 2 (the link layer) or Layer 3 (the network layer) of the network. The basic principle is as follows. To control access to an IP address using an ACL on a router (for example, to cut it off), you only need to add the IP address to the ACL through configuration and define a control action for it, such as the simplest action, discard. When a packet passes through the router, it is matched against the ACL before it is forwarded. If the packet's destination IP address exists in the ACL, the action defined in the ACL for that address is performed, such as discarding the packet. In this way, access to the IP address is cut off through the ACL. An ACL can also be used to control the source address of a packet. If the ACL works at Layer 2, the object it controls changes from the Layer 3 IP address to the Layer 2 MAC address. By its working principle, the ACL inserts an ACL-matching operation into the normal packet forwarding process, which inevitably affects forwarding efficiency: if a large number of IP addresses must be controlled, the ACL becomes longer, matching against it takes longer, and forwarding efficiency drops, which is intolerable for some backbone routers. GFW's network control method instead uses the redistribution function of OSPF and other routing protocols; it can be said that this is a normal function.

Dynamic routing protocols. Before discussing route redistribution, a brief introduction to dynamic routing protocols. Under normal circumstances, the various routing protocols on a router, such as OSPF, IS-IS and BGP, each calculate and maintain their own route tables, and the route entries generated by all protocols are finally gathered into one routing management module. For a given destination IP address, each routing protocol may calculate a route, but which protocol's route is actually used to forward a specific packet is selected by the routing management module according to certain algorithms and principles; in the end one route is chosen and used as the route entry. In contrast to the dynamic route entries calculated by dynamic routing protocols, a static route is configured manually by the administrator rather than by a routing protocol; this is the so-called static routing. Such a route entry has the highest priority: when a static route exists, the routing management module selects it first, in preference to a dynamic route calculated by a routing protocol.

Route redistribution. As just said, under normal circumstances each routing protocol only maintains its own routes. In some cases, however, this is not enough. Suppose there are two autonomous systems (AS), each running OSPF internally; OSPF does not interwork between the two AS, so their routes cannot interwork either. To enable communication between the two AS, a BGP session is run between them and configured so that the routes calculated by OSPF in each AS are redistributed to the other through BGP. BGP advertises the routes inside each AS to the other AS, and the two can then communicate. In this case, OSPF route entries are redistributed through BGP. Another case: the administrator configures a static route on a router, but that static route only works on this router. If you want it to work on other routers, the most laborious way is to manually configure the static route on each router, which is very troublesome. A better way is to redistribute the static route through a dynamic routing protocol such as OSPF or IS-IS. The static route is then redistributed to the other routers through the dynamic routing protocol, saving the trouble of configuring routers one by one.

The working principle of GFW's route diffusion technology can be described as "misuse". Normally a static route is provided by the administrator based on the network topology or for other purposes; at the very least the route is correct, and it guides the router to forward packets to the correct destination. The static route used in GFW's route diffusion technology is an incorrect route, and it is configured incorrectly on purpose. The purpose is to direct all packets originally sent to an IP address to a "black hole server" instead of forwarding them to the correct destination. The black hole server may do nothing, so that the packets are lost silently. Beyond that, the packets can be analyzed and counted on the server to obtain more information, or even answered with a false response. With this new method, each IP address previously configured in an ACL is converted into a deliberately incorrect static route that directs the corresponding IP packets to the black hole server. Through the route redistribution function of the dynamic routing protocol, this incorrect routing information is published to the entire network. Each router then only performs a regular forwarding action based on this route entry, and no ACL matching is required, so compared with the old method the packet forwarding efficiency is greatly improved. The routers forward the packets to the black hole server, which both improves efficiency and controls the packets.

This technology is not used in normal network operations, because wrong routing information disturbs the network. Normal network operations and the control system differ greatly: the control system needs to block many more IP addresses. In normal operations ACL entries are usually fixed, few in number and rarely changed, so they have little impact on forwarding. This technology, by contrast, modifies the backbone route table directly and frequently, and if a problem occurs it will cause a backbone network failure. This is why GFW uses route diffusion technology while, under normal circumstances, no carrier would spread wrong routing information. Put another way, compared with normal network operations, GFW applies route diffusion technology in a clever way: a normal routing protocol function is abused, and the result is very practical and efficient. Chao is truly talented in this respect.

The GFW dynamic routing system can be summarized as follows: a static route (r) is manually configured (c) on a sample router (sr), and this route (r) is spread to the egress router (or) of each ISP, transferring specific network traffic to the black hole server (fs) for recording. Items that can be measured therefore include:
(r) the blocked IP list: user reports can be collected through a collaborative reporting mechanism, or by scanning sites by name (rumor: the capacity of the GFW dynamic routing system is several hundred thousand rules);
(or) the ISP egress routers affected by GFW: measurable by collaborative traceroute from nodes in multiple ISPs across the wide area;
(or)-(c) the latency from keyword effectiveness to dynamic routing effectiveness: establish a honeypot, submit it to GFW and observe its response;
(fs) the robustness of the black hole server: fill the black hole server with spoofed-source noise traffic and observe its response.
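The following is an added illustration, not code from the article, of the route selection and redistribution mechanism described above: a sample router (sr) holds a deliberately wrong static route, redistributes it to two ISP egress routers (or), and an audit function reports which prefixes now resolve to the black hole server (fs). Router names, the administrative distances, the sink address and all prefixes are constructed assumptions.

```python
import ipaddress
# Constructed administrative distances (lower wins): static beats learned routes.
ADMIN_DISTANCE = {"static": 1, "bgp": 20, "ospf": 110}

class Router:
    """Minimal routing management module: one table, longest-prefix match,
    ties broken by administrative distance."""
    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, protocol, next_hop)

    def add_route(self, prefix, protocol, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), protocol, next_hop))

    def best_route(self, dst):
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if ip in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: (r[0].prefixlen, -ADMIN_DISTANCE[r[1]]))

    def redistribute(self, from_protocol, into_protocol, peers):
        """Re-advertise one protocol's routes to peer routers as routes of
        another protocol: the redistribution step the article relies on."""
        for net, proto, next_hop in self.routes:
            if proto == from_protocol:
                for peer in peers:
                    peer.add_route(str(net), into_protocol, next_hop)

def blackholed_prefixes(router, sink_addresses):
    """Audit check: every prefix whose selected next hop is a known sink."""
    hits = set()
    for net, _, _ in router.routes:
        chosen = router.best_route(net.network_address)
        if chosen[2] in sink_addresses:
            hits.add(str(chosen[0]))
    return sorted(hits)
BLACKHOLE = "192.0.2.254"  # constructed black hole server address

def build_scenario():
    """Sample router (sr) pushes a deliberately wrong /32 to two ISP egress
    routers; all addresses are constructed documentation ranges."""
    sr, isp_a, isp_b = Router("sr"), Router("isp-a-egress"), Router("isp-b-egress")
    for egress in (isp_a, isp_b):
        egress.add_route("198.51.100.0/24", "bgp", "203.0.113.1")  # legitimate path
    sr.add_route("198.51.100.7/32", "static", BLACKHOLE)  # wrong on purpose
    sr.redistribute("static", "ospf", [isp_a, isp_b])
    # Arrives at the egress routers as OSPF (distance 110, worse than BGP) yet
    # wins, because longest prefix is compared before administrative distance.
    return sr, isp_a, isp_b
```

Running `build_scenario()` and then `blackholed_prefixes(isp_a, {BLACKHOLE})` lists the single injected /32, while neighbouring addresses in the /24 still follow the legitimate BGP path.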
