Saturday, 29 September 2012

In-depth Understanding of GFW — Routing Diffusion


IP blocking at the network layer is one of the GFW's important functions. For this the GFW uses a method far more efficient than the traditional Access Control List (ACL): routing diffusion. Before analysing this newer technique, we first look at the traditional technique and introduce a few concepts.
Access Control List (ACL)
An ACL can work at layer 2 (the link layer) or layer 3 (the network layer). Taking a layer-3 ACL as an example, the basic principle is as follows. To control (for example, cut off) access to an IP address with a router ACL, the IP address is configured into the ACL together with the control action required for it, the simplest being to discard. When a packet passes through this router, it is matched against the ACL before being forwarded; if the packet's destination IP address is present in the ACL, the control action defined for that address is applied, for example the packet is discarded. In this way the ACL cuts off access to that IP address. An ACL can also control packets by their source address. If the ACL works at layer 2, the object it matches changes from a layer-3 IP address to a MAC address. From the way an ACL works it can be seen that it inserts a matching operation into the normal packet forwarding process, which inevitably affects forwarding efficiency: the more IP addresses need to be controlled, the longer the ACL becomes, the longer the match takes, and the lower the forwarding efficiency, which is intolerable for some backbone routers.
Routing protocols and route redistribution
The GFW's network control method uses the route redistribution function of routing protocols such as OSPF. This can be described as a "distorted use" of what was originally a normal function.
Dynamic routing protocols
Before discussing route redistribution, a brief word on dynamic routing protocols. Under normal circumstances a router runs a variety of routing protocols such as OSPF, IS-IS and BGP; each calculates and maintains its own routing table, and the entries generated by all routing protocols are finally summarized into a routing management module. For a given destination IP address, several routing protocols may each have calculated a path. Which protocol's route is actually used to forward a packet is decided by the routing management module, which selects one route according to certain algorithms and rules of preference and uses it as the actual routing entry.
Static Routing
In contrast to the dynamic routing entries calculated by dynamic routing protocols, there are routes that are not calculated by any routing protocol but configured manually by the administrator; these are called static routes. A static route entry has the highest priority: where a static route exists, the routing management module prefers it over the routes calculated by dynamic routing protocols.
Route Redistribution
As just said, under normal circumstances each routing protocol maintains only its own routes. In some cases, however, such as two Autonomous Systems (AS) that each run OSPF internally, OSPF routes cannot be exchanged between the two ASes, so the routes of the two ASes do not interoperate. To achieve interoperability, the inter-domain routing protocol BGP is run between the two ASes and configured so that the routes each AS calculated with OSPF are redistributed into BGP. BGP then advertises each AS's internal routes to the other AS, and the routes of the two ASes interoperate. In this case BGP redistributes the entries of the OSPF routing protocol.
Alternatively, an administrator may configure a static route on a router, but that static route works only on that router. If it should also work on other routers, the most clumsy way is to configure the static route manually on every router, which is very troublesome. A better way is to have a dynamic routing protocol such as OSPF or IS-IS redistribute the static route: the dynamic routing protocol propagates the static route to the other routers, eliminating the trouble of router-by-router manual configuration.
GFW Routing Diffusion Technology Principle
As said earlier, this is a "distorted use". Under normal circumstances a static route is given by the administrator based on the network topology or for other purposes; if the route is correct it guides the router to forward packets to the correct destination. The static route used by the GFW's routing diffusion technique is a wrong route, and it is configured wrongly on purpose. Its aim is to lead all packets that should have been sent to a given IP address to a "black hole server" instead of forwarding them to the correct destination. The black hole server may do nothing, in which case the packets are silently lost. It may also go further and analyse these packets and collect statistics to obtain more information, or even send false responses.
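The mechanism described above, as an added model that is not part of the original post: a sample router holds a deliberately wrong static /32, "redistribute static" pushes it into the OSPF domain, and the longest-prefix match on every entrance router then sends that one address to the black hole while the rest of the /24 still follows the real path. Router names, addresses and the administrative-distance values are constructed assumptions.

```python
import ipaddress

# Administrative distance, lower wins: the common defaults (static 1, OSPF 110).
# The whole router model below is constructed for illustration, not vendor code.
DISTANCE = {"static": 1, "ospf": 110}

class Router:
    """Minimal router: prefix -> (protocol, next hop), longest-prefix match."""
    def __init__(self, name):
        self.name = name
        self.routes = {}

    def add_route(self, prefix, protocol, next_hop):
        net = ipaddress.ip_network(prefix)
        current = self.routes.get(net)
        # Same prefix: the lower administrative distance wins (static beats OSPF)
        if current is None or DISTANCE[protocol] < DISTANCE[current[0]]:
            self.routes[net] = (protocol, next_hop)

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        return self.routes[max(matches, key=lambda n: n.prefixlen)][1] if matches else None

def redistribute_static(origin, others):
    """Model 'redistribute static' into OSPF: each static route on the origin
    shows up on the other routers as an OSPF route with the origin as next hop."""
    for net, (proto, _) in origin.routes.items():
        if proto == "static":
            for r in others:
                r.add_route(str(net), "ospf", origin.name)

def forward_path(routers, start, dst):
    """Follow next hops from `start` until the packet leaves the modelled routers."""
    path, hop = [start], routers[start].next_hop(dst)
    while hop in routers:
        path.append(hop)
        hop = routers[hop].next_hop(dst)
    return path + [hop]

def build_demo():
    """Constructed topology: sample router 'sr' holds the deliberately wrong
    static /32; two ISP entrance routers learn it through redistribution."""
    sr, isp_a, isp_b = Router("sr"), Router("isp_a"), Router("isp_b")
    for r in (sr, isp_a, isp_b):
        r.add_route("198.51.100.0/24", "ospf", "upstream")  # the real path
    sr.add_route("198.51.100.7/32", "static", "blackhole")  # wrong on purpose
    redistribute_static(sr, [isp_a, isp_b])
    return {r.name: r for r in (sr, isp_a, isp_b)}
```

No ACL is consulted anywhere: the entrance routers block purely through their normal forwarding lookup, which is the efficiency argument the post makes.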
Evaluation
With this new method, each IP address previously configured in an ACL is converted into a deliberately wrong static route. This static route directs the IP packets for the corresponding address to the black hole server, and through the redistribution function of a dynamic routing protocol these false routes are published to the entire network. For a router, blocking now requires only the regular packet forwarding action based on this route entry, with no further ACL match as in the old method, which greatly improves forwarding efficiency. This routine forwarding action delivers the packet to the black hole, so it not only improves efficiency but also achieves the purpose of controlling the packet; the means is cleverer.
This technique is not used in normal network operation, because the wrong routing information would disrupt the network's routing. The requirements of normal network operation and of a control system differ greatly: a control system needs to mask more and more IP addresses, whereas in normal operation ACL entries are generally fixed, change little and are few in number, so they do not significantly affect forwarding. This technique changes the backbone routing table directly and frequently; if something goes wrong, the result is a failure of the backbone network.
So the GFW's routing diffusion technique is a crooked one: under normal circumstances no operator would spread wrong routing messages everywhere, which is an entirely crooked idea. Relative to normal network operation, however, the GFW's routing diffusion is a little clever. A normal function of the routing protocol is being abused, yet the result is very practical and efficient; Tian move is really talented in this regard.
Measuring
  • The GFW dynamic routing system can be summed up as: a static route (r) is manually configured (c) on a sample router (sr); this route (r) is diffused to the entrance routers of every ISP (or); network traffic is drawn to a particular black hole server (fs) for recording. The following items can therefore be measured:
  •     (r) the blocked IP list: it can be collected through a user reporting mechanism or a collaborative report, or obtained by scanning well-known sites (rumour: the GFW dynamic routing system has a capacity of hundreds of thousands of rules);
  •     (or) the ISP entrance routers affected by the GFW: measurable by traceroute from multiple cooperating nodes inside the ISP's WAN;
  •     (or) – (c) the delay from dynamic routing taking effect: create a honeypot, submit it to the GFW, and observe the response;
  •     (fs) the robustness of the black hole server: fill the black hole with traffic from a noise source or a pseudo-server and observe its response.
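The second measurement item above, the traceroute comparison, as an added example that is not part of the original post: a trace to an address in the blocked list is compared with a control trace to a neighbouring address of the same /24, the last common hop marks the entrance router where the diffused route takes effect, and a trailing run of unanswered hops is the black-hole signature. The traceroute output is constructed, not a real measurement.

```python
import re

# Constructed traceroute output in Linux `traceroute` format; not real measurements.
CONTROL_TRACE = """\
traceroute to 198.51.100.8 (198.51.100.8), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  0.412 ms  0.380 ms  0.371 ms
 2  10.0.1.1 (10.0.1.1)  1.903 ms  1.880 ms  1.866 ms
 3  203.0.113.1 (203.0.113.1)  8.114 ms  8.097 ms  8.080 ms
 4  203.0.113.9 (203.0.113.9)  9.220 ms  9.201 ms  9.187 ms
 5  198.51.100.8 (198.51.100.8)  15.611 ms  15.590 ms  15.574 ms
"""
BLOCKED_TRACE = """\
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  0.420 ms  0.391 ms  0.377 ms
 2  10.0.1.1 (10.0.1.1)  1.911 ms  1.890 ms  1.872 ms
 3  203.0.113.1 (203.0.113.1)  8.120 ms  8.101 ms  8.088 ms
 4  * * *
 5  * * *
 6  * * *
"""

# A hop line starts with the hop number, then either '*' or the responding host.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\*|\S+)")

def parse_hops(text):
    """Per-hop responding address, or None for a hop that only timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(None if m.group(2) == "*" else m.group(2))
    return hops

def entrance_router(control_hops, blocked_hops):
    """Last hop common to both traces: where the diffused route first takes effect."""
    shared = None
    for c, b in zip(control_hops, blocked_hops):
        if c != b:
            break
        shared = c
    return shared

def looks_blackholed(blocked_hops, min_silent=3):
    """True when a trace that answered at first ends in >= min_silent silent hops.
    A silent tail alone proves little (a firewall dropping ICMP looks the same),
    hence the comparison with the control trace to a neighbouring address."""
    tail = 0
    for h in reversed(blocked_hops):
        if h is not None:
            break
        tail += 1
    return 0 < tail < len(blocked_hops) and tail >= min_silent
```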
References
Liu Gang, Yun Xiaochun, Fang Bin-Xing, Hu Ming-Zeng. "Design and Research of a Large-Scale Network Access Control System with Hybrid Router Configuration." Journal of Communication, 24(10): 159-164, 2003.
Li Lei, Li Qiaopei, Chen Xun Xun. "An IP Access Control Technology to Achieve." Information Technology, (6), 2001.

From http://gfw.rixtox.com/?p=184