Ensuring Election Integrity: The Case for Temporary Internet Shutdowns by ISPs

 Objective :-

In light of the escalating violence during elections fueled by social media, imposing an internet ban at the ISP level becomes a crucial measure. Platforms such as Facebook, Twitter, and WhatsApp, while valuable for communication and political engagement, have been increasingly misused to spread misinformation, incite hatred, and organize violent activities. The rapid and unchecked dissemination of inflammatory content poses significant threats to public safety and democratic processes. Therefore, a temporary internet shutdown by ISPs, though drastic, is necessary to prevent further unrest, ensure public order, and protect the integrity of the electoral process.
 

 Fig : 1 No internet at user end

 
Let's take a deep dive into how this is done at the ISP end, with an explanation of a scenario.
 
Scenario-1: In France, a presidential election is going on. Due to the threat of separatists, Orange ISP wants to shut down internet service across France during the election period (96 hrs approx.). How is it done?
 
Basic Overview of BGP: -

 

BGP is the routing protocol used for the internet. It is an AS-by-AS routing protocol. Every ISP has a peering connection towards its upstream provider, which plays a crucial role in internet reachability.

 

How does internet connectivity work at the user end?

 

Tier-3 to Tier-1 ISP interconnectivity for Internet access: -

 

Tier-3 to Tier-1 ISP interconnectivity is a foundational aspect of providing seamless internet access worldwide. Tier-3 ISPs are local providers that serve end-users, such as homes and small businesses, often relying on regional Tier-2 ISPs for broader connectivity. These Tier-2 ISPs, in turn, connect to Tier-1 ISPs, which are the backbone of the internet, offering the most extensive networks and global reach. Tier-1 ISPs peer with each other to exchange traffic without cost, forming the core of the internet’s infrastructure. This hierarchical interconnectivity ensures that data from a user in a small town (Tier-3) can efficiently reach servers or users across the globe (Tier-1), facilitating robust, scalable, and reliable internet access.

 

Fig : 2 Interconnectivity of Tier-3 ISP to Tier-1 for internet access

 

Generally, the default route is used for upload traffic, and different policies are defined in BGP for upload and download traffic.

Import-policy: Download the data-traffic

 

In the context of networking and Internet Service Providers (ISPs), an "import policy" typically refers to rules and configurations applied to incoming data traffic, meaning it pertains to downloading data. This involves the policies that an ISP or network administrator sets to manage and control the data that is received from other networks.

 

1. Download Traffic: Import policies primarily govern the data being downloaded to the network. This can include filtering, prioritizing certain types of traffic, or blocking unwanted traffic.

2. Routing Decisions: Import policies can influence routing decisions, determining which routes are accepted into the routing table from external sources, affecting how and where data is received.

3. Security Measures: These policies often include security measures to protect the network from malicious traffic, such as DDoS attacks, spam, or unauthorized access attempts.

An ISP might implement an import policy to ensure that only legitimate and necessary routes are accepted into their network from peering agreements with other ISPs. This helps in maintaining network stability, security, and efficient data flow for their customers.

Therefore, in networking terminology, "import policy" generally pertains to the handling and management of incoming or downloaded data traffic.

Export-policy: Upload the data-traffic

 In the context of networking and Internet Service Providers (ISPs), an "export policy" refers to the rules and configurations applied to outgoing data traffic, meaning it pertains to uploading data. This involves the policies that an ISP or network administrator sets to manage and control the data that is sent from their network to other networks.

1. Upload Traffic: Export policies primarily govern the data being uploaded or sent out from the network. This includes deciding which data or routes are shared with external networks.

2. Routing Decisions: Export policies can influence which routes are advertised to other networks. This can affect how data exits the network and how the network is perceived by peers and upstream providers.

3. Traffic Management: These policies can manage traffic flow, prioritize certain types of data, and ensure efficient use of bandwidth when sending data to other networks.

4. Security Measures: Export policies can include security measures to prevent the network from sending out malicious traffic, ensuring that the network is not a source of attacks or unauthorized data.

An ISP might implement an export policy to ensure that only necessary and optimized routes are advertised to their peers or upstream providers. This helps in maintaining network efficiency, security, and good relationships with other networks.

Therefore, in networking terminology, "export policy" generally pertains to the handling and management of outgoing or uploaded data traffic. It is essential for controlling how data is shared with external networks and maintaining the overall health and efficiency of the network.

Prefix-advertisement towards Upstream: -

Different user prefix blocks are advertised towards the ISP's upstream providers for reachability. Different BGP attributes are used to manipulate traffic so that the user gets a seamless response.

Local-preference:  It is used for influencing the routing decisions of incoming (download) traffic within a network. It helps network administrators manage and optimize how traffic enters their network, ensuring efficient and reliable data flow.

AS-Path Prepend: It is a strategic tool in BGP for influencing the direction of outbound traffic by making specific paths appear longer and less desirable to other networks. This helps in achieving traffic engineering goals such as load balancing and optimizing network performance.

Now back to our scenario ---

Orange ISP has 2 upstream providers:

 

Fig : 3 Upstream providers of Orange ISP

AS-by-AS route propagation is shown here:

 


 Fig : 4 AS-by-AS route propagation in Orange ISP

User prefix blocks, for the sake of an example:

u*>i  172.26.8.0/24
u*>i  172.26.14.76/30
u*>i  172.26.14.80/30
u*>i  172.26.22.0/28
u*>i  172.26.22.16/28
u*>i  172.26.22.24/29
u*>i  172.26.22.32/27
u*>i  172.26.22.64/27
u*>i  172.26.22.96/27
u*>i  172.26.22.160/27
u*>i  172.26.22.176/28
u*>i  172.26.22.192/27
u*>i  172.26.27.0/25
u*>i  172.26.39.32/27
u*>i  172.26.44.0/29
u*>i  172.26.50.128/26
u*>i  192.168.243.0/25
----------------------------------------------

Here, u*>i denotes the best routes received in the BGP route table.

To block Gi traffic (internet traffic), the routes advertised towards the MPBN need to be blocked.

Under normal conditions, the 17 prefix blocks above are advertised towards both upstream providers to get reachability for internet access. Local-preference and AS-path prepend can be adjusted as required to give a seamless response for download and upload traffic respectively.

Step-1: Drop the default route towards the MPBN end.

1.      First, check the MPBN peer IP among the BGP neighbors.

Before

*B:France-router-1>config>router>policy-options# policy-statement "policy-default"
*B:France-router-1>config>router>policy-options>policy-statement# info
----------------------------------------------
                entry 10
                    from
                        prefix-list "prefix-default"
                    exit
                    action accept
                    exit
                exit
                default-action drop
                exit
----------------------------------------------

After

*B:France-router-1>config>router>policy-options>policy-statement "policy-default"
----------------------------------------------
                entry 10
                    from
                        prefix-list "prefix-default"
                    exit
                    action drop    # need to drop
                    exit
                exit
                default-action drop
                exit
----------------------------------------------

Step-2: Remove the import policy so that the advertised prefix blocks automatically deny traffic at the peer.

Before

*B:France-router-1>config>router>bgp
                group "to_FR-Internet-Primary"
                    next-hop-self
                    type external
                    multihop 5
                    remove-private
                    export "deny-all"
                    local-as 60410
                    peer-as 4755
                    neighbor 154.0.176.252
                        description "to_FR-Internet-Primary"
                        authentication-key "5ywEP73dR5vNoAYbu/H27FRIOxsFF4GVV7yb" hash2
                    exit
                exit

After

*B:France-router-1>config>router>bgp
                group "to_FR-Internet-Primary"
                    next-hop-self
                    type external
                    multihop 5
                    remove-private
                    import "deny-all"    # need to remove import policy
                    export "deny-all"
                    local-as 60410
                    peer-as 4755
                    neighbor 154.0.176.252
                        description "to_FR-Internet-Primary"
                        authentication-key "5ywEP73dR5vNoAYbu/H27FRIOxsFF4GVV7yb" hash2
                    exit
                exit


Note: The authentication key is applied here for authentication, on the security side. In the same way, the neighbor IP is used for BGP peer formation, and peer-as indicates the far-end neighbor's AS. Normally every ISP uses two routers, a primary and a secondary, so the same process is repeated on router-2 to achieve the defined objective. To resume internet connectivity, change the action from "drop" back to "accept" in policy-default and, in the same way, set the import policy to accept all in place of deny all.
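Both steps above are small routing-policy edits with network-wide effect, so they are worth catching in configuration review. The following is an added example, not part of the original post: it compares two configuration snapshots and reports the settings that changed to a blocking value. The snapshots are constructed from the listings above, the function names `settings` and `audit` are hypothetical, and matching on the policy name "deny-all" assumes the naming used in this post.

```python
# Constructed snapshots, abridged from the Before/After listings in this post.
BEFORE = '''
policy-statement "policy-default"
    entry 10
        from
            prefix-list "prefix-default"
        exit
        action accept
        exit
    exit
    default-action drop
exit
group "to_FR-Internet-Primary"
    export "deny-all"
    peer-as 4755
exit
'''
AFTER = BEFORE.replace("action accept", "action drop").replace(
    'export "deny-all"', 'import "deny-all"\n    export "deny-all"')

def settings(config):
    """Flatten a snapshot into {(object, setting): value} for the audited lines."""
    found, obj, entry = {}, None, None
    for line in config.splitlines():
        tok = line.split("#")[0].split()          # ignore trailing comments
        if not tok:
            continue
        if tok[0] in ("policy-statement", "group"):
            obj, entry = f"{tok[0]} {tok[1]}", None
        elif tok[0] == "entry":
            entry = tok[1]
        elif tok[0] == "action" and obj and entry:
            found[(obj, f"entry {entry} action")] = tok[1]
        elif tok[0] in ("import", "export", "default-action") and obj:
            found[(obj, tok[0])] = tok[1].strip('"')
    return found

def audit(before, after):
    """List settings whose new value blocks routes (drop/reject, or the
    "deny-all" policy name used in this post) and differs from the old one."""
    old, new = settings(before), settings(after)
    alerts = []
    for key, value in sorted(new.items()):
        was = old.get(key, "(not set)")
        if was != value and value in ("drop", "reject", "deny-all"):
            alerts.append(f"{key[0]}: {key[1]} {was} -> {value}")
    return alerts

if __name__ == "__main__":
    print("\n".join(audit(BEFORE, AFTER)))
```

Running the comparison in the other direction (After to Before) reports nothing, which matches the resume procedure in the note: restoring "accept" is not a blocking change.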

 


 

 

 

 


 
