Indeed, how do you find out there is a route in the first place?
The solution found was disappointingly simple: since most addresses are allocated in bulk (blocks), those who sit at the “gateway” of such blocks (called autonomous systems or AS) can maintain and publish tables of all the networks (prefixes) they route packets to (and any additional routes existing between them).
However, the de-centralized and inherently trusting nature of this arrangement (most anyone can publish a BGP table), a number of problems have arisen in practice.
The most recent is the one found and demonstrated by Anton Kapela and Alex Pilosov – a random AS on the Internet can falsely advertise routes so as to be selected as part of the best route between two arbitrary points (be they hosts or sub-networks) by every other AS. This amounts to push-button eavesdropping.
Solving such issues is, again, a matter of switching from an implicit trust model, such as the one used currently, to some other, more robust one. Additions to the protocol are proposed that would have routers cryptographically sign their routing tables, as well as sign for any tables published by routers “living” within their sub-net.
The rub, as always, is in the economic side of the equation: the existence of problems with BGP is known since at least Y2K, but the fix is very expensive (think replacing every border router at every ISP and more).
Moreover, unless and until everyone uses the new protocols, no-one is protected, because everyone must still accept unauthenticated routing info, to prevent the ‘net from falling to pieces. In other words, the first guy to buy the new hardware and implement the new software takes a financial hit for nothing, so does the second, and everyone keeps spending money for nothing until the one who’s the biggest cheapskate of them all finally decides that yes, it’s time to fix some glaring holes that have been there since time began.
There is only one way out of this conundrum, but it ain’t pretty: unless and until the cost of NOT implementing the fix are bigger than the costs of implementing it, nothing will happen.
We look forward to the inevitable eavesdropping lawsuits where spied-upon companies and individuals demand compensation from their ISPs for not implementing the features that would have made eavesdropping impossible. <obligatory_car_analogy>There’s precedent – motorists have won suits against city councils and road companies for damages in accidents caused by potholes. </obligatory_car_analogy>