Back | eWEEK.com | Search
In the Obama Era, Routing Has to Change, Too
By: Larry Seltzer
2009-02-13
There are 4 user comments on this Network Security & Hardware story.
Receive eWeek news alerts on your mobile device.
Get the latest breaking news with mobile-formatted article links.
Click here to subscribe
E-mail
Print
PDF Version
If you're looking for the really serious security issues to address, ones that might need government help, securing BGP should be on the short list.
If you were in charge of the nation's cyber-security what would youfocus on? One really scary problem that doesn't get enough attention isthe insecurities in BGP, the router protocol of the Internet. BGP hasbeen getting some attention as of late from Homeland Security, but it'sstill way down the list of sexy computer problems.
The Obama administration has begun its promised cyber-security initiative by appointing Melissa Hathaway to the National Security Councilfrom where she will head the effort. Hathaway will begin with a 60-dayreview of the Bush administration's five-year, $30 billionComprehensive National Cyber Security Initiative, which she helped todevelop. During the campaign Obama promisedthat he would "make cyber-security the top priority that it should bein the 21st century. I'll declare our cyber-infrastructure a strategicasset, and appoint a national cyber-adviser, who will report directlyto me." Hathaway will be a few rungs down the ladder from that, but onehopes she has real authority anyway.
Many of you may have wondered from time to time about the bigattacks we don't discover. The really sophisticated cyber-attacks gounnoticed, with all their tracks covered up at the end. I'm sure suchattacks occur, especially in espionage where you are only collectinginformation and not causing any real damage. And I would bet that theseunnoticed attacks use BGP injection.
Hardening the BGP infrastructure was on the agenda at the Department of Homeland Security recently.We're all a little more familiar lately with DNS cache poisoning, whichenables DNS spoofing, but BGP spoofing is even worse. There'sessentially no defense against it. If I execute a well-designed spoof Ican impersonate anything on the Internet. You may have no way to tellthe difference.
About a year ago, overreacting in an effort to disable some YouTube videos, Pakistan Telecom used BGP injection to spoof YouTubein order to block access to it inside the country. It's an interestingenough story just for what it says about the actors involved, but itshows the power of BGP abuse. Pretty much anyone in Pakistan who wentto YouTube connected instead to a different page with some messageabout it being unavailable.
I should note that DNSSEC is also an important initiative that deserves government attention. It has gotten some, even if they are running behind schedule on it.DNSSEC works by using public key cryptography to let clients verify theidentities of DNS servers they deal with. The need for DNSSEC becamemore clear last year after the revelation of the Kaminsky bug
The main ideas for how to fix BGP work along the same lines: use PKIand sign router communications. Some are calling it BGPSec, some RPKI.Geoff Huston of APNIC says of the problem:" All these attacks rely onone feature of BGP: the ability for a party to 'lie' in routing and forthe lie to propagate across the entire network and not be readily andautomatically detected as a lie. The RPKI is an essential component ofa mechanism that allows such routing lies to be readily identifiable byeveryone else using automated processes"
DNSSEC has been around for about 10 years and has barely eeked intothe real Internet. RPKI is far behind that. Unlike DNSSEC, there isn'ta standard or even an agreed-upon approach. Steve Bellovin of Columbia University, one of the experts on this subject, notes that there are two primary secure BGP proposals and neither has consensus behind it.Bellovin thinks that both proposals are flawed and that a better onemay be needed. If this is an area where DHS money could help, then it'stime to open the taps and let the money flow.
I wonder whether an opportunity was missed in recent years, in that routers have recently begun adding support for 32-bit ASN numbers.Each network on the Internet has a unique identifying number. Untilrecently these were 16-bit integers, but this pool will run out soon,so the IANA began distributing 32-bit ASN numbers. It would have beennice if a secure BGP spec had been available to add at the same time.
If I'm expecting the federal government to focus only on the reallybig problems then this is one of them. If the Obama administrationmakes cyber-security progress on nothing but DNSSEC and securing BGPthen they will have done a good job.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.
© 2009 Ziff Davis Enterprise, Inc.
Mobilized by mDog.com
