Forgot your password?
typodupeerror
The Internet Security United States

Feds Plot Massive Internet Router Security Upgrade 101

Posted by timothy
from the let's-like-totally-upgrade dept.
BobB-nw writes "The U.S. federal government is accelerating its efforts to secure the Internet's routing system, with plans this year for the Department of Homeland Security to quadruple its investment in research aimed at adding digital signatures to router communications. DHS says its routing security effort will prevent routing hijack attacks as well as accidental misconfigurations of routing data. The effort is nicknamed BGPSEC because it will secure the Internet's core routing protocol known as the Border Gateway Protocol (BGP). (A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.) Douglas Maughan, program manager for cybersecurity R&D in the DHS Science and Technology Directorate, says his department's spending on router security will rise from around $600,000 per year during the last three years to approximately $2.5 million per year starting in 2009."
This discussion has been archived. No new comments can be posted.

Feds Plot Massive Internet Router Security Upgrade

Comments Filter:
  • by PixelThis (690303) on Thursday January 15, 2009 @10:00PM (#26477497)
    This plan to upgrade router security is a plot? Are there some nefarious evil masterminds behind it?
    • by MooseMuffin (799896) on Thursday January 15, 2009 @10:07PM (#26477547)

      Wrong meaning of plot. This is referring to a small patch of land.

      • by conureman (748753)

        I've a plot that wants securing. Stones & grapestakes are all I have to do it with.

      • Wrong meaning of plot. This is referring to a small patch of land.

        Weird. I thought they were talking about a storyline. Go figure.

    • Re:It's a plot! (Score:4, Interesting)

      by spazdor (902907) on Thursday January 15, 2009 @10:07PM (#26477549)

      I guess it depends on whether they're planning on submitting an RFC, or just creating a new Sekrit Routing Protocol that only Unca Sam's buddies will know how to implement.

      I dearly hope the DHS is at least smart enough to get this one right.

    • Re:It's a plot! (Score:4, Interesting)

      by ScrewMaster (602015) * on Thursday January 15, 2009 @10:08PM (#26477553)

      This plan to upgrade router security is a plot? Are there some nefarious evil masterminds behind it?

      Yeah, that sure put a negative spin on it, didn't it? Fact is, a good chunk of core Internet functionality continues to work only because nobody's yet made a concerted effort to break it on a significant scale. Eventually somebody will, either via a state-sponsored attack of some kind, or a tech-savvy terrorist outfit looking to make a name for itself (the two can't always be easily separated, when you get right down to it.) Either way, hardening this stuff is a good idea. Whether or not the Feds are doing to do it competently is another issue entirely.

    • by dmomo (256005)

      I also thought the word "plot" was a little odd. I think "Caper" would have been better than "Upgrade".

      Maybe it's our fault for associating the word with villainy when in fact in this case it merely means "to map out". Maybe all map makers were sinister back in the day. Who knows, but I'm sure they will begin to conspire, er... plot a racket to get their word back.

    • Re: (Score:3, Funny)

      by CarpetShark (865376)

      This plan to upgrade router security is a plot? Are there some nefarious evil masterminds behind it?

      No, just a bunch of colored pens.

    • Dictionaries plot [dict.org] to educate about the meanings of words.
      • by MrNaz (730548) *

        Given my observations of the use of language, it would seem that their evil machinations are not welcome here on Slashdot.

    • Its a trap! [youtube.com] SSBB reference

      Had to sorry regulars.

    • by Sleepy (4551)

      Well, I'm sure China considers this a plot to hamper their technology acquisition efforts. :)

  • by JoshuaZ (1134087) on Thursday January 15, 2009 @10:04PM (#26477533) Homepage
    For those of who aren't experts on this sort of thing, will this only increase security at things that are .gov? That's the impression I get but I don't know enough technically to be sure.
    • by Klootzak (824076) on Thursday January 15, 2009 @10:18PM (#26477635)

      will this only increase security at things that are .gov? That's the impression I get but I don't know enough technically to be sure.

      Pretty much... it means that when Router A says to Router B "I have a new path to this network." the routers will first authenticate eachothers identity utilizing Digital Signatures [wikipedia.org].

      Basically it's applying elements of PKI [wikipedia.org] to router communications, so the router receiving the information knows it can trust other router's updates. If you didn't do it I could (potentially) spoof updates and say "this network exists here now" and all the information destined for that network would then be routed to me to packet-sniff to my heart's content.

      This type of stuff (in addition to SSL/TLS [wikipedia.org] encryption of sensitive data communication channels) has been used internally in (most) Banking networks for awhile now, I'm actually surprised they didn't have something like it in place already.

      • by Anonymous Coward on Thursday January 15, 2009 @11:06PM (#26477957)

        If you didn't do it I could (potentially) spoof updates and say "this network exists here now" and all the information destined for that network would then be routed to me to packet-sniff to my heart's content.

        Couldn't you just not do that? Why do the Feds have to roll out a $600k program because of you? That is taxpayers money for gods sake!

        • +1 Funny! :) (Score:3, Interesting)

          by Klootzak (824076)

          Couldn't you just not do that? Why do the Feds have to roll out a $600k program because of you? That is taxpayers money for gods sake!

          I wouldn't do it (I don't even have an AS to play with anymore), and it's rather more complicated than my explination made out...

          I think a possible way to implement this would be a Hierarchical model where IANA [iana.org] has a top-level certificate for the trust and then it signs each regional NICs certificate, and they sign AS's which sign their subnets, then IANA could ask various NICs to revoke the Certificates of AS's that do dodgy things (like advertise subnets that aren't theirs), still it would require alot m

          • Re:+1 Funny! :) (Score:5, Insightful)

            by guruevi (827432) <evi@smo k i n g c ube.be> on Friday January 16, 2009 @12:20AM (#26478447) Homepage

            then IANA could ask various NICs to revoke the Certificates of AS's that do dodgy things

            Sounds like a great way to implement censorship or force traffic to follow certain (compromised) routes. Simply say: Wikipedia does something dodgy, they allow free speech and free information, let's revoke their cert (since IANA can be controlled by a government).

            The biggest 'problem' with all these 'old' protocols like DNS, SMTP, TCP/IP... is that they were built primarily (by the military) for allowing decentralized communication protecting against massive failures (due to atomic bombs) and secondary (as soon as the academics jumped on) to allow free communications, free speech and research (science) to flourish through open, decentralized, ungoverned communications (the message will get there one way or another) and censorship would be treated as damage and routed around.

            The 'problem' is that free speech also includes spam and other 'nasty' things to go through. To protect against that you need to start censoring the communications channels. As soon as you do that you destroy the original purpose of the Internet for what? Terrorists? Children? Hackers? Not really, the only people that would be able to successfully pull that off (rerouting major traffic through their own DNS or BGP-routers) against a clean subnet would have to be large enough to influence your life or make you do what they want without being deceptive which are currently, the ones that own the lines (but they won't do it because they would instantly lose their business) on the other hand they would like to clean house so they can oversell even more without adding capacity and governments (which have proved do anything to remain in control no matter the legality).

            Don't give up your free speech and the open nature of the Internet just because you are inconvenienced. If you are really inconvenienced by spam, just let the machine learn to ignore it. My mail server is set up to do so and there are wonderful tools that help you with that.

            • Re:+1 Funny! :) (Score:5, Insightful)

              by Klootzak (824076) on Friday January 16, 2009 @12:55AM (#26478605)

              Sounds like a great way to implement censorship or force traffic to follow certain (compromised) routes. Simply say: Wikipedia does something dodgy, they allow free speech and free information, let's revoke their cert (since IANA can be controlled by a government).

              Preaching to the converted here my friend...

              I immediately thought of this topic [theage.com.au] when I was reading the BGP article and thinking about the implications of a hierarchal structure (incidentally, they can pretty much "disconnect" direct connections between eachother NOW if they want to... but of course we can route around it, if required - adding encryption/PKI doesn't make all that much of a difference if people don't enforce it).

              See, Governments are still duking it out (Diplomatically and Militarily) while their populations talk to eachother on the net' - the wonderful thing about this is I can talk to you, not knowing if you're White, Black, Green, Yellow, Blue, Purple, Male, Female, American, French, Canadian, Belgian or Martian... if you call me an idiot, I can't say "You called me an idiot because I'm (insert racial/gender type here)", well, I CAN, but you can reply... "I didn't know that, but I still just think you're an idiot!".

              The concept of a Worldwide Global Communications network with almost ubiquitous availability is something we really haven't had for along time, it's going to take the Governments of the world a bit of time to get their head around it... Personally I think the Politicians/Diplomats of the world should read The Truth [wikipedia.org] by Terry Pratchett (if they haven't already), as it has alot of similar concepts regarding local, social, and geo-political issues in it, just with a different "new" Technology.

            • Woah, boy! (Score:3, Insightful)

              by mcrbids (148650)

              Ease off that hair trigger a bit, eh?

              I think you missed something rather fundamental - in the case of PP "dodgy" behavior meant doing illogical things with routing paths, not publishing unpopular or dissenting content!

        • Or maybe they want the protocol done in a way that NSA CAN subvert any router detouring it's packets through their own computers, sniffing and injecting (cocaine & herion?) to their hearts content.

          Just because I'm paranoid doesn't mean they aren't out to get you.

          (He says, from his satellite connected hide-away in rural Alberta, 500 km from the nearest chunk of American soil)

      • Exactly. This has been standard practice by me. All it took was one person to bring in their own wireless router with RIP enabled and broadcasting. That router exchanged routes with my routers and it caused quite a bit of confusion. Since then, it's been all OSPF with authentication and ACLs on my corporate network.
      • Probably because of the price of the upgrade, they are like the oil companies....
        "Yes..let's make billions of dollars PROFIT each year, but never upgrade our infrastructure, or even remotely maintain it...or even just build another few plants just in case hurricanes wipe out our Texas locations again...no,no,no...let's just keep things the way they are, and justify why we have total control to up the gas price at will, when ever we want just because my grandmother sneezed!"

    • Re: (Score:1, Informative)

      by Anonymous Coward

      This would apply to the backbone of the internet.
      BGP is a different kind of routing protocol compared to others.....
      You have two varient iBGP (internal) eBGP (external), eBGP is the one used for internet traffic.

      With BGP, there is no real knowledge where particular networks are.....they just hand off traffic to the next Autonomous Domain or AS (Autonomous System) that will get the traffic to the right place.

      So that is the fear with the protocol, people can go out there and start setting up the protocol in A

  • by dmomo (256005) on Thursday January 15, 2009 @10:06PM (#26477541) Homepage

    I don't know much about security and cost, but the 600k does indeed seem fairly small to me for something like this. Even 2.x million seems like a sizzle in the pan. Can anyone speak to the costs involved?

    • You're failing to take into account the 2-3 times the project will be extended and the quadrupling in cost. That's just SOP for a government contract. Sad, but true.

    • That costs a lot less than rolling out new hardware/software.
    • Re: (Score:1, Offtopic)

      by isBandGeek() (1369017)
      You're right. Compared to the size of the recent bailout, 600k is a drop in the bucket. Even 100x this would still be almost trivial for the government.
    • > Can anyone speak to the costs involved?

      Salaries, obviously. Sounds like a couple of guys are going to study the problem full-time. How many women would you assign to the task of gestating that baby?

    • by Morty (32057) on Thursday January 15, 2009 @11:42PM (#26478201) Journal

      They're talking about funding research, not deployment. RTFA. The dollar amounts in question sound about right.

      Note also that this goes way beyond SSL. This is not about identifying your BGP peers -- that's a relatively simple problem that can easily be solved with MD5 [or one of the hash algorithms that is replacing MD5, since MD5 is problematic.] This is about validating that your BGP peers have the right to announce what they are announcing. This is a much harder problem than SSL.

      That is, let's say you have a router that peers with $someco's router. It's easy to use MD5 [or replace it with something better] so you are sure that you are talking to $someco's router. It might also be possible to set up SSL instead, so you are even more sure you are talking to $someco. But even if you know you are talking to $someco, how do you know you can trust what $someco is telling you? What if $someco's router says it's a good path to get to a chunk of address space that belongs to $otherco -- should you believe it? BGP is full of settings that let you limit how much you trust your peers, but how do you know what you should set them to? Note that this is not a simple question of "is address space X associated with the $someco that is announcing it" -- even if address space X belongs to $otherco, it's possible that $someco is a legitimate transit network rather than a malicious third party.

      Sounds like DHS is funding research to try to solve this.

      This is somewhat different than the DNSSEC push. The DNSSEC effort is looking to deploy an existing but unpopular technology across the US federal government. The BGPSEC effort seems to be about creating a new technology for possible future deployment.

      • by dmomo (256005)

        Thank you. I have to admin, reading the fa, my eyes kind of glazed over! Your post was easier to digest.

      • Re: (Score:3, Informative)

        by m0i (192134)

        It exists already, it is called a routing registry. The most famous is RADB [radb.net] but they can use IRRd [irrd.net] to have their own private version (which they probably do already).

        • by jmilne (121521)

          Do you really trust the routing registry? And I'm talking about more than just using an SSL cert to verify their information. How frequently do they update their entries? I saw a number of problems dealing with RADB when I worked at Sprint a few years back. Customers get assigned blocks that used to be assigned to other customers, and RADB didn't always reflect that change in usage in a timely manner.

          That's where your money's going to go. Creating a secure registry, and the infrastructure to handle the amou

  • put all the top workers under full secret service protection and don't fire any one or will may see a under siege 2.

  • router signing (Score:2, Offtopic)

    by Speare (84249)
    [tinfoil] Sure, and adding signatures to all routers couldn't possibly be trying to make Thomas Paine [lulu.com] roll over in his grave, now, could it? [/tinfoil]
  • Just imagine... (Score:1, Redundant)

    by msimm (580077)
    A few short years ago we managed to live without the DHS and now we accept them like we don't foot the bill. Just another group of people sucking tax dollars off the American people in the name of protection.
    • > A few short years ago we managed to live without the DHS...

      I have no love for the DHS, but it was created by smushing a bunch of existing agencies together. They do little that wasn't being done before. In their absence this work would probably be being funded by one of the agencies that was destroyed to create them.

    • In the grand scheme of things a million a year isn't something to bitch about. I mean the... 'defense acquisition university' gets 120million... We spend 16billion dollars to fight IEDs. We spend 430million for 'polar research' ... The office on violence against women gets 280million. Oh and my favourite 9.7Billion freaking dollars for air traffic control. Honestly that could be done by computers for several million dollars.

      Really we should pay everyone there a million dollars a year just b

      • Re: (Score:3, Insightful)

        by Detritus (11846)

        Oh and my favourite 9.7Billion freaking dollars for air traffic control. Honestly that could be done by computers for several million dollars.

        That might pay for a requirements analysis, but that's about it. A real system is going to be much more expensive.

        • Keeping track of and navigating a few million planes could be done on one server if it was well coded. Which would really cost like 500,000. I'm sure there are a bunch of other things that need doing but i'm so far off of 10billion that i've no idea how they got it that high.

          • Keeping track of and navigating a few million planes could be done on one server if it was well coded. Which would really cost like 500,000. I'm sure there are a bunch of other things that need doing but i'm so far off of 10billion that i've no idea how they got it that high.

            You're living up to your name?

            Let's talk about some of the issues:

            - Radar is an inexact medium of information. Transponders help a lot, but they only have 4 digits and can be disabled or break. GPS transponders (where the aircr
          • Are you serious? You want one, crash prone, computer to manage all air traffic in the skies of the United States? You realize that this computer would be tracking millions of objects a second, in a three dimensional space, analyzing all of their current courses for collisions in the next say 5-10 minutes (you wouldn't want to cut it closer than that and honestly even more warning that that would be good), scheduling take-offs and landing from thousands of airstrips, accepting interrupts for emergency requ

            • Lol well obviously It'd be redundant but keep in mind the price tag is still .005% of what is currently being spent. Make the system as big and redundant as you want 10x what i said.... .05%. And the processing isn't that bad, they are just paths in 3d space which computers are very well equipped at figuring out. Especially GPUs and such.
              For emergency situations they have coded numbers for situations like cops and everyone else. If there is a misunderstanding then it can be bumped instantly to a human (if c

              • Computers already track the planes. Most airports past "decent" sized and even a lot of small ones have computer assistance for the air traffic controllers. Planes can be tracked based on transponders and even GPS in some cases. People are still necessary for everything else though. Not all planes (especially small personal planes) are equipped with transponders, and fairly few are equipped with GPS transponders. Radar at most airports is not sensitive enough for exact locations, so eye balls are still

  • by nwssa (993577)
    Most troubling is that problems like these were basically known about for years but nothing is done until after threats are displayed at sec conferences.
    • by Iowan41 (1139959)
      Maybe it took them this long to get the backdoors and packet tracing software into the router upgrades.
  • by Anonymous Coward

    The U.S. federal government is accelerating its efforts to secure the Internet's routing system

    Did I miss something?

    I thought China had all the control.

  • A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.

    That's the name of a set of protocols [wikipedia.org] that predates the DHS, not their effort.

    • Re: (Score:1, Troll)

      by geekmux (1040042)

      A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.

      That's the name of a set of protocols [wikipedia.org] that predates the DHS, not their effort.

      Wow, the RFC that DNSSEC is based on is only 10 years old, so moving at the speed of .gov, they're "right on time". Punctual bunch, aren't they?

      And what's this "they're calling it DNSSEC" crap? Damn 10-year old RFC and they're prancing around like they came up with the idea 3 months ago. Who's in charge of this, Al Gore? It would make sense, I mean after all, he invented the Internet, right?

      • Re:DNSSEC (Score:5, Informative)

        by Morty (32057) on Friday January 16, 2009 @12:45AM (#26478563) Journal

        They're not claiming that they invented it, they're just trying to help it along. While DNSSEC has been around a while, the overwhelming majority of zones, including the root zone and .com, are not signed yet. It may look like the US government is late to the party, they're actually ahead of most of the US commercial sector on this one.

        So how does this "bolster" DNSSEC? Answer: the government is hoping that a large-scale implementation by a major buyer will push vendors to properly support DNSSEC. Many vendors don't support DNSSEC at all, or only support part of it; Microsoft, for example, only has minimal DNSSEC support. How do you think vendors will respond when .gov customers start telling them "we can't buy your product because it doesn't support DNSSEC. We'll have to go with one of your competitors."

        RTFA.

        • by slydder (549704)

          ... the government is hoping that a large-scale implementation by a major buyer will push vendors to properly support DNSSEC. Many vendors don't support DNSSEC at all, or only support part of it; Microsoft, for example, only has minimal DNSSEC support. ...

          and there is good reason why it's a 10 year old technology that is still not widely available.

          because the idea is flawed and doomed to failure or will force the big players to invest a lot more in infrastructure than is actually needed for a protocol such as DNS.

          whatever idiot came up with the idea of adopting DNSSEC now should be slapped and sent back to school. afterwards we should get on with adopting DNSCURVE and be done with until a more permanent and secure solution is available.

          • by slydder (549704)

            oh. and almost forgot. I just HOPE that BGPSEC, in whatever form it takes in the end, is a better idea than DNSSEC or we could just forget that as well.

    • by jd (1658)

      I was beginning to wonder if the IETF had been bought up or kidnapped by the DHS. That would explain where this "plot" business comes in, anyway.

  • This is what we need. I am glad that action is being taken on the router and DNS vulnerabilities. These are very serious issues that are a danger to everyones security and privacy. Especially rerouting attacks for download and software is a perfect way to redirect users into downloading virus loaded software, and into giving confidential information to fake websites. Its about time something is done to improve the security of these systems, and they are doing the right things it appears by addressing true t

    • Re: (Score:3, Informative)

      by jd (1658)

      Well, yes, it is about time. Especially as the actual protocols needed were defined a long time ago. (To give you a frame of reference, the DoD were releasing Open Source IPSEC implementations in 1997. Ok, that specific protocol wasn't finalized at that point, but that tells you when the Government was sufficiently capable of and expert at encrypting router communications that they'd admit to it.)

      That BGP, DNS and other mission-critical protocols aren't secure even twelve years later says a lot for the extr

  • we really want to use new protocols from the government. They may put "warrantless wiretap" capabilities in...

    • by darkonc (47285)
      We're not just talking about the government. This is Homeland Security -- the group that repeatedly got a D- on their network security. .... and these guys want to tell the rest of the internet how to secure their protocol against some serious hackers?

      The fact that they may actually want to add backdoors to the protocol doesn't help their case that much.

    • May?

      Are you sure it's not already in place?

  • Made in China (Score:2, Interesting)

    by binaryseraph (955557)
    So does that mean we are going to buy MORE fake routers [zdnet.com.au] from china with hardwired security issues?
  • Reads made in China Laughs
  • Now all they have to do is upgrade that damn firewall protecting our air traffic, water distribution, and electrical generation control systems. It's only a matter of time before terroraxxors take over our country and crash planes into each other!

  • I was wondering when they were going to start this. There was a lot of discussion about this a coupl years ago. One of the best ways to upgrade security on the net is to upgrade the routers. You can actually do a lot there, including an easier method to track and stop attacks at their source, as well as identify the originating machines. I hope there is more to the upgrade then stated there. It would be expensive, and some would probably say that there may be some constitutional issues. Hopefully they

Truly simple systems... require infinite testing. -- Norman Augustine

Working...