
Feds Plot Massive Internet Router Security Upgrade

BobB-nw writes "The U.S. federal government is accelerating its efforts to secure the Internet's routing system, with plans this year for the Department of Homeland Security to quadruple its investment in research aimed at adding digital signatures to router communications. DHS says its routing security effort will prevent routing hijack attacks as well as accidental misconfigurations of routing data. The effort is nicknamed BGPSEC because it will secure the Internet's core routing protocol known as the Border Gateway Protocol (BGP). (A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.) Douglas Maughan, program manager for cybersecurity R&D in the DHS Science and Technology Directorate, says his department's spending on router security will rise from around $600,000 per year during the last three years to approximately $2.5 million per year starting in 2009."
  • Re:+1 Funny! :) (Score:5, Insightful)

    by guruevi ( 827432 ) on Friday January 16, 2009 @12:20AM (#26478447)

    then IANA could ask various NICs to revoke the Certificates of AS's that do dodgy things

    Sounds like a great way to implement censorship or force traffic to follow certain (compromised) routes. Simply say: Wikipedia does something dodgy, they allow free speech and free information, let's revoke their cert (since IANA can be controlled by a government).

    The biggest 'problem' with all these 'old' protocols like DNS, SMTP, TCP/IP... is that they were built primarily (by the military) for allowing decentralized communication protecting against massive failures (due to atomic bombs) and secondarily (as soon as the academics jumped on) to allow free communications, free speech and research (science) to flourish through open, decentralized, ungoverned communications (the message will get there one way or another) and censorship would be treated as damage and routed around.

    The 'problem' is that free speech also includes spam and other 'nasty' things to go through. To protect against that you need to start censoring the communications channels. As soon as you do that you destroy the original purpose of the Internet for what? Terrorists? Children? Hackers? Not really, the only people that would be able to successfully pull that off (rerouting major traffic through their own DNS or BGP-routers) against a clean subnet would have to be large enough to influence your life or make you do what they want without being deceptive which are currently, the ones that own the lines (but they won't do it because they would instantly lose their business) on the other hand they would like to clean house so they can oversell even more without adding capacity and governments (which have proved they will do anything to remain in control no matter the legality).

    Don't give up your free speech and the open nature of the Internet just because you are inconvenienced. If you are really inconvenienced by spam, just let the machine learn to ignore it. My mail server is set up to do so and there are wonderful tools that help you with that.

  • Re:It's a plot! (Score:5, Insightful)

    by X0563511 ( 793323 ) on Friday January 16, 2009 @12:21AM (#26478449) Homepage Journal

    OK smartass...
    I'll give you a BGP packet, and you have to replace it with another working BGP packet (with addresses that you want) that has the same hash.

    Go ahead. I'll wait for you. Well, not really - I'm sure the universe will reach heat-death before you find one.

    Now, assuming you do find one... find some for the whole communication. Also, you only have a few milliseconds to do it.

    Starting to sound difficult?

    Don't spout off bullshit when you KNOW you have no idea what you are talking about.

  • Re:+1 Funny! :) (Score:5, Insightful)

    by Klootzak ( 824076 ) on Friday January 16, 2009 @12:55AM (#26478605)

    Sounds like a great way to implement censorship or force traffic to follow certain (compromised) routes. Simply say: Wikipedia does something dodgy, they allow free speech and free information, let's revoke their cert (since IANA can be controlled by a government).

    Preaching to the converted here my friend...

    I immediately thought of this topic [theage.com.au] when I was reading the BGP article and thinking about the implications of a hierarchal structure (incidentally, they can pretty much "disconnect" direct connections between each other NOW if they want to... but of course we can route around it, if required - adding encryption/PKI doesn't make all that much of a difference if people don't enforce it).

    See, Governments are still duking it out (Diplomatically and Militarily) while their populations talk to each other on the net' - the wonderful thing about this is I can talk to you, not knowing if you're White, Black, Green, Yellow, Blue, Purple, Male, Female, American, French, Canadian, Belgian or Martian... if you call me an idiot, I can't say "You called me an idiot because I'm (insert racial/gender type here)", well, I CAN, but you can reply... "I didn't know that, but I still just think you're an idiot!".

    The concept of a Worldwide Global Communications network with almost ubiquitous availability is something we really haven't had for a long time, it's going to take the Governments of the world a bit of time to get their head around it... Personally I think the Politicians/Diplomats of the world should read The Truth [wikipedia.org] by Terry Pratchett (if they haven't already), as it has a lot of similar concepts regarding local, social, and geo-political issues in it, just with a different "new" Technology.

  • Re:Just imagine... (Score:3, Insightful)

    by Detritus ( 11846 ) on Friday January 16, 2009 @01:22AM (#26478741) Homepage

    Oh and my favourite 9.7Billion freaking dollars for air traffic control. Honestly that could be done by computers for several million dollars.

    That might pay for a requirements analysis, but that's about it. A real system is going to be much more expensive.

  • Woah, boy! (Score:3, Insightful)

    by mcrbids ( 148650 ) on Friday January 16, 2009 @03:54AM (#26479383) Journal

    Ease off that hair trigger a bit, eh?

    I think you missed something rather fundamental - in the case of PP "dodgy" behavior meant doing illogical things with routing paths, not publishing unpopular or dissenting content!

  • Re:It's a plot! (Score:4, Insightful)

    by nabsltd ( 1313397 ) on Friday January 16, 2009 @12:07PM (#26482701)

    Not too long ago, this MD5 crack [events.ccc.de] allowed a trusted SSL CA cert to be created.

    Although it's not "in the wild", the listed steps are such that pretty much anybody can do the same thing today. Plus, the actual hack required using real, live CA servers, and not just lab systems.
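The two "It's a plot!" comments above rest on different hash properties: replacing a given packet with another of the same hash is a second-preimage search, while the MD5 CA result was a collision between two messages the researchers chose themselves. The sketch below is an added example, not part of any comment or of BGPSEC; it uses a toy digest (SHA-256 truncated to a few bits) and constructed announcement strings to show how differently the two searches scale.

```python
import hashlib

# Constructed sample message (documentation prefix and AS numbers), not real BGP.
VICTIM = b"ANNOUNCE 192.0.2.0/24 path 64500 64501"

def trunc_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data): a deliberately weak toy digest."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def second_preimage(target_msg: bytes, forged_prefix: bytes, bits: int):
    """The target is fixed by someone else: match its digest (~2**bits tries)."""
    want = trunc_hash(target_msg, bits)
    tries = 0
    while True:
        candidate = forged_prefix + str(tries).encode()
        tries += 1
        if candidate != target_msg and trunc_hash(candidate, bits) == want:
            return candidate, tries

def collision(prefix_a: bytes, prefix_b: bytes, bits: int):
    """Both messages are free to vary: birthday search (~2**(bits/2) tries)."""
    seen_a, seen_b = {}, {}
    tries = 0
    while True:
        a = prefix_a + str(tries).encode()
        b = prefix_b + str(tries).encode()
        tries += 1
        ha, hb = trunc_hash(a, bits), trunc_hash(b, bits)
        seen_a.setdefault(ha, a)
        seen_b.setdefault(hb, b)
        if ha in seen_b:          # this A-message matches some B-message
            return a, seen_b[ha], tries
        if hb in seen_a:          # this B-message matches an earlier A-message
            return seen_a[hb], b, tries

if __name__ == "__main__":
    bits = 16
    _, sp = second_preimage(VICTIM, b"ANNOUNCE 192.0.2.0/24 path 64510 pad=", bits)
    _, _, col = collision(b"request-A pad=", b"request-B pad=", bits)
    print(f"{bits}-bit digest: second preimage after {sp} tries, collision after {col}")
```

Each extra digest bit doubles the second-preimage work but adds only half a bit to the collision work, which is why a signing scheme depends on the collision resistance of its hash whenever the party requesting the signature influences the signed content.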
