Feds Plot Massive Internet Router Security Upgrade 101
BobB-nw writes "The U.S. federal government is accelerating its efforts to secure the Internet's routing system, with plans this year for the Department of Homeland Security to quadruple its investment in research aimed at adding digital signatures to router communications. DHS says its routing security effort will prevent routing hijack attacks as well as accidental misconfigurations of routing data. The effort is nicknamed BGPSEC because it will secure the Internet's core routing protocol known as the Border Gateway Protocol (BGP). (A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.)
Douglas Maughan, program manager for cybersecurity R&D in the DHS Science and Technology Directorate, says his department's spending on router security will rise from around $600,000 per year during the last three years to approximately $2.5 million per year starting in 2009."
Question for the experts (Score:4, Interesting)
Re:It's a plot! (Score:4, Interesting)
I guess it depends on whether they're planning on submitting an RFC, or just creating a new Sekrit Routing Protocol that only Unca Sam's buddies will know how to implement.
I dearly hope the DHS is at least smart enough to get this one right.
Re:It's a plot! (Score:4, Interesting)
This plan to upgrade router security is a plot? Are there some nefarious evil masterminds behind it?
Yeah, that sure put a negative spin on it, didn't it? Fact is, a good chunk of core Internet functionality continues to work only because nobody's yet made a concerted effort to break it on a significant scale. Eventually somebody will, either via a state-sponsored attack of some kind, or a tech-savvy terrorist outfit looking to make a name for itself (the two can't always be easily separated, when you get right down to it.) Either way, hardening this stuff is a good idea. Whether or not the Feds are doing to do it competently is another issue entirely.
Most troubling about this (Score:2, Interesting)
Re:It's a plot! (Score:5, Interesting)
I think it's actually referring to S-BGP [bbn.com]. I also thought it was just the MD5 signature option, but it's not.
Then again, one of the comments in TFA is that it won't require any new software or hardware to be installed, so maybe it IS just the MD5 option. The features didn't sound like it; it sounded like they were establishing a whole PKI.
+1 Funny! :) (Score:3, Interesting)
Couldn't you just not do that? Why do the Feds have to roll out a $600k program because of you? That is taxpayers money for gods sake!
I wouldn't do it (I don't even have an AS to play with anymore), and it's rather more complicated than my explination made out...
I think a possible way to implement this would be a Hierarchical model where IANA [iana.org] has a top-level certificate for the trust and then it signs each regional NICs certificate, and they sign AS's which sign their subnets, then IANA could ask various NICs to revoke the Certificates of AS's that do dodgy things (like advertise subnets that aren't theirs), still it would require alot more overheads in terms of processing and memory than BGP currently requires.
I should also mention, I haven't worked with BGP in around 7 years now.
Made in China (Score:2, Interesting)