Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Networking Encryption Security

Why Is It Taking So Long To Secure Internet Routing? 85

CowboyRobot writes: We live in an imperfect world where routing-security incidents can still slip past deployed security defenses, and no single routing-security solution can prevent every attacks. Research suggests, however, that the combination of RPKI (Resource Public Key Infrastructure) with prefix filtering could significantly improve routing security; both solutions are based on whitelisting techniques and can reduce the number of autonomous systems that are impacted by prefix hijacks, route leaks, and path-shortening attacks. "People have been aware of BGP’s security issues for almost two decades and have proposed a number of solutions, most of which apply simple and well-understood cryptography or whitelisting techniques. Yet, many of these solutions remain undeployed (or incompletely deployed) in the global Internet, and the vulnerabilities persist. Why is it taking so long to secure BGP?"
This discussion has been archived. No new comments can be posted.

Why Is It Taking So Long To Secure Internet Routing?

Comments Filter:
  • by NFN_NLN ( 633283 ) on Tuesday September 16, 2014 @07:24PM (#47922897)

    The internet is in production. No one wants to touch anything that's already in production unless they literally can't make it any worse.
    Otherwise we would have IPv6 as well.

    • by Anonymous Coward

      Exactly. The point of the Internet is to interconnect. If you introduce a new, incompatible protocol (more secure though it may be) and refuse to accept updates via the old one, you risk depeering on a massive scale. Remember when the global routing table tipped the scales? And how people freaked out because they couldn't watch their favorite cat video - or conduct meaningful e-commerce? Yeah, expect that type of reaction x 1 million while every major ISP figures out how to rebuild the Internet from scra

      • by Bengie ( 1121981 )
        Yeah, thanks Verizon. They just had to suddenly public their huge number of internal routes and crash the Internet.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      BGP works just fine as is.
      Problem is, the operators are stupid and screw up their filters, configs, and management systems, and just fatfinger stuff.
      And they're still going to keep on doing that whether you drop elite PKI and whatever other sort of overhead you want on them.
      It's the operators, not the technology.

      • by gweihir ( 88907 )

        Indeed. Also, a medium-sized ISP head of network engineering once told me "most non-peering traffic is default route anyways". BGP seems to be used mostly internally and by some enterprising individuals. Might be the reason why we have seen only very few BGP based attacks. An they have a high risk of being detected immediately, while attackers that invest time (as opposed to automated attackers) want to be detected as late as possibly and preferably never. I mean, even adding a single hop with a BGP attack

        • Also, a medium-sized ISP head of network engineering once told me "most non-peering traffic is default route anyways".

          Your "medium sized ISP" is a cheapskate. Either they have only one upstream or they have multiple upstreams but aren't really taking advantage of the resiliance it gives them.

          BGP seems to be used mostly internally and by some enterprising individuals.

          BGP is how all the major internet providers exchange routes with their customers, upstreams and peers.

          A cheapskate ISP may chose to ignore the BGP information from their upstream(s) and use default routes instead. This means they can use cheaper routers but it means if they have more than one upstream they can't determine which upstrea

    • by dnavid ( 2842431 )

      The internet is in production. No one wants to touch anything that's already in production unless they literally can't make it any worse. Otherwise we would have IPv6 as well.

      Lots of people want to touch production systems. In the case of the internet and BGP, however, evolution has weeded out the people who like to touch production systems, and the only people with administrative rights are still getting over having to support 32-bit AS numbers and wondering where their pet dinosaur went.

  • trust (Score:5, Insightful)

    by dremspider ( 562073 ) on Tuesday September 16, 2014 @07:34PM (#47922967)
    Most of these solutions require some sort of central authority to manage the security of all the routes. Sounds great until you realize that there is no one that all the users of the Internet can trust. I am not even sure that users can trust their own governments to manage this without exploiting users for the sake of surveillance let alone other countries trust one another. If you can't trust one another the best thing to do is remain insecure but watch each other like hawks for any foul play.
    • "So from now on I guess the operational phrase is 'Trust no-one.'" "No. Trust Ivanova, trust yourself, anybody else: shoot them."
      • Have you ever surfed the Net Bro?

        You should be doing the Trust Ivanova, Trust yourself and shoot everyone else to begin with.

        If you trust the net your data will be copied. whether you want it to be or not.

    • Re: (Score:2, Interesting)

      by BradMajors ( 995624 )

      An untrusted central authority is better than no security.

      • Re:trust (Score:4, Insightful)

        by WaffleMonster ( 969671 ) on Tuesday September 16, 2014 @11:35PM (#47924105)

        An untrusted central authority is better than no security.

        Peers have to trust each other to act rationally. Filtering and sanity checking of crap from your downstreams and maintenance of physical links with rational actors whom you trust to act professionally is worth more than central authorities.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      I agree and would add that most of the "security" practices so far have actually made the Internet much less robust. Egress filtering to block spoofing has made routing an ISP-only privilidge, and a legal risk to everyone else. Port blocking and ISPs' "for your protection" firewalls have made the network useless for telephony, to name only one application. QoS and buffering have increased latency.

      Long story short, it's better to have a fluid network with distributed authority than a centralized and fragile

    • Erm where the hell do you think the IP's come from? Yep the central internet registries. APNIC, RIPE, AfriNIC, LACNIC and ARIN.

      There is your trusted central authorities. If you don't trust them then hand your IP's over.

      • by Gr8Apes ( 679165 )
        I only have to trust them to hand out the IP once. That's all, certainly not with any other details.
        • The only issue here is people saying they control IP's that they don't own.

          If everyone trusts these organisations to give out IP's then tying BGP filtering to that is a logical extension.

  • which means they are bought and used for many years if not a decade or longer
    your $50 or whatever you pay your ISP a month is not enough to afford new equipment every year

    • by jd2112 ( 1535857 )

      which means they are bought and used for many years if not a decade or longer your $50 or whatever you pay your ISP a month is not enough to afford new equipment every year

      It would be, but bribing a bunch of congressmen and FCC officials takes a big chunk out of the budget.

    • by Bengie ( 1121981 ) on Tuesday September 16, 2014 @09:13PM (#47923535)
      You're just talking about BGP, which is done in software. A quick update will allow nearly all hardware that uses BGP to support the new protocol, assuming the code is small enough to fit in the firmware.

      And what do you mean by edge routers? You mean the last mile or for peering? My ISP pays Level 3 to handle peering. If you're talking about last mile, then your ISP should have invested into fiber, which is easily and cheaply upgraded. At $100/port for a 500-1gb port chassis that can support 3tb/s, it's not that expensive. How long does it take to pay off $100? Actually, network equipment represents about 40% of an ISP's costs, the bulk of the cost is in customer support. Phone centers are expensive with an average cost of $1/minute that a customer is connected. A single truck roll can cost an ISP much much more.
      • by dgatwood ( 11270 )

        I keep thinking that if an ISP really wanted to cut costs, they could proactively monitor their network for problems:

        • Provide the CPE preconfigured, at no additional cost to the customer. (Build the hardware cost into the price of service.)
        • Ensure that the CPE keeps a persistent capacitor-backed log across reboots. If the reboot was caused by anything other than the customer yanking the cord out of the wall or a power outage, send that failure info upstream. Upon multiple failures in less than a few week
  • When it comes down to it, the main reason is cost. Telcos (or any big business) HATE spending money, and if they feel they can get away without doing so they will.
  • by Greyfox ( 87712 ) on Tuesday September 16, 2014 @08:44PM (#47923403) Homepage Journal
    How much financial penalty is there for having insecure routes (or routers?) Hmm... None, basically. Ok. How much is this upgrade going to cost? Wow...that much? Well, there's your problem!
    • by Bengie ( 1121981 )
      Depends on your customers. If you're a transit provider and your customer has an SLA that states 100% uptime and 1ms jitter and your insecure routing causes the route to become longer and the jitter goes above 1ms, suddenly you're paying your customer for not meeting the SLA.
      • Afaict ISP SLAs only cover the quality of the route to the ISPs border, what happens to the traffic beyond that is not (and can't really be) specified.

        If you want "100% uptime and 1ms jitter" to a specific place then you buy a direct connection to that specific place you don't use the internet. If you want "100% uptime and 1ms jitter" to the whole internet that is not going to happen.

  • by statemachine ( 840641 ) on Tuesday September 16, 2014 @09:15PM (#47923545)

    Except "Attacker" in this case is the administrator at the peer, and the peers are entire companies, multinationals, and governments. We're not talking about your average basement-dweller script kiddie.

    If your peers are messing with you, or their peers are messing with them, how do you defend against an attack where the whole system is based on trust?

    You could go to a no-trust solution, but then that would need a central authority that would need to pre-calculate all the routes from every single AS. If a route breaks, that'll be slow to adjust to a backup route. If a new route needs to be added, the ISP would need to apply to a central authority with bureaucracy and red tape.

    If a route needed to be blackholed because of a DDOS, and that action had to be approved of by a central authority, which could take days to weeks for a ruling, nothing could be done because routers would not accept changes to any route until then.

    Essentially, the answer to security is to effectively lock out the AS ISPs from their own routers.

    You either trust the AS administrators or you don't. And since they're humans, they'll make mistakes, be malicious, or be affected by politics. This won't be solved by (trusting) a central bureaucracy similar to the UN, at least not in a manner you'll prefer.

    • by DarkOx ( 621550 )

      The thing is AS admins have been lazy. Broadly speaking I agree with what you have to say and I agree a central authority would very likely cause more problems than it solves. AS admins do need to take a middle ground though, and implement some route filters. For instance if you have a route that sits on transpacific cable in California you should probably be filtering routes with at least a few broad rules like; !ARIN

      A little direction for a central authority like IANA that laid down some rules like fil

    • by sjames ( 1099 )

      Or, you go with signed routes. That is, you use a public key system to prove that you have the right to broadcast a route for a particular subnet.

      In practice, it will probably mean some router upgrades. No more router cpus that were considered a bit underpowered for a calculator in the '90s. However, as an interim measure, it could be used to set some BGP filters to limit the potential damage.

    • If a route needed to be blackholed because of a DDOS, and that action had to be approved of by a central authority, which could take days to weeks for a ruling, nothing could be done because routers would not accept changes to any route until then.

      Why would you need permission to blackhole a route?
      The problem is adding good routes, not dropping bad ones.

    • You could have a system of signed routes. When you pass a route to an upstream you would add a signed statement to that affect to the route. When receiving a route from a customer or peer you would check for a valid chain of signatures leading from the owner of the IP block to the entity sending you the route.

      Obviously you'd still have to trust your upstreams but you can't really avoid that. You'd also have to have some kind of central database that recorded the owners of IP blocks and the corresponding pub

  • by BitZtream ( 692029 ) on Tuesday September 16, 2014 @10:20PM (#47923843)

    Its not actually a problem, thats why. The submitter doesn't actually understand what he's suggesting and why the current method of dealing with this issue works fine.

    You know who is doing the damage and 'attacking' you, they are easy to identify, and you just stop talking to them. They're only going to connect to a relatively small number of people so disconnecting bad players is trivial, then you never talk to them again. They bare the cost of having all the money invested in setting up the original connections they used to 'attack' with being lost. And lets be clear, BGP attacks aren't done via virtual connections, they're done across physical connections so you know EXACTLY who is doing them and which cable to unplug to solve the problem.

    Do you upgrade every router running BGP, or just turn off the 2 connections to the bad guy? Its just not worth the effort to 'fix the problem' with a technical solution when good old fashion common sense tactics work just as well and for far less cost (read: effort for everyone involved) Even if it were a major backbone provider, the number of connections to cut is still trivial compared to even upgrading all the routers that the single largest backbone providers connect to.

    This is a stupid question to ask and just illustrates not understanding the actual problem. The costs of 'fixing' the problem technical FAR outweighs the benefits of doing so (not having to manually disconnect troublesome players).

    • Whats really bothersome is that so many of the comments hop on the "NSA thats why" or "corporate greed" bandwagons despite having no functional knowledge of the issue.

      Thought people here were supposed to be rationally minded geeks; guess not.

    • The costs of 'fixing' the problem technical FAR outweighs the benefits of doing so

      +1. We see this in so many cases where someone asks 'Why don't they fix this or that?'

  • There are more than 600 million Web sites, according to NetCraft. Who is going to maintain a list like that? It's going to cost a lot of money...who is going to pay for it? Who is going to have the power to decide who gets in, and who doesn't? What about appeals, for those who feel they have been unjustly removed from the list? What about opposing points of view? Does the US get to decide which Chinese sites get to be on the list, or vice versa?

  • The headline made me do a double-take. It's like asking "why is it taking so long to develop an invisibility cloak?" or "why is it taking so long to develop flying cars?".

  • 'Nuff said. Can't get shit done with his constant bullshit spouting.

  • I train massive numbers of people in BGP every year. The best would go for it. The average are just happy to peer and move on.

    IT completely lacks process. ITIL is a joke. People insist on wasting time doing the same thing over and over. The best networking companies I know with the absolute best people are rarely more professional than a bunch of script kiddies. The best of the best hack away on networking and routing like and orangoutang playing with a toy piano. Modern IT is rarely better off than a bunch

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...