Why Is It Taking So Long To Secure Internet Routing?
CowboyRobot writes: We live in an imperfect world where routing-security incidents can still slip past deployed security defenses, and no single routing-security solution can prevent every attack. Research suggests, however, that the combination of RPKI (Resource Public Key Infrastructure) with prefix filtering could significantly improve routing security; both solutions are based on whitelisting techniques and can reduce the number of autonomous systems that are impacted by prefix hijacks, route leaks, and path-shortening attacks. "People have been aware of BGP’s security issues for almost two decades and have proposed a number of solutions, most of which apply simple and well-understood cryptography or whitelisting techniques. Yet, many of these solutions remain undeployed (or incompletely deployed) in the global Internet, and the vulnerabilities persist. Why is it taking so long to secure BGP?"
It's a production system (Score:5, Insightful)
The internet is in production. No one wants to touch anything that's already in production unless they literally can't make it any worse.
Otherwise we would have IPv6 as well.
Re:It's a production system (Score:5, Informative)
And if you look at IPv6 BGP filtering is a lot better.
Re: (Score:3)
CEO Voice: "So you're saying if we *upgrade*, we get new *features*. I like what I'm hearing."
Re:It's a production system (Score:5, Insightful)
CEO Voice: "So you're saying if we *upgrade*, it will cost us money. I don't like what I'm hearing."
FIFY.
It's a production system (Score:1)
Exactly. The point of the Internet is to interconnect. If you introduce a new, incompatible protocol (more secure though it may be) and refuse to accept updates via the old one, you risk depeering on a massive scale. Remember when the global routing table tipped the scales? And how people freaked out because they couldn't watch their favorite cat video - or conduct meaningful e-commerce? Yeah, expect that type of reaction x 1 million while every major ISP figures out how to rebuild the Internet from scra
Re: (Score:2)
Re: (Score:2, Insightful)
BGP works just fine as is.
Problem is, the operators are stupid and screw up their filters, configs, and management systems, and just fatfinger stuff.
And they're still going to keep on doing that whether you drop elite PKI and whatever other sort of overhead you want on them.
It's the operators, not the technology.
Re: (Score:2)
Indeed. Also, a medium-sized ISP head of network engineering once told me "most non-peering traffic is default route anyways". BGP seems to be used mostly internally and by some enterprising individuals. Might be the reason why we have seen only very few BGP based attacks. And they have a high risk of being detected immediately, while attackers that invest time (as opposed to automated attackers) want to be detected as late as possible and preferably never. I mean, even adding a single hop with a BGP attack
Re: (Score:3)
> Also, a medium-sized ISP head of network engineering once told me "most non-peering traffic is default route anyways".
Your "medium sized ISP" is a cheapskate. Either they have only one upstream or they have multiple upstreams but aren't really taking advantage of the resilience it gives them.
> BGP seems to be used mostly internally and by some enterprising individuals.
BGP is how all the major internet providers exchange routes with their customers, upstreams and peers.
A cheapskate ISP may choose to ignore the BGP information from their upstream(s) and use default routes instead. This means they can use cheaper routers but it means if they have more than one upstream they can't determine which upstrea
Re: (Score:2)
> The internet is in production. No one wants to touch anything that's already in production unless they literally can't make it any worse. Otherwise we would have IPv6 as well.
Lots of people want to touch production systems. In the case of the internet and BGP, however, evolution has weeded out the people who like to touch production systems, and the only people with administrative rights are still getting over having to support 32-bit AS numbers and wondering where their pet dinosaur went.
Re: (Score:1)
How can government and LEOs surveil us if everything is locked down?
Yes
trust (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Have you ever surfed the Net Bro?
You should be doing the Trust Ivanova, Trust yourself and shoot everyone else to begin with.
If you trust the net your data will be copied, whether you want it to be or not.
Re: (Score:2, Interesting)
An untrusted central authority is better than no security.
Re:trust (Score:4, Insightful)
> An untrusted central authority is better than no security.
Peers have to trust each other to act rationally. Filtering and sanity checking of crap from your downstreams and maintenance of physical links with rational actors whom you trust to act professionally is worth more than central authorities.
Re: (Score:3, Insightful)
I agree and would add that most of the "security" practices so far have actually made the Internet much less robust. Egress filtering to block spoofing has made routing an ISP-only privilege, and a legal risk to everyone else. Port blocking and ISPs' "for your protection" firewalls have made the network useless for telephony, to name only one application. QoS and buffering have increased latency.
Long story short, it's better to have a fluid network with distributed authority than a centralized and fragile
Re: (Score:2)
Erm where the hell do you think the IPs come from? Yep the central internet registries. APNIC, RIPE, AfriNIC, LACNIC and ARIN.
There are your trusted central authorities. If you don't trust them then hand your IPs over.
Re: (Score:1)
Re: (Score:2)
The only issue here is people saying they control IPs that they don't own.
If everyone trusts these organisations to give out IPs then tying BGP filtering to that is a logical extension.
Edge routers are expensive (Score:2)
which means they are bought and used for many years if not a decade or longer
your $50 or whatever you pay your ISP a month is not enough to afford new equipment every year
Re: (Score:1)
Re: (Score:1)
> which means they are bought and used for many years if not a decade or longer your $50 or whatever you pay your ISP a month is not enough to afford new equipment every year
It would be, but bribing a bunch of congressmen and FCC officials takes a big chunk out of the budget.
Re:Edge routers are expensive (Score:4, Interesting)
And what do you mean by edge routers? You mean the last mile or for peering? My ISP pays Level 3 to handle peering. If you're talking about last mile, then your ISP should have invested into fiber, which is easily and cheaply upgraded. At $100/port for a 500-1gb port chassis that can support 3tb/s, it's not that expensive. How long does it take to pay off $100? Actually, network equipment represents about 40% of an ISP's costs, the bulk of the cost is in customer support. Phone centers are expensive with an average cost of $1/minute that a customer is connected. A single truck roll can cost an ISP much much more.
Re: (Score:2)
I keep thinking that if an ISP really wanted to cut costs, they could proactively monitor their network for problems:
Re: (Score:2)
First, I'm not talking about adding any additional gear. There's no reason that what I'm talking about can't be handled entirely in the DSLAM or head end or whatever and in the existing CPE hardware that talks to it.
Second, I wasn't really talking about changing the CPE for business customers with fiber connections anyway. They're not (usually) the ones who are constantly on the phone with tech support saying "The Internet is down" when really, they just accidentally unplugged something. I'm talking abo
Re: (Score:1)
Re: (Score:2)
The network was originally developed and used by the dept of defense to connect military bases in case of nuclear war. It later spread to academic as well as corporate presences.
I don't think you understand capitalism or socialism. Capitalism is an economic system based on the generation, purchase, sale, and ownership of property amongst private parties. Socialism is a government model that imposes itself on individual rights and choices for the sake of what the leadership thinks is the common good. The
Re: (Score:2)
Strawman.
Re: (Score:2)
The problem is, we're tipped over into corporatism where the net is controlled by a very few very large legal fictions that the courts insist are somehow people.
You worry about the bad old government censoring the net but forget to worry about the ISPs censoring the net.
I can't imagine why you think the overmetered network protects us from the market cornering legislation and the pompous asses. Without proper net neutrality, we get all of the above and nowhere to turn.
Re: (Score:2)
When you say "cruising on empty", how do you explain the huge number of top-tier tech companies that are US based? Intel, Apple, Microsoft, Red Hat, Google, nVidia, AMD, Qualcomm...
Dunno, I kind of think capitalism does quite fine at providing ideas. Let me know when everyone else catches up to Intel's current process tech, till then maybe we shouldn't write off capitalism as "cruising on empty".
Re: (Score:2)
They open offices overseas because they're global companies, not because the US sucks. If the US sucked they wouldn't be headquartered here.
Re:NSA Tampering (Score:4, Informative)
They don't have to. They have CALEA ports.
Re: (Score:3)
Only in the USA. In other parts of the world the NSA collaborates with like-minded agencies from allies like the UK and Germany, and in parts of the world that are unfriendly they do rely heavily on backdoors.
We ran out of IPv4. #1 OS is Android (Score:2)
> and then suddenly we completely ran out of IPv4 addresses, so everyone, even Microsoft, had no choice but to get moving on IPv6
Ftfy. Most computing devices sold in the last three years don't run Windows. Microsoft is now a minority player. Android is #1, iOS #2.
So which companies have influence? Android is the most popular operating system, so its support of IPv6 is important. Most end points that need new addresses get those addresses assigned by one of the major mobile carriers, while olde
Re: (Score:2)
In the consumer space yes. In the corporate world no-one's manipulating huge spreadsheets or writing 500 page legal documents on an iPad.
nor misusing spreadsheets where databases are need (Score:2)
> In the corporate world no-one's manipulating huge spreadsheets or writing 500 page legal documents on an iPad.
I'm guessing that in your corporate world, nobody HAS huge spreadsheets because they're putting the huge stuff in the RDMS where it belongs. iPads aren't the right tool for significant datasets, and neither is Excel. In my world, most people do not use the right tool for the job.
Cost (Score:2)
Well Let's See (Score:3)
Re: (Score:3)
Re: (Score:2)
Afaict ISP SLAs only cover the quality of the route to the ISP's border, what happens to the traffic beyond that is not (and can't really be) specified.
If you want "100% uptime and 1ms jitter" to a specific place then you buy a direct connection to that specific place you don't use the internet. If you want "100% uptime and 1ms jitter" to the whole internet that is not going to happen.
Attacker is your Peer (Score:5, Insightful)
Except "Attacker" in this case is the administrator at the peer, and the peers are entire companies, multinationals, and governments. We're not talking about your average basement-dweller script kiddie.
If your peers are messing with you, or their peers are messing with them, how do you defend against an attack where the whole system is based on trust?
You could go to a no-trust solution, but then that would need a central authority that would need to pre-calculate all the routes from every single AS. If a route breaks, that'll be slow to adjust to a backup route. If a new route needs to be added, the ISP would need to apply to a central authority with bureaucracy and red tape.
If a route needed to be blackholed because of a DDOS, and that action had to be approved of by a central authority, which could take days to weeks for a ruling, nothing could be done because routers would not accept changes to any route until then.
Essentially, the answer to security is to effectively lock out the AS ISPs from their own routers.
You either trust the AS administrators or you don't. And since they're humans, they'll make mistakes, be malicious, or be affected by politics. This won't be solved by (trusting) a central bureaucracy similar to the UN, at least not in a manner you'll prefer.
Re: (Score:2)
The thing is AS admins have been lazy. Broadly speaking I agree with what you have to say and I agree a central authority would very likely cause more problems than it solves. AS admins do need to take a middle ground though, and implement some route filters. For instance if you have a route that sits on transpacific cable in California you should probably be filtering routes with at least a few broad rules like; !ARIN
A little direction for a central authority like IANA that laid down some rules like fil
Re: (Score:2)
Or, you go with signed routes. That is, you use a public key system to prove that you have the right to broadcast a route for a particular subnet.
In practice, it will probably mean some router upgrades. No more router cpus that were considered a bit underpowered for a calculator in the '90s. However, as an interim measure, it could be used to set some BGP filters to limit the potential damage.
Re: (Score:2)
> If a route needed to be blackholed because of a DDOS, and that action had to be approved of by a central authority, which could take days to weeks for a ruling, nothing could be done because routers would not accept changes to any route until then.
Why would you need permission to blackhole a route?
The problem is adding good routes, not dropping bad ones.
Re: (Score:2)
You could have a system of signed routes. When you pass a route to an upstream you would add a signed statement to that effect to the route. When receiving a route from a customer or peer you would check for a valid chain of signatures leading from the owner of the IP block to the entity sending you the route.
Obviously you'd still have to trust your upstreams but you can't really avoid that. You'd also have to have some kind of central database that recorded the owners of IP blocks and the corresponding pub
Re: (Score:2)
If that was a serious question, and not trolling:
The in-addr.arpa DNS zone is used for reverse DNS.
Basically, you forward-map hostnames to IP addresses. At the same time, you can reverse-map IP-addresses to hostnames.
The forward mapping is done via 'A' records.
The reverse mapping is done via 'PTR' records, and it's done in the in-addr.arpa hierarchy.
How Many Nails Does it take to seal a coffin? (Score:1)
Nine.
Not a Problem, submitter doesn't understand (Score:5, Insightful)
It's not actually a problem, that's why. The submitter doesn't actually understand what he's suggesting and why the current method of dealing with this issue works fine.
You know who is doing the damage and 'attacking' you, they are easy to identify, and you just stop talking to them. They're only going to connect to a relatively small number of people so disconnecting bad players is trivial, then you never talk to them again. They bear the cost of having all the money invested in setting up the original connections they used to 'attack' with being lost. And let's be clear, BGP attacks aren't done via virtual connections, they're done across physical connections so you know EXACTLY who is doing them and which cable to unplug to solve the problem.
Do you upgrade every router running BGP, or just turn off the 2 connections to the bad guy? It's just not worth the effort to 'fix the problem' with a technical solution when good old fashion common sense tactics work just as well and for far less cost (read: effort for everyone involved). Even if it were a major backbone provider, the number of connections to cut is still trivial compared to even upgrading all the routers that the single largest backbone providers connect to.
This is a stupid question to ask and just illustrates not understanding the actual problem. The costs of 'fixing' the problem technical FAR outweighs the benefits of doing so (not having to manually disconnect troublesome players).
Re: (Score:2)
What's really bothersome is that so many of the comments hop on the "NSA that's why" or "corporate greed" bandwagons despite having no functional knowledge of the issue.
Thought people here were supposed to be rationally minded geeks; guess not.
Re: (Score:2)
> The costs of 'fixing' the problem technical FAR outweighs the benefits of doing so
+1. We see this in so many cases where someone asks 'Why don't they fix this or that?'
White list? Really? (Score:2, Redundant)
There are more than 600 million Web sites, according to NetCraft. Who is going to maintain a list like that? It's going to cost a lot of money...who is going to pay for it? Who is going to have the power to decide who gets in, and who doesn't? What about appeals, for those who feel they have been unjustly removed from the list? What about opposing points of view? Does the US get to decide which Chinese sites get to be on the list, or vice versa?
Why is it taking so long for flying cars? (Score:2)
The headline made me do a double-take. It's like asking "why is it taking so long to develop an invisibility cloak?" or "why is it taking so long to develop flying cars?".
APK is why it takes so long (Score:1)
'Nuff said. Can't get shit done with his constant bullshit spouting.
Why bother? (Score:2)
IT completely lacks process. ITIL is a joke. People insist on wasting time doing the same thing over and over. The best networking companies I know with the absolute best people are rarely more professional than a bunch of script kiddies. The best of the best hack away on networking and routing like an orangutan playing with a toy piano. Modern IT is rarely better off than a bunch