If you're looking for the really serious security issues to address, ones that might need government help, securing BGP should be on the short list.
If you were in charge of the nation's cyber-security what would you
focus on? One really scary problem that doesn't get enough attention is
the insecurities in BGP, the router protocol of the Internet. BGP has
been getting some attention as of late from Homeland Security, but it's
still way down the list of sexy computer problems.
The Obama administration has begun its promised cyber-security initiative by appointing Melissa Hathaway to the National Security Council
from where she will head the effort. Hathaway will begin with a 60-day
review of the Bush administration's five-year, $30 billion
Comprehensive National Cyber Security Initiative, which she helped to
develop. During the campaign Obama promised
that he would "make cyber-security the top priority that it should be
in the 21st century. I'll declare our cyber-infrastructure a strategic
asset, and appoint a national cyber-adviser, who will report directly
to me." Hathaway will be a few rungs down the ladder from that, but one
hopes she has real authority anyway.
Many of you may have wondered from time to time about the big
attacks we don't discover. The really sophisticated cyber-attacks go
unnoticed, with all their tracks covered up at the end. I'm sure such
attacks occur, especially in espionage where you are only collecting
information and not causing any real damage. And I would bet that these
unnoticed attacks use BGP injection.
Hardening the BGP infrastructure was on the agenda at the Department of Homeland Security recently
We're all a little more familiar lately with DNS cache poisoning, which
enables DNS spoofing, but BGP spoofing is even worse. There's
essentially no defense against it. If I execute a well-designed spoof I
can impersonate anything on the Internet. You may have no way to tell
About a year ago, overreacting in an effort to disable some YouTube videos, Pakistan Telecom used BGP injection to spoof YouTube
in order to block access to it inside the country. It's an interesting
enough story just for what it says about the actors involved, but it
shows the power of BGP abuse. Pretty much anyone in Pakistan who went
to YouTube connected instead to a different page with some message
about it being unavailable.
I should note that DNSSEC is also an important initiative that deserves government attention. It has gotten some, even if they are running behind schedule on it
DNSSEC works by using public key cryptography to let clients verify the
identities of DNS servers they deal with. The need for DNSSEC became
more clear last year after the revelation of the Kaminsky bug
The main ideas for how to fix BGP work along the same lines: use PKI
and sign router communications. Some are calling it BGPSec, some RPKI.
Geoff Huston of APNIC says of the problem:" All these attacks rely on
one feature of BGP: the ability for a party to 'lie' in routing and for
the lie to propagate across the entire network and not be readily and
automatically detected as a lie. The RPKI is an essential component of
a mechanism that allows such routing lies to be readily identifiable by
everyone else using automated processes"
DNSSEC has been around for about 10 years and has barely eeked into
the real Internet. RPKI is far behind that. Unlike DNSSEC, there isn't
a standard or even an agreed-upon approach. Steve Bellovin of Columbia University
, one of the experts on this subject, notes that there are two primary secure BGP proposals and neither has consensus behind it
Bellovin thinks that both proposals are flawed and that a better one
may be needed. If this is an area where DHS money could help, then it's
time to open the taps and let the money flow.
I wonder whether an opportunity was missed in recent years, in that routers have recently begun adding support for 32-bit ASN numbers
Each network on the Internet has a unique identifying number. Until
recently these were 16-bit integers, but this pool will run out soon,
so the IANA began distributing 32-bit ASN numbers. It would have been
nice if a secure BGP spec had been available to add at the same time.
If I'm expecting the federal government to focus only on the really
big problems then this is one of them. If the Obama administration
makes cyber-security progress on nothing but DNSSEC and securing BGP
then they will have done a good job.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.