In the Obama Era, Routing Has to Change, Too

By Larry Seltzer  |  Posted 2009-02-13 Print this article Print

If you're looking for the really serious security issues to address, ones that might need government help, securing BGP should be on the short list.

If you were in charge of the nation's cyber-security what would you focus on? One really scary problem that doesn't get enough attention is the insecurities in BGP, the router protocol of the Internet. BGP has been getting some attention as of late from Homeland Security, but it's still way down the list of sexy computer problems.

The Obama administration has begun its promised cyber-security initiative by appointing Melissa Hathaway to the National Security Council from where she will head the effort. Hathaway will begin with a 60-day review of the Bush administration's five-year, $30 billion Comprehensive National Cyber Security Initiative, which she helped to develop. During the campaign Obama promised that he would "make cyber-security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a national cyber-adviser, who will report directly to me." Hathaway will be a few rungs down the ladder from that, but one hopes she has real authority anyway.

Many of you may have wondered from time to time about the big attacks we don't discover. The really sophisticated cyber-attacks go unnoticed, with all their tracks covered up at the end. I'm sure such attacks occur, especially in espionage where you are only collecting information and not causing any real damage. And I would bet that these unnoticed attacks use BGP injection.

Hardening the BGP infrastructure was on the agenda at the Department of Homeland Security recently. We're all a little more familiar lately with DNS cache poisoning, which enables DNS spoofing, but BGP spoofing is even worse. There's essentially no defense against it. If I execute a well-designed spoof I can impersonate anything on the Internet. You may have no way to tell the difference.

About a year ago, overreacting in an effort to disable some YouTube videos, Pakistan Telecom used BGP injection to spoof YouTube in order to block access to it inside the country. It's an interesting enough story just for what it says about the actors involved, but it shows the power of BGP abuse. Pretty much anyone in Pakistan who went to YouTube connected instead to a different page with some message about it being unavailable.

I should note that DNSSEC is also an important initiative that deserves government attention. It has gotten some, even if they are running behind schedule on it. DNSSEC works by using public key cryptography to let clients verify the identities of DNS servers they deal with. The need for DNSSEC became more clear last year after the revelation of the Kaminsky bug.

The main ideas for how to fix BGP work along the same lines: use PKI and sign router communications. Some are calling it BGPSec, some RPKI. Geoff Huston of APNIC says of the problem:" All these attacks rely on one feature of BGP: the ability for a party to 'lie' in routing and for the lie to propagate across the entire network and not be readily and automatically detected as a lie. The RPKI is an essential component of a mechanism that allows such routing lies to be readily identifiable by everyone else using automated processes"

DNSSEC has been around for about 10 years and has barely eeked into the real Internet. RPKI is far behind that. Unlike DNSSEC, there isn't a standard or even an agreed-upon approach. Steve Bellovin of Columbia University, one of the experts on this subject, notes that there are two primary secure BGP proposals and neither has consensus behind it. Bellovin thinks that both proposals are flawed and that a better one may be needed. If this is an area where DHS money could help, then it's time to open the taps and let the money flow.

I wonder whether an opportunity was missed in recent years, in that routers have recently begun adding support for 32-bit ASN numbers. Each network on the Internet has a unique identifying number. Until recently these were 16-bit integers, but this pool will run out soon, so the IANA began distributing 32-bit ASN numbers. It would have been nice if a secure BGP spec had been available to add at the same time.

If I'm expecting the federal government to focus only on the really big problems then this is one of them. If the Obama administration makes cyber-security progress on nothing but DNSSEC and securing BGP then they will have done a good job.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel