Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


In the Obama Era, Routing Has to Change, Too



 By: Larry Seltzer
2009-02-13
Article Rating:starstarstarstarstar / 2


There are 4 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
If you're looking for the really serious security issues to address, ones that might need government help, securing BGP should be on the short list.

If you were in charge of the nation's cyber-security what would you focus on? One really scary problem that doesn't get enough attention is the insecurities in BGP, the router protocol of the Internet. BGP has been getting some attention as of late from Homeland Security, but it's still way down the list of sexy computer problems.

The Obama administration has begun its promised cyber-security initiative by appointing Melissa Hathaway to the National Security Council from where she will head the effort. Hathaway will begin with a 60-day review of the Bush administration's five-year, $30 billion Comprehensive National Cyber Security Initiative, which she helped to develop. During the campaign Obama promised that he would "make cyber-security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a national cyber-adviser, who will report directly to me." Hathaway will be a few rungs down the ladder from that, but one hopes she has real authority anyway.

Many of you may have wondered from time to time about the big attacks we don't discover. The really sophisticated cyber-attacks go unnoticed, with all their tracks covered up at the end. I'm sure such attacks occur, especially in espionage where you are only collecting information and not causing any real damage. And I would bet that these unnoticed attacks use BGP injection.

Hardening the BGP infrastructure was on the agenda at the Department of Homeland Security recently. We're all a little more familiar lately with DNS cache poisoning, which enables DNS spoofing, but BGP spoofing is even worse. There's essentially no defense against it. If I execute a well-designed spoof I can impersonate anything on the Internet. You may have no way to tell the difference.

Resource Library:

About a year ago, overreacting in an effort to disable some YouTube videos, Pakistan Telecom used BGP injection to spoof YouTube in order to block access to it inside the country. It's an interesting enough story just for what it says about the actors involved, but it shows the power of BGP abuse. Pretty much anyone in Pakistan who went to YouTube connected instead to a different page with some message about it being unavailable.

I should note that DNSSEC is also an important initiative that deserves government attention. It has gotten some, even if they are running behind schedule on it. DNSSEC works by using public key cryptography to let clients verify the identities of DNS servers they deal with. The need for DNSSEC became more clear last year after the revelation of the Kaminsky bug.

The main ideas for how to fix BGP work along the same lines: use PKI and sign router communications. Some are calling it BGPSec, some RPKI. Geoff Huston of APNIC says of the problem:" All these attacks rely on one feature of BGP: the ability for a party to 'lie' in routing and for the lie to propagate across the entire network and not be readily and automatically detected as a lie. The RPKI is an essential component of a mechanism that allows such routing lies to be readily identifiable by everyone else using automated processes"

DNSSEC has been around for about 10 years and has barely eeked into the real Internet. RPKI is far behind that. Unlike DNSSEC, there isn't a standard or even an agreed-upon approach. Steve Bellovin of Columbia University, one of the experts on this subject, notes that there are two primary secure BGP proposals and neither has consensus behind it. Bellovin thinks that both proposals are flawed and that a better one may be needed. If this is an area where DHS money could help, then it's time to open the taps and let the money flow.

I wonder whether an opportunity was missed in recent years, in that routers have recently begun adding support for 32-bit ASN numbers. Each network on the Internet has a unique identifying number. Until recently these were 16-bit integers, but this pool will run out soon, so the IANA began distributing 32-bit ASN numbers. It would have been nice if a secure BGP spec had been available to add at the same time.

If I'm expecting the federal government to focus only on the really big problems then this is one of them. If the Obama administration makes cyber-security progress on nothing but DNSSEC and securing BGP then they will have done a good job.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.





  Reader Comments: In the Obama Era Routing Has to Change Too
>>> Post your comment now!
A user comment on this article
To me it seems hard to believe that the security of the internet, the thing that everyone and our economy relies on, is based on each provider using...
Posted At: 03-09-09
By: Tom K
Kaminsky
Another consensus opinion about the Kaminsky attack was that it was just a matter of time before a similar weakness was found that didn't have an...
Posted At: 02-17-09
By: Larry Seltzer
They may care, but do we want them "fixing" it?
Government's track record on things like this isn't all that good -- though if they had a "competition" like they did to choose AES, it might work...
Posted At: 02-17-09
By: c2
BGPSec, DNSSEC, Politics
Hi, I'm Larry Seltzer. Do you worry about the security of the routing infrastructure? Do you think the administration cares?
Posted At: 02-13-09
By: Larry Seltzer
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


xr80VӮc*d[.kʶ<<ձ $)RCRսω}}.Kurw&D"H@goOD.\ݴt͙M5>5dRr[da=ʲnMw3a[]ޡlwGZ*մ*rM)֎╇o[©̝ wΨn?ڽPʪ)J{>ΑGAmkh[Jv^׵Vlt|n]\[@$HcA~Nw& LT)Jj\(ML0h5 :fv}j_"ty[nkMюR=2,gfVҐ gUUj,qT~6zvEzv ;l,aR422V,]鮘ȏAժ}uڹ풳 9m}n _ܙGd@M Wh2s Nկ=?o!qb{ dPp9LwjT{dN;'/-2Odp"˧S0omYn]H.)ލT|Y|ěy30si2)ߦI&@w - :urͪZ*F`Kc7I3뾞;nZK=0[=RFƺ\ Дaלذ 1"% hJ@{e $}ВEtBAͨO%ތEr\P|2Z9<L&0`DMWwK@b!LTM}P@X\7 >)SPlm^l}``1 5g%qJi0xzO dQJ ds 4.gP)AH =k \99 ŊI^KHX-Vpp(ݞHpGn_-KEs㙰TL٣XB YX/_23CCɴaX9{DMfT`B[ụLKak`F^rA+ŲMCAII\ZUj5YQ%gCӡ3#ϖ߅#fF TXfRhjUVL-F*|( +ҵ瓩; Ң{Z^SvԻ~l2ݴZ!0\0|pT30`-eO)]&ٰ\R ~j"yd\s˰e0Ȧ\Q݂+6E)'!5 cd]Xz@4`D N.Lb4>\Pbr>+ eT)5*IM86abI߰VT!rB3]?w2_!挮~t!VBLQQT*8+ :?C*(Si)5}w88>΁x}ˬ7? g_ZRz냽ܮ;K9s3/'x/ ƌ1;h'0^+'o@|V?>]Ik01Sle`Sxt b=*䪢#?݀Ν.#Џ]!.~1X@P A6+8SӞ-5Z,Y~B)'؁ޯќ)E`9\Q˶SL*H@8܎:y>-)W` >N=2Ǩk 01-tp]U*jAe߯Y+^t m(5#c #2pgrh)hj*8UoF* ϛ=G$1*@7Z Sғe4 "lGIV`]z<->p7poj%O@(1N=9~܄yeb@my@?몦]}2YhSYpg#HٚIu* <Wk*kzďun6Oe*r1#_?L] [L4zɖ0`OO- v uhՂrO'(3ߥrf>k5VΚ>9lv''< hrõm7f>;"c'۽>RdsM-lu*%\.Yi 1ctSe}{c27OwoUUAS<:h3$P@hOXM\ X?k78$2ML laƭbR/\f ?+:TfDU }5Oӑ?>nVɍGZV/fIC{EY(..n$mP*jIIz,`wU素vdi&x9L5Lfl'P`Q(S&ZD}Rx*+nQ/ew>Q? &i^IW:.Wky*1n%vem"X׵I78CְS##nƝj`.ӪV$,: ()td* ek'#塺1&5 \:`Q Sup7߁؉ ?O.yros78Jn-sDܩV7]vYf?yxXDbvUG i^}靃&-_ |2$?[С{#|$~>xFM>xuS意G 95gy S:7vkm,b20)}~k_㆟yP1nglL'#I"ɫ:w7}\8%++Tx|1q/n%P2Y;pOҠcÙc}d<ݸw[f1vfoY>]bwP{_xŞYiIU/J\-"Pn'ZZ|W%0.ցːu9['@թWG=vwC|dK~jgol]EZxCmx ]a5/XIHY˶H٧AǑS 49?>'oaIL]_@32%,d?Ljue".[Fw6QJG,d(΀[,8SAR h|t(P6·o13a*BȂr A}(bC! mC[Q8Mymi2DxN?SEW?;ۊ=-&:*bKbXM?2^;O-b%ދ,xNDndIds+V$e%Ɛ^Alr &qmIT-8E*Iƈ܋yՄ]d:$Ky1婗yTK n &ȯ/6L:8a2P&;ZQJՊp5r 7 ͛/G8yj=Re`@ -FA_.~t^RZ)ؠIqy#H?b[PQ1T=$L~098B#ݓ.H@ҹ;XwFT;Fjd!b0r}ۏ@{osj/d>D9!riєL; W7ޠI*o=32Z01tS_ T:p- -bG-o~+S,7F*)KtZcXtL R T);zPK:KIDk$|YԂ2>A3ݠt  ,3@80Yz-yfn[cS'6mY:9q칤j*)57\ڷ`a  FTM< ߖyEBb<)HZӇwyPxš0\܃ݙݙݙݙ"X_O1=Űܥ6Lg6X̥,f?p9c-2/|{oۃGbx#1<:R[?0Q/HuHƓ_ݒ^'يIJҋ$!Z?m6;ŒR<̠&ǛYl B$D Hb͎.{r-ۓ(x[\ᕵYӢP҅v׃D<.dL̿ym e^7%'A2}0RiR sJ7MYiVRChcC8AD_M!=5Sx0[9QEZݺ:GJ*1 tzbNN${7L3ڵ-,kbxHx@-N zX+_+_f^L%'_A[^ xĂCSjw%vXm Kdj³@I ,mح50;3n~{cN/RwlSBJ́; MYn݂c.K]2)&tzCcKg4B#phH?.F:O"I)o}m7i:D+jX2,ʵkCy<}f^ShMGmb¶ks/ QxyG¡YKj|!&RJD:`W3VD 24Jf63̡h` >l.'?=k҃>?w}Lg{2(P>k~ eK /QiHc-1_}q/rx׻a3@a]$o,S e=aD)1; (oqfw1Vs[2VR Q?Ey ~ oH?I5?O:߃%-x7Q)7C.o;1$]!<^vIǏ{"T(ʊk('>?F]3:\o? ŢW\gz@R]DB(lhF쑂ް] B6D?~܋!,p;Z4V䀲mqcbJbFyA y!FvЏ{Kb+I7$q@`+jj5A^ cd0ckjrD,?t$E/]^|~8. dRCAKfRכRÔ}a}N"F dr B.]cbej\}K ZkKXYw)]dDo=0:էBZcċaWes[ɣS#D4VtHU) & 0Z`wnh1ܱ9=}VŠ@FJk&p]OJ;7W6]4_q=!o7ݙAfnVu&[wV9#On@1O@p'찔?>m:W.,Aƾ~@klM/5 ?)3$[] 0!3lV-TsZ.Wz`Nxb˛^3B{sYT+{^n9R==@\XYrV'ҴxfV-j%!V㬤{0 "҆(q8 @\wtch4:IwJ1X?_J }+QA9kqF[q{Z Bn).&ڰkobD )n3F OW1h=<.;ɘxa*1aV eզٝ$7xg`0u/xy B G=Jl~'&ᕷ}*4;-RlFϦz"ioB`(xƒM8P[k(86w_ 6b^zgZa!IGL>xIu1K= o~{@śr 8q,֎-D||0XV$ʽOg-ԥ"uFf."T( `V#C}AZ݋V׺颇U 88wg-d7:}GDwB79a(4<:xϾSc}Fs6$EuE)&%xG[>B8!iwFu檫Ԕ1"W'0 ឩS-1Șh MQ VHxDɹeMZӄpxXҚ0! YC) Q?f /mDRPi cIx 1tPPb G> 1JO \-uC@ebqzy cW[7gΥiūAgYVL,c/[4W )WPx s#CvFCd2`f]9_Y4ME'7^sE[[<҄m-r5:ǝ/'/gMkY|j5ۼW6/*˙ΒQ9j^283qm.4 "G}ɂw]%}QX\mI{(%lGyjUzu7M&6YBMղrڽ/j:ٙ%֔fyS!h5{Qs1c=W܄ @1@C|m]Nzs5Bx_m^;^dB7P~ (@y'9hp(?g@ |?dZ_~5ۧF4kgUF9c7(_֗_ 05.3K{AKe}.K Dg(Q~d_BeF9U^\eUuN? /q _gs?]7]7=^Z_ S}Yп A[(*[h6[ Ku1Ay3CΚ׸pz~;"9(/R*zUKg賲+F'_˰Πsk3e_7C@/1~dnleھ>&R+ ]Q%5-{[I2}ח: c|U$X2& e^>&c˼$=)>w槤I8j.{%])7[O'´Z}5_99* t=}*oND1KAF0_ Gz‰nQ'e&o3?`bG~@' @9N t[MAH^-~k/:)7.q{Zk;ţ;ZءƊ ~3/߆zH'<+?}4(biqe9ޢD)Fyk@XV_p3lcm|iW;usռ_7?Cg6'[u}NoM:S?|Y&@Y8'}R?j L=C9fhNh{sn`'~,@$uRiErT)~ܓNnM70kz@ b3jJ]NmJTL3BAzG l]{ۦJ̾ZCO3CX)x}̺l[ % P1=:eǬ*Yۼx`T ގe@7 J,5{3ŨـD@Sĝ}gR2mc5q) {{[2gډe:' q8i;Ìs,iރz~4@{4Hr(9Pųl1@Љ>7rO 0 hJ/.ӡxCKQ,V28 1(|3˸ [2FlX jXJr h;9ߞ\$ǖt{#KFUxi/ C4|诹)HEVtf-{Rz -HZ0'4FȊ˩qfi񰙄i׌/k9ҦL+Ic֠}փD#iZ#Xnƀ_h_n=,N7"fܝ05Ds[~>]@8>qg o6Nώ{;Y9 Wwh/'/Հ&;߽yjX3!?gxITwDZxಓH_c:-3ES&bb P|_|a9GY3wyC͞39L^e&l[l,)1 {;Kh.Ny 0p;ēC{)B9 H|\k,##1苌Y MЦ  B8̈́dX.N`'2ǞЄ2_X9VX#e i_3QNǮg}M=>1<(xkläd |A«U/="2cX ԟ1@ EY/o~4tZwkdY9Hr&zU h$7=j"6DwΖb'/S۝bNm% 1o)%:f*HrFx*D=Y:}#s!oYX&7ęV /O CׅѰ0 L{,lyEG%RRNfK#fE[Rj0gn~ӣf<˜4W6IĶqyuc~ږ10#ŸErN,ŀGjV0U9wm j׺Wxozc|>[z0XjvAy,O>A@`V\3zf7tZS5gnB<]SL&j1Bi6a1}bfYW`0-ZkAckLeU|tGYEL`&;]+N%t&ж?g8هl*~& l{+ЃT~xFK-^8Q> χ"@TNENE<<Sf}')VSL_Xџ_Q>Q*g\@