In the Obama Era, Routing Has to Change, Too

If you're looking for the really serious security issues to address, ones that might need government help, securing BGP should be on the short list.

If you were in charge of the nation's cyber-security what would you focus on? One really scary problem that doesn't get enough attention is the insecurities in BGP, the router protocol of the Internet. BGP has been getting some attention as of late from Homeland Security, but it's still way down the list of sexy computer problems.

The Obama administration has begun its promised cyber-security initiative by appointing Melissa Hathaway to the National Security Council from where she will head the effort. Hathaway will begin with a 60-day review of the Bush administration's five-year, $30 billion Comprehensive National Cyber Security Initiative, which she helped to develop. During the campaign Obama promised that he would "make cyber-security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a national cyber-adviser, who will report directly to me." Hathaway will be a few rungs down the ladder from that, but one hopes she has real authority anyway.

Many of you may have wondered from time to time about the big attacks we don't discover. The really sophisticated cyber-attacks go unnoticed, with all their tracks covered up at the end. I'm sure such attacks occur, especially in espionage where you are only collecting information and not causing any real damage. And I would bet that these unnoticed attacks use BGP injection.

Hardening the BGP infrastructure was on the agenda at the Department of Homeland Security recently. We're all a little more familiar lately with DNS cache poisoning, which enables DNS spoofing, but BGP spoofing is even worse. There's essentially no defense against it. If I execute a well-designed spoof I can impersonate anything on the Internet. You may have no way to tell the difference.

About a year ago, overreacting in an effort to disable some YouTube videos, Pakistan Telecom used BGP injection to spoof YouTube in order to block access to it inside the country. It's an interesting enough story just for what it says about the actors involved, but it shows the power of BGP abuse. Pretty much anyone in Pakistan who went to YouTube connected instead to a different page with some message about it being unavailable.

I should note that DNSSEC is also an important initiative that deserves government attention. It has gotten some, even if they are running behind schedule on it. DNSSEC works by using public key cryptography to let clients verify the identities of DNS servers they deal with. The need for DNSSEC became more clear last year after the revelation of the Kaminsky bug.

The main ideas for how to fix BGP work along the same lines: use PKI and sign router communications. Some are calling it BGPSec, some RPKI. Geoff Huston of APNIC says of the problem:" All these attacks rely on one feature of BGP: the ability for a party to 'lie' in routing and for the lie to propagate across the entire network and not be readily and automatically detected as a lie. The RPKI is an essential component of a mechanism that allows such routing lies to be readily identifiable by everyone else using automated processes"

DNSSEC has been around for about 10 years and has barely eeked into the real Internet. RPKI is far behind that. Unlike DNSSEC, there isn't a standard or even an agreed-upon approach. Steve Bellovin of Columbia University, one of the experts on this subject, notes that there are two primary secure BGP proposals and neither has consensus behind it. Bellovin thinks that both proposals are flawed and that a better one may be needed. If this is an area where DHS money could help, then it's time to open the taps and let the money flow.

I wonder whether an opportunity was missed in recent years, in that routers have recently begun adding support for 32-bit ASN numbers. Each network on the Internet has a unique identifying number. Until recently these were 16-bit integers, but this pool will run out soon, so the IANA began distributing 32-bit ASN numbers. It would have been nice if a secure BGP spec had been available to add at the same time.

If I'm expecting the federal government to focus only on the really big problems then this is one of them. If the Obama administration makes cyber-security progress on nothing but DNSSEC and securing BGP then they will have done a good job.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.