BGP in the Washington Post

Interesting story about BGP and security in the Washington Post today:

http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/

-Bill

sort of disappointed they did not quote randy using only lower case. looks weird. once past that, good comment.

Excellent find,
Thanks! I forwarded this to a bunch of people. Mostly managers.

Jeff A. Masiello

The article left me with the feeling that there was a secure version of BGP
that is available but network operators are too short-term-focused and
foolish to deploy it.

I believe the situation is more complicated than that, no? There is no
"secure version of BGP". There are a handful of things that help, like
RPKI ... but they are far off from hitting the mark of "securing the
internet"... not to mention the ARIN RPKI SNAFU with various lawyers that
make RPKI impossible for a large part of the internet.

CB

PS. All my ipv4 and ipv6 routes are RPKI signed, but I can't validate
because Cisco does not think validation within a VRF is an IOS-XR worthy
feature

PPS. It does blow my mind that the internet works so well given that its
security relies on the good faith and reputation of a few network janitors
and plumbers

and in comic sans you mean?

The issue here is that people treat routing security the same way as
the Jennifer Aniston character in "Office Space" and her flair. People
do the minimum to make it work and forget about it.

This can have catastrophic effects if one does that with your sewers,
septic fields, etc but we accept it in the BGP and routing universe
for some reason. You even see that with the IRR data, people add and never
remove. You can explore your objects here, you might be surprised how old
they are or who is injecting garbage today. http://irrexplorer.nlnog.net/

at $dayjob we try to do the right thing and as a result see complaints
from customers, prospects and even our vendors that what we do pushes
their scale limits and capabilities. Gert asks if you enabled IPv6 on
something today, (or did you turn IPv4 off soon I think will be a fair
question).

What have we (You!) done to improve routing security recently?

Do we need a photo or t-shirt of randy bush saying “only you can prevent
route hijackings?”

- Jared

Actually, that's the level of attention given to all kinds of infrastructure just about everywhere. :wink:

Because our industry (for better or worse) is not as regulated as other
"life-concerning" things in the world such as health, aviation,
education, construction, finance, electricity, etc., are, it is up to
us to make sure we do the right thing. But if there is no "official" or
"standard" metric against which we can hold one another accountable, we
are all bound to do our own things, as you say, that are enough to make
it work and forget about it.

As the saying goes, "You can't blame a monkey for botching a brain surgery".

Our lack of regulation means we can quickly scramble up a global routing
protocol on three napkins and get it into production. This is a good thing.

The question now is - how important is this Internet network to us that
we are willing to accept a moderate to significant amount of
inconvenience in order to improve its long term utility the same way we
expect the sewer companies to do a decent job keeping the filth out of
sight?

Mark.

The difference is that there are standardized (global) guidelines for
those infrastructures within their own industry, that lack of compliance
can lead to serious fines, jail time or both.

A network operator unmaliciously screwing up their BGP configuration and
taking one side of a continent out is unlikely to see any punishment
beyond being fired by his employer, or losing his customers if
self-employed.

Mark.

Also, the internet usually works pretty good-ish and the janitors clean up
the messes pretty quick-ish.

That said, I believe the BGP situation is completely hygienic relative to
the DDoS issues going on that could be solved by BCP38 and otherwise fixing
poorly admin'd DNS, NTP, CHARGEN, and SSDP nodes. The aforementioned
janitors are pretty powerless on this front... and... various parties on
all sides are looking to cash in (booters on one side, web scrubbers on the
other)... which is a very dangerous arms race with real money on both sides
looking to escalate the harm / fix.

CB

1. Ensuring insurance underwriters understand the amount of unsecured risk they have, and working with them to develop the *verifiable* checklists they should be going through before they write 'cyber-' policies.

2. Working with ISO to develop relevant outcome-based standards (e.g., not what you type into your config, but rather the desired result, such as source address validation, detection/classification/traceback/mitigation capabilities, et al.).

3. Working with regulatory bodies in various regulated verticals to require aforementioned ISOs, same with insurance companies serving those industries (this will have an ink-blot effect reaching down into their supply/service chains).

4. Working with governmental bodies to require aforementioned ISOs in the regulated industries.

5. Working with PCI/DSS to add an availability component, as well as all relevant integrity BCPs.

6. Adding outcome-based requirements surrounding all the relevant BCPs to peering/transit agreements, getting regulators and governments to require same.

I really think the insurance industry is going to be the best/easiest route to take (pardon the pun); this has the advantage of not requiring further governmental regulation, and does offer a market-based solution. I know Bill Woodcock has some experience in this general arena.

My fondest wish is for there to cease to be a need for DDoS mitigation tools and techniques, and I do my best to try and educate and proselytize to that end, and have done so for many years.

<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>

I would much rather be working on other problem-sets. But needs must.

Is there *IN THEORY* any possibility to make BGP secure enough now?

Yes, RPKI protects from fat fingered people, but it does NOT protect from
people doing hijacks knowingly.

The global routing registry really can be the solution, but it
automatically gives one authority a power to cut off any network.
Imagine how fast it will be used for censorship.

> Also, the internet usually works pretty good-ish and the janitors clean up
> the messes pretty quick-ish.
>
> That said, I believe the BGP situation is completely hygienic relative to
> the DDoS issues going on that could be solved by BCP38 and otherwise fixing
> poorly admin'd DNS, NTP, CHARGEN, and SSDP nodes. The aforementioned
> janitors are pretty powerless on this front... and... various parties on
> all sides are looking to cash in (booters on one side, web scrubbers on the
> other)... which is a very dangerous arms race with real money on both sides
> looking to escalate the harm / fix.

If you have secure BGP deployed then you could extend the authentication
to securely authenticate source addresses you emit and automate
BCP38 filter generation and then you wouldn't have to worry about
DNS, NTP, CHARGEN etc. reflecting spoofed traffic.

This can be and is done by networks which originate routes and which practice good network hygiene, no PKI required.

But then we get into the customer of my customer (of my customer, of my customer . . .) problem, and this isn't quite so clear.

There are also potentially significant drawbacks to incorporating PKI into the routing space, including new potential DoS vectors against PKI-enabled routing elements, the potential for enumeration of routing elements, and the possibility of building a true 'Internet kill switch' with effects far beyond what various governmental bodies have managed to do so far in the DNS space.

Once governments figured out what the DNS was, they started to use it as a ban-hammer - what happens in a PKIed routing system once they figure out what BGP is?

But nobody seems to be discussing these potential drawbacks, very much.

> the possibility of building a true 'Internet kill switch' with effects far
> beyond what various governmental bodies have managed to do so far in the DNS
> space.

Could you elaborate ? I don't see how it could be worse.
Comparing with DNS is not relevant IMHO. Everyone is managing its own routing
policy, not everyone is managing its own DNS root.

Denis

Everyone CAN manage his own DNS root; everyone CAN use /etc/hosts; everyone CAN switch to an altogether different name resolution such as PNRP.

Everyone CAN'T switch to an alternate global routing table.

So, what happens when the authorities in some locale start pressing for the cancellation of relevant certificates utilized in routing PKI, and/or order operators under their jurisdiction to reject same?

Thus spake Roland Dobbins (rdobbins@arbor.net) on Tue, Jun 02, 2015 at 03:05:13PM +0700:

> > If you have secure BGP deployed then you could extend the authentication
> > to securely authenticate source addresses you emit and automate
> > BCP38 filter generation and then you wouldn't have to worry about
> > DNS, NTP, CHARGEN etc. reflecting spoofed traffic
>
> This can be and is done by networks which originate routes and which
> practice good network hygiene, no PKI required.
>
> But then we get into the customer of my customer (of my customer, of my
> customer . . .) problem, and this isn't quite so clear.
>
> There are also potentially significant drawbacks to incorporating PKI into
> the routing space, including new potential DoS vectors against PKI-enabled
> routing elements, the potential for enumeration of routing elements, and the
> possibility of building a true 'Internet kill switch' with effects far
> beyond what various governmental bodies have managed to do so far in the DNS
> space.
>
> Once governments figured out what the DNS was, they started to use it as a
> ban-hammer - what happens in a PKIed routing system once they figure out
> what BGP is?
>
> But nobody seems to be discussing these potential drawbacks, very much.

Start here:
https://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf

Dale

> Is there *IN THEORY* any possibility to make BGP secure enough now?
>
> Yes, RPKI protects from fat fingered people, but it does NOT protect from
> people doing hijacks knowingly.

At the moment because not enough of the net is covered. When you
get enough coverage then yes it will protect you because there is
no way to get a valid CERT to authenticate the hijack.

Even before that RPKI will limit the impact of the hijack by isolating
the attack to the networks close to the injection points. Think
of this as herd immunity.
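
As an added illustration of the origin validation discussed in this thread (not part of any poster's message): a minimal Python sketch of RFC 6811 route origin validation, showing the valid / invalid / not-found outcomes and why a prefix with no ROA gets no protection from a "drop invalids" policy. The VRP table, prefixes and AS numbers are constructed sample data, and `validate` and `accepted` are hypothetical helper names.

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (prefix, maxLength, origin AS).
# Prefixes come from documentation ranges, ASNs from the documentation range.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 36, 64501),
]

def validate(prefix, origin_asn, vrps=VRPS):
    """Return the RFC 6811 validation state of one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        roa_net = ipaddress.ip_network(vrp_prefix)
        # A VRP "covers" the route if the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering VRP "matches" if the origin agrees and the route is not
        # more specific than the ROA's maxLength allows.
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched: wrong origin or too-specific prefix.
    # Not covered at all: the holder published no ROA, so nothing can be said.
    return "invalid" if covered else "notfound"

def accepted(announcements, vrps=VRPS):
    """Common operator policy: drop 'invalid', keep 'valid' and 'notfound'."""
    return [a for a in announcements if validate(*a, vrps=vrps) != "invalid"]

# Constructed announcements as (prefix, origin AS) pairs.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),        # matches the ROA
    ("192.0.2.0/24", 64511),        # mistyped origin AS
    ("192.0.2.128/25", 64500),      # leaked more-specific, beyond maxLength
    ("2001:db8:1000::/36", 64501),  # within maxLength 36
    ("2001:db8:1234::/48", 64501),  # too specific for maxLength 36
    ("203.0.113.0/24", 64502),      # no ROA covers this prefix
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:22} AS{asn}  {validate(prefix, asn)}")
```

The last announcement is kept by the policy only because no ROA exists for it, which is the coverage gap the reply above refers to.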

The same folks also followed up that workshop paper with a longer paper on
the topic:
https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf