NWW: Fix to Chinese Internet traffic hijack due in January


Fix to Chinese Internet traffic hijack due in January

Registries to issue digital certificates for verifying IP addresses, routing

By Carolyn Duffy Marsan, Network World

December 07, 2010 11:39 AM ET

Policymakers disagree about whether the recent Chinese hijacking of Internet
traffic was malicious or accidental, but there's no question about the
underlying cause of this incident: the lack of built-in security in the
Internet's main routing protocol.

Network engineers have been talking about this weakness in the Internet
infrastructure for a decade. Now a fix is finally on the way.

Policymakers disagree about whether the recent Chinese hijacking of Internet
traffic was malicious or accidental, but there's no question about the
underlying cause of this incident: the lack of built-in security in the
Internet's main routing protocol.

Network engineers have been talking about this weakness in the Internet
infrastructure for a decade. Now a fix is finally on the way.

Six worst Internet routing attacks

Beginning Jan. 1, Internet registries will add a layer of encryption to their
operations so that ISPs and other network operators can verify that they have
the authority to route traffic for a block of IP addresses or routing
prefixes known as Autonomous System Numbers.

The fix – known as Resource Public Key Infrastructure (RPKI) – is not
perfect. It will require adoption by all of the Internet registries as well
as major ISPs before it can provide a significant amount of protection
against incidents such as when China Telecom hijacked 15% of the world's
Internet traffic in April.

Proponents of RPKI say it is a much-needed first step in improving the
security of the Border Gateway Protocol (BGP), which is the core routing
protocol of the Internet.

Not everyone believes it will work.

At a minimum, RPKI, if widely adopted, should prevent ISPs from accidentally
disrupting the flow of Internet traffic with erroneous routing information.

Geoff Huston, chief scientist at the Asia Pacific Network Information Centre
(APNIC), says RPKI will eliminate many routing incidents including the China
Telecom hijacking when it is coupled with follow-on work aimed at securing
BGP routes.

"The intent of the overall work, which involves the RPKI as the underlying
security platform and secure BGP as a way of introducing signed credentials
into the routing system, is to make lies in the routing system automatically
detectable and, therefore, automatically removable," Huston says. "It will
eliminate a large class of problems…Such a system would directly address the
[China Telecom] incident."

The RPKI development effort was funded in part by the U.S. Department of
Homeland Security, which has made bolstering the security of the Internet's
routing system a key cybersecurity initiative.

How quickly RPKI will be adopted is unknown. Among the companies that have
helped design RPKI are Cisco, Google, Deutsche Telecom, NTT, Sprint and

"RPKI will solve the vast majority of routing problems that crop up, but it's
not the final solution," says Stephen Kent, chief scientist for information
security at Raytheon BBN Technologies and a contributor to the RPKI standards

Kent says RPKI must be followed by adding security for route paths to BGP,
which is under development. This BGP update will take longer and be more
expensive to deploy than RPKI because it will require network operators to
upgrade their routers.

"If it turns out that RPKI solves 80% or 90% of the issues, then there is a
tremendous benefit from that," Kent says. "RPKI is the basis for doing the
fancier stuff later." Routing attacks multiply

The China Telecom incident is the latest in a string of high-profile Internet
routing attacks, such as when Pakistan Telecom brought down YouTube's Web
site for two hours in February 2008 or when Malaysian ISP DataOne hijacked
traffic to Yahoo's Santa Clara data center in May 2004.

RPKI was created by the Internet Engineering Task Force's Secure Inter-Domain
Routing (SIDR) working group, which has been working on routing security
since 2005.

RPKI allows ISPs and other network operators to generate digital signatures
that verify that they have the authority to make changes to Internet
resources such as IP addresses or routing prefixes.

Most of the standards documents that describe how RPKI works are in the final
stages of approval at the IETF.

"There's been a push to get these documents out and approved," Kent says. "I
think they will be popping out through the…first quarter of next year."

One factor driving the release of the RPKI standards is that the regional
Internet registries have already committed to start issuing
production-quality certificates to their members.

The registries have been working for several years to get the processes,
procedures and software in place to support RPKI. They've also been improving
the accuracy of their databases that list which IP addresses and routing
prefixes are allocated to particular network operators.

APNIC already has a resource certification system in production mode. Several
other registries, including Europe's RIPE NCC, plan to go live with their
implementations of RPKI on Jan. 1, 2011.

The American Registry for Internet Numbers (ARIN), which provides IP
addresses and routing prefixes to ISPs in North America, said it will support
RPKI in the second quarter of 2011.

"ARIN plans to release a production-grade Resource Certification service
early in the second quarter of 2011," says Mark Kosters, CTO of ARIN. "There
is a pilot program as an interim measure that has been in place since June

Network operators must verify their IP addresses and routing prefixes with
their registries through the new RPKI system, and they will need to check the
authoritative database created by the registries to construct their routing
filters. Various organizations including Raytheon BBN have created open
source software to handle this extra network management function.

"For the really small ISPs, the Web portal design by [registries] makes this
trivial. They have to do it once, and set it and forget it," Kent says. "If
you're a big ISP, then it will take more effort to integrate [RPKI] into your
overall system."

Enterprises that multi-home their networks – or split their network traffic
between multiple carriers – can take advantage of RPKI if they want the extra
protection it provides.

Huston says enterprise network managers should support the RPKI effort
because it bolsters the security of the Internet's routing infrastructure and
protects against snooping, traffic redirection, distributed denial of service
and man-in-the-middle attacks.

"Everyone ultimately relies on the public network," Huston says. "Enterprise
folk use it for VPNs, they use it for public facing services, they use it for
business-to-business communication. If you can subvert the integrity of the
routing system and send packets to the wrong places, all kinds of risks
ensue." Doubts about RPKI

Not everyone thinks RPKI is going to work.

"I'm not wildly optimistic about it," says Bill Woodcock, research director
for the Packet Clearing House, which offers open source software called the
Prefix Sanity Checker that's used by ISPs to check BGP routing filters for

"The theory behind RPKI is that you would do a cryptographic signing of your
routing announcements and that other people would build filters to not allow
routes that didn't include that cryptographic signature," Woodcock explains.
"It's more complicated than our software, and it only works if the person on
the other end has done this crypto operation."

Woodcock says network operators are notoriously bad at maintaining current
information about their IP addresses and routing prefixes in databases
operated by the regional registries. And they're also lax about using
software such as Prefix Sanity Checker to avoid typographical errors. That's
why he thinks it's unlikely that enough ISPs will deploy something as complex
as RPKI.

"There's no user demand for this, which is going to make it hard to cram down
the throats of network operators," Woodcock adds.

Woodcock says network operators misconfigure routers regularly, and that
there's no reason to believe the China Telecom incident is anything other
than another mistake.

"This was an embarrassment for the entire world to see," he says. "If it had
been malicious, it's very likely it would have taken a very different form. …
The things to look for in a real attack would be specific individual targets
whose traffic was being diverted and a cover-up of that. This was so obvious
and blatant."

Craig Labovitz, chief scientist at Arbor Networks, says he can't tell if the
China Telecom incident was accidental or malicious. Labovitz studied errors
in routing prefixes for his PhD research 15 years ago.

"I just don't know" if China Telecom was being malicious, Labovitz says.
"We've seen many errors in the past: errors and fat fingers and incompetence.
But at the same time, we've seen malicious use of BGP by spammers."

Labovitz says network operators can take steps such as filtering router
announcements to avoid these kinds of traffic hijacking incidents between now
and when RPKI is widely deployed.

"There are things that can be done today without any additional spending,
without upgrading routers, but they are just not being done," Labovitz says.
"A best common practice for ISPs is that you should filter routing
announcements from your customers. It's a little bit depressing that after 15
years, we have large sections of the Internet that are not following best
common engineering packages."

Labovitz says it may take a more significant routing incident than China
Telecom's to prompt deployment of RPKI and BGP security. He points to the
example of the Kaminsky threat, which is propelling domain name registries to
support new security measures.

DNS security "took an event that was so scary to force action," Labovitz
says. "Maybe the growing number of BGP incidents will be enough to drive
industry and government consensus to act…I think this is something that we
need to fix, and we are on borrowed time."

FWIW, I was fairly unhappy with how PCH was portrayed in the article... That was the product of a very long interview, and we certainly didn't suggest that the Prefix Sanity Checker was an _alternative_ to RPKI. I very much think routing security is a critical issue, the Prefix Sanity Checker was a baby-step in that direction, which will help some people some of the time; tools that perform a cryptographic verification of RADb-style origin and transitive-path assertions are the obvious next step, and I'd very much like to see them developed. It does seem to me, and a lot of people who've talked with me about it, however, that using existing cryptographic methods on top of existing routing-policy methods, would get us further, faster, than trying to cook up some whole new single-purpose protocol from scratch. That was the essence of the interview I gave, and I don't think that message made it through into the finished article very obviously.