Detecting Internet routing 'lies'

Aussie expert explains how to fix Internet's routing system to prevent insidious attacks.

Australian Geoff Huston is one of the foremost authorities on Internet routing and scaling issues. We sent Huston, a former Chief Scientist at Telstra Internet, a few questions about the U.S. government's plan to bolster R&D to secure the Internet's core routing protocol, the Border Gateway Protocol (BGP). Here are excerpts of from what Huston had to say:

What's your role in the U.S. Department of Homeland Security's Resource Public Key Infrastructure Initiative (RPKI) [one of two key router security initiatives funded by DHS, the other being BGPSSEC] and your involvement with the DHS on this?

I am the chief scientist at APNIC, the Regional Internet Registry (RIR) for the Asia Pacific Region, and in this role I have been leading the APNIC effort to introduce digital certification of number resources. I am also a co-chair of the Internet Engineering Task Force (IETF) Secure Inter-Domain Routing Working Group (SIDR WG), a group chartered to develop standard technologies intended to produce security mechanisms for inter-domain routing. I am not funded by the U.S. DHS, but I share their concern in this area. I collaborate with a number of researchers who are supported by U.S. research grants.

Can you explain in plain English what RPKI is trying to do and how it relates to improving the security of the Internet's routing system?

Attacks on the routing system can result in outcomes that pervert many conventional forms of security defence and happen in ways that are extremely difficult to detect. Routing attacks can "hijack" addresses, redirecting users' traffic to other than the intended destination, allowing an attacker to "spoof" the identity of the intended victim. Routing attacks also can redirect traffic flows, allowing an attacker to inspect transit traffic without the knowledge of either end party. And routing attacks can disrupt the network, causing chaos and disruption, either directed at a single victim, or more generally at a collection of addresses or at infrastructure elements such as DNS servers.

All these attacks rely on one feature of BGP: the ability for a party to "lie" in routing and for the lie to propagate across the entire network and not be readily and automatically detected as a lie. The RPKI is an essential component of a mechanism that allows such routing lies to be readily identifiable by everyone else using automated processes. In other words, the RPKI does not alter the basic mechanisms of inter-domain routing and does not stop malicious folk from attempting to generate lies in the inter-domain routing environment. But as the routing information is passed through the routing fabric, other parties can use tools and the information loaded into the RPKI to verify the accuracy and authenticity of routing information and correctly identify instances of invalid routing information or lies.

What is the status of the RPKI effort?

In software, a number of efforts are underway to provide tools that implement RPKI services. These include an RPKI software suite authored by APNIC, a set of tools produced by the Internet Software Consortium (ISC) supported by the American Registry for Internet Numbers, and tools developed by BBN.

In standards activity, we have submitted a number of documents to the SIDR WG for standardization that build upon earlier work of adding IP address attributes to digital certificates.

In late 2008, APNIC was the first RIR to include the publication of RPKI certificates as part of its set of services to APNIC resource holders. Holders of IP address resources that are administered by APNIC can now use the APNIC service system to generate digital certificates that can be used to verify digitally signed assertions about IP addresses and their use.

The next steps are to use this framework for the generation of tools that allow ISPs and enterprises to digitally sign "authorities" that relate to routing assertions and to provide tools that allow ISPs and others to validate routing information by matching these signed authorities to the routing information being passed through the inter-domain routing system. The specification of these tools is a task currently underway in the SIDR WG.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags routingbgp

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carolyn Duffy Marsan

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?