Slashdot Mirror


Feds Plot Massive Internet Router Security Upgrade

BobB-nw writes "The U.S. federal government is accelerating its efforts to secure the Internet's routing system, with plans this year for the Department of Homeland Security to quadruple its investment in research aimed at adding digital signatures to router communications. DHS says its routing security effort will prevent routing hijack attacks as well as accidental misconfigurations of routing data. The effort is nicknamed BGPSEC because it will secure the Internet's core routing protocol known as the Border Gateway Protocol (BGP). (A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.) Douglas Maughan, program manager for cybersecurity R&D in the DHS Science and Technology Directorate, says his department's spending on router security will rise from around $600,000 per year during the last three years to approximately $2.5 million per year starting in 2009."

29 of 101 comments

  1. It's a plot! by PixelThis · · Score: 5, Funny

    This plan to upgrade router security is a plot? Are there some nefarious evil masterminds behind it?

    1. Re:It's a plot! by MooseMuffin · · Score: 4, Funny

      Wrong meaning of plot. This is referring to a small patch of land.

    2. Re:It's a plot! by spazdor · · Score: 3, Interesting

      I guess it depends on whether they're planning on submitting an RFC, or just creating a new Sekrit Routing Protocol that only Unca Sam's buddies will know how to implement.

      I dearly hope the DHS is at least smart enough to get this one right.

      --
      DRM: Terminator crops for your mind!
    3. Re:It's a plot! by ScrewMaster · · Score: 3, Interesting

      This plan to upgrade router security is a plot? Are there some nefarious evil masterminds behind it?

      Yeah, that sure put a negative spin on it, didn't it? Fact is, a good chunk of core Internet functionality continues to work only because nobody's yet made a concerted effort to break it on a significant scale. Eventually somebody will, either via a state-sponsored attack of some kind, or a tech-savvy terrorist outfit looking to make a name for itself (the two can't always be easily separated, when you get right down to it.) Either way, hardening this stuff is a good idea. Whether or not the Feds are going to do it competently is another issue entirely.

      --
      The higher the technology, the sharper that two-edged sword.
    4. Re:It's a plot! by jmauro · · Score: 4, Informative

      I think they're just enabling MD5 on the BGP sessions. It's already specified in RFC 2385 - Protection of BGP Sessions via the TCP MD5 Signature Option. It's basically a $600k program to manage the logistics of turning this on. I do give props to Network World for making a mundane task 5 whole pages.
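The RFC 2385 mechanism jmauro refers to, as an added example that is not code from the thread: the sender computes an MD5 digest over the TCP pseudo-header, the option-less TCP header, the payload and a shared key, and the receiver recomputes it before accepting the segment. Addresses, ports and the key are constructed, nothing is sent on the wire, and the TCP checksum is left at zero for brevity.

```python
"""RFC 2385 TCP MD5 Signature Option on a BGP session (constructed example,
not from the thread; addresses, ports and key are made up, nothing is sent).
The digest authenticates the TCP session to a peer holding the same shared
key; it says nothing about whether the routes carried inside are legitimate."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPT_KIND, MD5_OPT_LEN = 19, 18   # kind + length + 16-byte digest
NOP = b"\x01"                        # pads options to a 32-bit boundary


def md5_signature(src_ip, dst_ip, tcp_hdr, seg_len, payload, key):
    """RFC 2385 s2.0: MD5 over pseudo-header, option-less TCP header with
    checksum zeroed, segment data, then the key. Options are not hashed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr_zero_cksum = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]
    return hashlib.md5(pseudo + hdr_zero_cksum + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, payload, key, seq=1, ack=1):
    """Sender side: TCP header, MD5 option padded with two NOPs, payload."""
    opt_len = MD5_OPT_LEN + 2                   # 20 bytes of options
    data_off = (20 + opt_len) // 4              # header length in 32-bit words
    # Checksum stays 0 here; a real stack computes it after signing.
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_off << 4, 0x18, 65535, 0, 0)   # flags PSH|ACK
    seg_len = 20 + opt_len + len(payload)
    digest = md5_signature(src_ip, dst_ip, hdr, seg_len, payload, key)
    options = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + NOP + NOP
    return hdr + options + payload


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: find option 19, recompute, compare in constant time.
    RFC 2385 has the receiver silently drop a segment whose digest is
    missing or wrong, so False means 'drop', not 'log and accept'."""
    hdr = segment[:20]
    data_off = (hdr[12] >> 4) * 4
    options, payload = segment[20:data_off], segment[data_off:]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                           # end of option list
            break
        if kind == 1:                           # NOP carries no length byte
            i += 1
            continue
        length = options[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            got = options[i + 2:i + MD5_OPT_LEN]
            want = md5_signature(src_ip, dst_ip, hdr, len(segment), payload, key)
            return hmac.compare_digest(got, want)
        i += length
    return False                                # unsigned segment
```

A 19-byte BGP KEEPALIVE (16-byte all-ones marker, length 19, type 4) makes a handy payload to sign and verify; any change to addresses, payload or key makes verification fail.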

    5. Re:It's a plot! by youknowjack · · Score: 4, Informative

      Where the hell is the IETF in all this, I want to know?

      http://www.ietf.org/internet-drafts/draft-ietf-rpsec-bgpsecrec-10.txt

      Abstract:

      The security of BGP, the Border Gateway Protocol, is critical to the proper operation of large-scale internetworks, both public and private. While securing the information transmitted between two BGP speakers is a relatively easy technical matter, securing BGP, as a routing system, is more complex. This document describes a set of requirements for securing BGP and the routing information carried within BGP.

    6. Re:It's a plot! by jmilne · · Score: 2, Informative

      It's more than just authenticating your neighbor. It's also about confirming that they have the right to be announcing the blocks that they're trying to announce to you.

    7. Re:It's a plot! by Stile+65 · · Score: 4, Interesting

      I think it's actually referring to S-BGP. I also thought it was just the MD5 signature option, but it's not.

      Then again, one of the comments in TFA is that it won't require any new software or hardware to be installed, so maybe it IS just the MD5 option. The features didn't sound like it; it sounded like they were establishing a whole PKI.

      --
      I claim first use of "Error No. 0B" - or "No. 0B error." It'll be the new ID 10T!
    8. Re:It's a plot! by Anonymous Coward · · Score: 3, Funny

      I think they're just enabling MD5 on the BGP sessions.

      And everybody knows that MD5 hashes are secure, so problem solved!

    9. Re:It's a plot! by CarpetShark · · Score: 2, Funny

      This plan to upgrade router security is a plot? Are there some nefarious evil masterminds behind it?

      No, just a bunch of colored pens.

    10. Re:It's a plot! by X0563511 · · Score: 5, Insightful

      OK smartass...
      I'll give you a BGP packet, and you have to replace it with another working BGP packet (with addresses that you want) that has the same hash.

      Go ahead. I'll wait for you. Well, not really - I'm sure the universe will reach heat-death before you find one.

      Now, assuming you do find one... find some for the whole communication. Also, you only have a few milliseconds to do it.

      Starting to sound difficult?

      Don't spout off bullshit when you KNOW you have no idea what you are talking about.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    11. Re:It's a plot! by Have+Blue · · Score: 4, Informative

      MD5 is only weak when used on data in formats which allow for large amounts of padding. BGP packets are a much less flexible format so collision attacks are much more difficult.

    12. Re:It's a plot! by nabsltd · · Score: 3, Insightful

      Not too long ago, this MD5 crack allowed a trusted SSL CA cert to be created.

      Although it's not "in the wild", the listed steps are such that pretty much anybody can do the same thing today. Plus, the actual hack required using real, live CA servers, and not just lab systems.

  2. Question for the experts by JoshuaZ · · Score: 3, Interesting

    For those of us who aren't experts on this sort of thing, will this only increase security at things that are .gov? That's the impression I get but I don't know enough technically to be sure.

    1. Re:Question for the experts by Klootzak · · Score: 4, Informative

      will this only increase security at things that are .gov? That's the impression I get but I don't know enough technically to be sure.

      Pretty much... it means that when Router A says to Router B "I have a new path to this network", the routers will first authenticate each other's identity utilizing Digital Signatures.

      Basically it's applying elements of PKI to router communications, so the router receiving the information knows it can trust other router's updates. If you didn't do it I could (potentially) spoof updates and say "this network exists here now" and all the information destined for that network would then be routed to me to packet-sniff to my heart's content.

      This type of stuff (in addition to SSL/TLS encryption of sensitive data communication channels) has been used internally in (most) Banking networks for a while now, I'm actually surprised they didn't have something like it in place already.

      --
      A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
    2. Re:Question for the experts by Anonymous Coward · · Score: 4, Funny

      If you didn't do it I could (potentially) spoof updates and say "this network exists here now" and all the information destined for that network would then be routed to me to packet-sniff to my heart's content.

      Couldn't you just not do that? Why do the Feds have to roll out a $600k program because of you? That is taxpayers' money for God's sake!

    3. Re:Question for the experts by Klootzak · · Score: 2, Informative

      I don't mean public networks, I mean private ones, SWIFT for instance...

      It has been a few years since I've worked in the finance arena, but I thought each BIC code was signed (or at least they were talking about it while I was involved in that area) and things like MQSeries channels between nodes that were used for transporting data have been SSL/TLS encrypted for ages? I remember doing it actually, MQ Version 5.2 (or 5.3?) included SSL-over-channel functionality.

      Anyways, I'm sure it's being taken care of, maybe get in touch with your bank and ask them if you're concerned?

      --
      A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
  3. Is it just me, or is that sum peanuts? by dmomo · · Score: 4, Informative

    I don't know much about security and cost, but the 600k does indeed seem fairly small to me for something like this. Even 2.x million seems like a sizzle in the pan. Can anyone speak to the costs involved?

    1. Re:Is it just me, or is that sum peanuts? by Morty · · Score: 4, Informative

      They're talking about funding research, not deployment. RTFA. The dollar amounts in question sound about right.

      Note also that this goes way beyond SSL. This is not about identifying your BGP peers -- that's a relatively simple problem that can easily be solved with MD5 [or one of the hash algorithms that is replacing MD5, since MD5 is problematic.] This is about validating that your BGP peers have the right to announce what they are announcing. This is a much harder problem than SSL.

      That is, let's say you have a router that peers with $someco's router. It's easy to use MD5 [or replace it with something better] so you are sure that you are talking to $someco's router. It might also be possible to set up SSL instead, so you are even more sure you are talking to $someco. But even if you know you are talking to $someco, how do you know you can trust what $someco is telling you? What if $someco's router says it's a good path to get to a chunk of address space that belongs to $otherco -- should you believe it? BGP is full of settings that let you limit how much you trust your peers, but how do you know what you should set them to? Note that this is not a simple question of "is address space X associated with the $someco that is announcing it" -- even if address space X belongs to $otherco, it's possible that $someco is a legitimate transit network rather than a malicious third party.

      Sounds like DHS is funding research to try to solve this.

      This is somewhat different than the DNSSEC push. The DNSSEC effort is looking to deploy an existing but unpopular technology across the US federal government. The BGPSEC effort seems to be about creating a new technology for possible future deployment.

    2. Re:Is it just me, or is that sum peanuts? by m0i · · Score: 2, Informative

      It exists already, it is called a routing registry. The most famous is RADB but they can use IRRd to have their own private version (which they probably do already).

      --
      have you been defaced today?
  4. Most troubling about this by nwssa · · Score: 2, Interesting

    Most troubling is that problems like these were basically known about for years but nothing is done until after threats are displayed at sec conferences.

  5. +1 Funny! :) by Klootzak · · Score: 2, Interesting

    Couldn't you just not do that? Why do the Feds have to roll out a $600k program because of you? That is taxpayers' money for God's sake!

    I wouldn't do it (I don't even have an AS to play with anymore), and it's rather more complicated than my explanation made out...

    I think a possible way to implement this would be a Hierarchical model where IANA has a top-level certificate for the trust and then it signs each regional NIC's certificate, and they sign ASes, which sign their subnets; then IANA could ask various NICs to revoke the Certificates of ASes that do dodgy things (like advertise subnets that aren't theirs). Still, it would require a lot more overhead in terms of processing and memory than BGP currently requires.

    I should also mention, I haven't worked with BGP in around 7 years now.

    --
    A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
    1. Re:+1 Funny! :) by guruevi · · Score: 4, Insightful

      then IANA could ask various NICs to revoke the Certificates of AS's that do dodgy things

      Sounds like a great way to implement censorship or force traffic to follow certain (compromised) routes. Simply say: Wikipedia does something dodgy, they allow free speech and free information, let's revoke their cert (since IANA can be controlled by a government).

      The biggest 'problem' with all these 'old' protocols like DNS, SMTP, TCP/IP... is that they were built primarily (by the military) for allowing decentralized communication protecting against massive failures (due to atomic bombs) and secondary (as soon as the academics jumped on) to allow free communications, free speech and research (science) to flourish through open, decentralized, ungoverned communications (the message will get there one way or another) and censorship would be treated as damage and routed around.

      The 'problem' is that free speech also includes spam and other 'nasty' things to go through. To protect against that you need to start censoring the communications channels. As soon as you do that you destroy the original purpose of the Internet for what? Terrorists? Children? Hackers? Not really, the only people that would be able to successfully pull that off (rerouting major traffic through their own DNS or BGP-routers) against a clean subnet would have to be large enough to influence your life or make you do what they want without being deceptive which are currently, the ones that own the lines (but they won't do it because they would instantly lose their business) on the other hand they would like to clean house so they can oversell even more without adding capacity and governments (which have proved do anything to remain in control no matter the legality).

      Don't give up your free speech and the open nature of the Internet just because you are inconvenienced. If you are really inconvenienced by spam, just let the machine learn to ignore it. My mail server is set up to do so and there are wonderful tools that help you with that.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:+1 Funny! :) by Klootzak · · Score: 4, Insightful

      Sounds like a great way to implement censorship or force traffic to follow certain (compromised) routes. Simply say: Wikipedia does something dodgy, they allow free speech and free information, let's revoke their cert (since IANA can be controlled by a government).

      Preaching to the converted here my friend...

      I immediately thought of this topic when I was reading the BGP article and thinking about the implications of a hierarchical structure (incidentally, they can pretty much "disconnect" direct connections between each other NOW if they want to... but of course we can route around it, if required - adding encryption/PKI doesn't make all that much of a difference if people don't enforce it).

      See, Governments are still duking it out (Diplomatically and Militarily) while their populations talk to each other on the net - the wonderful thing about this is I can talk to you, not knowing if you're White, Black, Green, Yellow, Blue, Purple, Male, Female, American, French, Canadian, Belgian or Martian... if you call me an idiot, I can't say "You called me an idiot because I'm (insert racial/gender type here)", well, I CAN, but you can reply... "I didn't know that, but I still just think you're an idiot!".

      The concept of a Worldwide Global Communications network with almost ubiquitous availability is something we really haven't had for a long time, it's going to take the Governments of the world a bit of time to get their heads around it... Personally I think the Politicians/Diplomats of the world should read The Truth by Terry Pratchett (if they haven't already), as it has a lot of similar concepts regarding local, social, and geo-political issues in it, just with a different "new" Technology.

      --
      A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
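Morty's question above (how do you know $someco may announce $otherco's space, when $someco might be a legitimate transit?) and Klootzak's sketch of a root-to-AS hierarchy, as an added example that is not code from the thread or any registry. It models the delegation chain as resource containment and judges only the originating AS, so a transit relaying $otherco's own announcement passes while $someco originating that space itself does not; registry names, prefixes and AS numbers are constructed, and the signing of each object is omitted.

```python
"""Origin validation over a delegated address hierarchy (constructed example;
not code from the thread or any registry). It models the chain Klootzak
sketches (root -> regional registry -> address holder -> authorization) and
answers Morty's question: is the AS *originating* a route entitled to it,
whoever relays it? Signing of the objects is omitted; the containment check
below is the rule those signatures would protect, in RFC 6483 terms."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    issuer: str             # who granted the resources (root is "IANA")
    holder: str             # who controls them now
    prefixes: tuple         # networks the holder controls


@dataclass(frozen=True)
class ROA:                  # Route Origin Authorization
    holder: str             # must hold the prefix through a delegation chain
    prefix: ipaddress.IPv4Network
    max_length: int         # most-specific length the origin may announce
    origin_as: int


def chain_is_valid(holder, prefix, delegations, root="IANA"):
    """Walk holder -> issuer -> ... -> root; each hop must contain prefix."""
    by_holder = {d.holder: d for d in delegations}
    who = holder
    for _ in range(len(by_holder) + 1):     # bounded: a cycle never reaches root
        if who == root:
            return True
        d = by_holder.get(who)
        if d is None or not any(prefix.subnet_of(p) for p in d.prefixes):
            return False    # unknown issuer, or resources not contained
        who = d.issuer
    return False


def validate_origin(prefix, as_path, roas, delegations):
    """Return "valid", "invalid" or "not_found" for one announcement.
    Only the origin (last AS in the path) is judged; the neighbour that
    relayed it is irrelevant, which is why a legitimate transit passes."""
    prefix = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = [r for r in roas if prefix.subnet_of(r.prefix)
                and chain_is_valid(r.holder, r.prefix, delegations)]
    if not covering:
        return "not_found"  # nobody has said anything about this space
    for r in covering:
        if r.origin_as == origin and prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"        # covered, but wrong origin or too specific


# Constructed data: IANA -> "RIR-X" -> "otherco" (Morty's $otherco), which
# authorises AS64500 to originate its /25 and /26s but nothing smaller.
NET = ipaddress.ip_network
DELEGATIONS = (Delegation("IANA", "RIR-X", (NET("203.0.113.0/24"),)),
               Delegation("RIR-X", "otherco", (NET("203.0.113.0/25"),)))
ROAS = (ROA("otherco", NET("203.0.113.0/25"), 26, 64500),)
```

With this data, path [64496, 64500] for 203.0.113.0/25 is valid (AS64496 is merely transit), path [64496] for the same prefix is invalid (the hijack Klootzak described), and a /27 from AS64500 is invalid because it exceeds the authorised maximum length.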
  6. Re:DNSSEC by Morty · · Score: 4, Informative

    They're not claiming that they invented it, they're just trying to help it along. While DNSSEC has been around a while, the overwhelming majority of zones, including the root zone and .com, are not signed yet. It may look like the US government is late to the party, but they're actually ahead of most of the US commercial sector on this one.

    So how does this "bolster" DNSSEC? Answer: the government is hoping that a large-scale implementation by a major buyer will push vendors to properly support DNSSEC. Many vendors don't support DNSSEC at all, or only support part of it; Microsoft, for example, only has minimal DNSSEC support. How do you think vendors will respond when .gov customers start telling them "we can't buy your product because it doesn't support DNSSEC. We'll have to go with one of your competitors."

    RTFA.

  7. Re:Just imagine... by Detritus · · Score: 2, Insightful

    Oh and my favourite 9.7 billion freaking dollars for air traffic control. Honestly that could be done by computers for several million dollars.

    That might pay for a requirements analysis, but that's about it. A real system is going to be much more expensive.

    --
    Mea navis aericumbens anguillis abundat
  8. Made in China by binaryseraph · · Score: 2, Interesting

    So does that mean we are going to buy MORE fake routers from China with hardwired security issues?

  9. Re:Excellent by jd · · Score: 2, Informative

    Well, yes, it is about time. Especially as the actual protocols needed were defined a long time ago. (To give you a frame of reference, the DoD were releasing Open Source IPSEC implementations in 1997. Ok, that specific protocol wasn't finalized at that point, but that tells you when the Government was sufficiently capable of and expert at encrypting router communications that they'd admit to it.)

    That BGP, DNS and other mission-critical protocols aren't secure even twelve years later says a lot for the extreme lethargy at the level of critical infrastructure. Sure, they can't afford to dive straight in, but since when does the DoD release as Open Source their cutting-edge technology? If they were willing to let potential opponents (such as US citizens) have access, you can be certain they were already considering it old-hat.

    It follows that they had the means and capability to install highly reliable, strongly encrypted, strongly authenticated router-to-router and DNS-to-DNS communications within the Internet. Of course, by that time the NSF had sold all the US links to Sprint and assorted other scrap-metal merchants, which is presumably why they never bothered.

    It also tells me that the corporate sector is incapable of handling such infrastructure, that the "invisible hand" is too busy playing with itself to worry about such things as security and reliability, that those who believed businesses would be safer hands than universities have been shown to be utterly and completely incorrect.

    This is not to say the public sector is better. The UK's JANET is hardly a paragon of virtue. It turns out that they're all incompetent, but for different reasons. Businesses know better but want your money at no effort on their part, Governments know better but want your souls at no effort on their part.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  10. Woah, boy! by mcrbids · · Score: 2, Insightful

    Ease off that hair trigger a bit, eh?

    I think you missed something rather fundamental - in the case of PP "dodgy" behavior meant doing illogical things with routing paths, not publishing unpopular or dissenting content!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.