Slashdot Mirror


Why Is It Taking So Long To Secure Internet Routing?

CowboyRobot writes: We live in an imperfect world where routing-security incidents can still slip past deployed security defenses, and no single routing-security solution can prevent every attack. Research suggests, however, that the combination of RPKI (Resource Public Key Infrastructure) with prefix filtering could significantly improve routing security; both solutions are based on whitelisting techniques and can reduce the number of autonomous systems that are impacted by prefix hijacks, route leaks, and path-shortening attacks. "People have been aware of BGP’s security issues for almost two decades and have proposed a number of solutions, most of which apply simple and well-understood cryptography or whitelisting techniques. Yet, many of these solutions remain undeployed (or incompletely deployed) in the global Internet, and the vulnerabilities persist. Why is it taking so long to secure BGP?"
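The two whitelisting mechanisms the submission pairs, RPKI origin validation and per-customer prefix filtering, as an added Go example that is not part of the Slashdot story or the research it cites. The ROA, prefixes (RFC 5737 documentation space) and ASNs are constructed; the decision procedure follows RFC 6811 and the prefix list uses the usual "le" semantics.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA: the holder of Prefix authorises OriginAS to originate it and any more-specific up to MaxLength.
type ROA struct {
	Prefix    netip.Prefix
	MaxLength int
	OriginAS  uint32
}

// Announcement is what origin validation sees in an UPDATE: the prefix and the origin AS.
type Announcement struct {
	Prefix   netip.Prefix
	OriginAS uint32
}

// RFC 6811 validation states.
const (
	Valid    = "valid"
	Invalid  = "invalid"
	NotFound = "not-found"
)

// covers: the ROA prefix contains the announced prefix. MaxLength is deliberately not
// checked here: an over-long more-specific is covered but unmatched, hence Invalid.
func (r ROA) covers(p netip.Prefix) bool {
	return p.Bits() >= r.Prefix.Bits() && r.Prefix.Contains(p.Addr())
}

// OriginValidate applies the RFC 6811 decision procedure against a ROA set.
func OriginValidate(a Announcement, roas []ROA) string {
	covered := false
	for _, r := range roas {
		if !r.covers(a.Prefix) {
			continue
		}
		if a.Prefix.Bits() <= r.MaxLength && r.OriginAS == a.OriginAS {
			return Valid // a matching ROA exists
		}
		covered = true
	}
	if covered {
		return Invalid // covered by at least one ROA, matched by none
	}
	return NotFound
}

// PrefixEntry is one line of a per-neighbour prefix list: Prefix and its more-specifics up to Le bits.
type PrefixEntry struct {
	Prefix netip.Prefix
	Le     int
}

// Permits reports whether the customer's prefix list allows p.
func Permits(list []PrefixEntry, p netip.Prefix) bool {
	for _, e := range list {
		if p.Bits() >= e.Prefix.Bits() && p.Bits() <= e.Le && e.Prefix.Contains(p.Addr()) {
			return true
		}
	}
	return false
}

// Accept is the combined policy for a customer session: drop anything outside the customer's
// whitelist, drop RPKI-invalid, accept valid and not-found. The whitelist catches leaks that ROV alone passes.
func Accept(a Announcement, roas []ROA, list []PrefixEntry) (bool, string) {
	if !Permits(list, a.Prefix) {
		return false, "rejected: prefix not in customer prefix list"
	}
	switch OriginValidate(a, roas) {
	case Invalid:
		return false, "rejected: RPKI invalid"
	case Valid:
		return true, "accepted: RPKI valid"
	}
	return true, "accepted: RPKI not-found, permitted by prefix list"
}

func MustROA(p string, maxLen int, asn uint32) ROA { return ROA{netip.MustParsePrefix(p), maxLen, asn} }
func MustAnn(p string, asn uint32) Announcement  { return Announcement{netip.MustParsePrefix(p), asn} }
func MustEntry(p string, le int) PrefixEntry     { return PrefixEntry{netip.MustParsePrefix(p), le} }

func main() {
	// Constructed data: customer AS64500 holds 192.0.2.0/24 (RFC 5737 documentation space).
	roas := []ROA{MustROA("192.0.2.0/24", 24, 64500)}
	list := []PrefixEntry{MustEntry("192.0.2.0/24", 24)}
	for _, a := range []Announcement{
		MustAnn("192.0.2.0/24", 64500),    // legitimate
		MustAnn("192.0.2.0/25", 64500),    // more-specific beyond MaxLength
		MustAnn("192.0.2.0/24", 64501),    // wrong origin: a hijack
		MustAnn("198.51.100.0/24", 64500), // no ROA: not-found, but the prefix list rejects it
	} {
		ok, why := Accept(a, roas, list)
		fmt.Printf("%-16s AS%d rov=%-9s accept=%-5v %s\n", a.Prefix, a.OriginAS, OriginValidate(a, roas), ok, why)
	}
}
```

The last case is the point of combining the two: a leaked prefix with no ROA is merely not-found to RPKI, and only the per-customer prefix list rejects it.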

85 comments

  1. It's a production system by NFN_NLN · · Score: 5, Insightful

    The internet is in production. No one wants to touch anything that's already in production unless they literally can't make it any worse.
    Otherwise we would have IPv6 as well.

    1. Re:It's a production system by Anonymous Coward · · Score: 0

      So what you're implicitly saying is we need at least one more 'version' of the internet running concurrently that we all can use and break/upgrade as needed.

    2. Re:It's a production system by silas_moeckel · · Score: 4, Informative

      And if you look at IPv6, BGP filtering is a lot better.

      --
      No sir I dont like it.
    3. Re:It's a production system by binarylarry · · Score: 2

      CEO Voice: "So you're saying if we *upgrade*, we get new *features*. I like what I'm hearing."

      --
      Mod me down, my New Earth Global Warmingist friends!
    4. Re:It's a production system by jd2112 · · Score: 4, Insightful

      CEO Voice: "So you're saying if we *upgrade*, it will cost us money. I don't like what I'm hearing."

      FIFY.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    5. Re:It's a production system by Bengie · · Score: 1

      Yeah, thanks Verizon. They just had to suddenly publish their huge number of internal routes and crash the Internet.

    6. Re:It's a production system by Anonymous Coward · · Score: 2, Insightful

      BGP works just fine as is.
      Problem is, the operators are stupid and screw up their filters, configs, and management systems, and just fatfinger stuff.
      And they're still going to keep on doing that whether you drop elite PKI and whatever other sort of overhead you want on them.
      It's the operators, not the technology.

    7. Re:It's a production system by dnavid · · Score: 1

      The internet is in production. No one wants to touch anything that's already in production unless they literally can't make it any worse. Otherwise we would have IPv6 as well.

      Lots of people want to touch production systems. In the case of the internet and BGP, however, evolution has weeded out the people who like to touch production systems, and the only people with administrative rights are still getting over having to support 32-bit AS numbers and wondering where their pet dinosaur went.

    8. Re:It's a production system by Anonymous Coward · · Score: 0

      Fear works better. Just let him 'OK' that the internet traffic can be intercepted and manipulated (and state that 'common knowledge' could have fixed that).

    9. Re:It's a production system by gweihir · · Score: 1

      Indeed. Also, a medium-sized ISP head of network engineering once told me "most non-peering traffic is default route anyways". BGP seems to be used mostly internally and by some enterprising individuals. Might be the reason why we have seen only very few BGP based attacks. And they have a high risk of being detected immediately, while attackers that invest time (as opposed to automated attackers) want to be detected as late as possible and preferably never. I mean, even adding a single hop with a BGP attack will be blatantly obvious in ping-time monitoring (think smoke-ping), and even the most stupid network operators are hopefully doing that as it is also the easiest way to detect failing or overloaded equipment.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:It's a production system by petermgreen · · Score: 2

      Also, a medium-sized ISP head of network engineering once told me "most non-peering traffic is default route anyways".

      Your "medium sized ISP" is a cheapskate. Either they have only one upstream or they have multiple upstreams but aren't really taking advantage of the resilience it gives them.

      BGP seems to be used mostly internally and by some enterprising individuals.

      BGP is how all the major internet providers exchange routes with their customers, upstreams and peers.

      A cheapskate ISP may choose to ignore the BGP information from their upstream(s) and use default routes instead. This means they can use cheaper routers but it means if they have more than one upstream they can't determine which upstream will provide the better route or indeed a route at all to the destination.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  2. NSA by Anonymous Coward · · Score: 0

    How can government and LEO's surveil us if everything is locked down?

    1. Re:NSA by Anonymous Coward · · Score: 1

      How can government and LEO's surveil us if everything is locked down?

      Yes

  3. trust by dremspider · · Score: 5, Insightful

    Most of these solutions require some sort of central authority to manage the security of all the routes. Sounds great until you realize that there is no one that all the users of the Internet can trust. I am not even sure that users can trust their own governments to manage this without exploiting users for the sake of surveillance let alone other countries trust one another. If you can't trust one another the best thing to do is remain insecure but watch each other like hawks for any foul play.

    1. Re:trust by wisnoskij · · Score: 1

      "So from now on I guess the operational phrase is 'Trust no-one.'" "No. Trust Ivanova, trust yourself, anybody else: shoot them."

      --
      Troll is not a replacement for I disagree.
    2. Re:trust by peragrin · · Score: 1

      Have you ever surfed the Net Bro?

      You should be doing the Trust Ivanova, Trust yourself and shoot everyone else to begin with.

      If you trust the net your data will be copied. whether you want it to be or not.

      --
      i thought once I was found, but it was only a dream.
    3. Re:trust by BradMajors · · Score: 1, Interesting

      An untrusted central authority is better than no security.

    4. Re:trust by Anonymous Coward · · Score: 3, Insightful

      I agree and would add that most of the "security" practices so far have actually made the Internet much less robust. Egress filtering to block spoofing has made routing an ISP-only privilege, and a legal risk to everyone else. Port blocking and ISPs' "for your protection" firewalls have made the network useless for telephony, to name only one application. QoS and buffering have increased latency.

      Long story short, it's better to have a fluid network with distributed authority than a centralized and fragile one, unfortunately the mere language of "security" is mistakenly encouraging the development of more and more fragile networks. The reality is that there is no "best practice" that can shift the responsibility of a "user" to the ISP, or remove the vigilance needed to run a collective open-door service like the Internet.

      We have been keeping routing in a box in the name of security. We should be exploring P2P designs, but the legal climate discourages them (preventing copyright infringement or anonymity has become a "security" objective) and this pushing of "security" down the stack is actually the crux of the problem. There would be no core routing issues if the core were not centralized and fragile, and every user were a full peer, but the Internet has been choked to the point that no one can run the kind of P2P routing software that would obviate the vulnerabilities of the core. As long as we insist on fighting "pirates" and thought crimes, and breaking the end-to-end principle, we can't expect a robust network.

    5. Re:trust by cheater512 · · Score: 1

      Erm where the hell do you think the IPs come from? Yep the central internet registries. APNIC, RIPE, AfriNIC, LACNIC and ARIN.

      There are your trusted central authorities. If you don't trust them then hand your IPs over.

    6. Re:trust by WaffleMonster · · Score: 3, Insightful

      An untrusted central authority is better than no security.

      Peers have to trust each other to act rationally. Filtering and sanity checking of crap from your downstreams and maintenance of physical links with rational actors whom you trust to act professionally is worth more than central authorities.

    7. Re:trust by Anonymous Coward · · Score: 0

      "So from now on I guess the operational phrase is 'Trust no-one.'" "No. Trust Ivanova, trust yourself, anybody else: shoot them."

      And see where that got us in season 5. Grrr!

    8. Re:trust by Gr8Apes · · Score: 1

      I only have to trust them to hand out the IP once. That's all, certainly not with any other details.

      --
      The cesspool just got a check and balance.
    9. Re:trust by cheater512 · · Score: 1

      The only issue here is people saying they control IPs that they don't own.

      If everyone trusts these organisations to give out IPs then tying BGP filtering to that is a logical extension.

  4. Edge routers are expensive by alen · · Score: 1

    which means they are bought and used for many years if not a decade or longer
    your $50 or whatever you pay your ISP a month is not enough to afford new equipment every year

    1. Re:Edge routers are expensive by Anonymous Coward · · Score: 0

      You are so wrong I am not sure where to start. Securing routes has nothing to do with the age of equipment and everything to do with configuration, no theoretical PKI-by-another-name needed. Edge of networks, as the old nomenclature goes, should never be routers. There is no reason for it. All the edge does is provide access. Every sane person uses switches for that. Finally, networking equipment can be damn cheap if you know what you are doing. A couple switches and a few router ports can provide 100Mb access (100Mb in ISP terms anyway) to nearly 100 people for less than $400 in equipment costs. I'd imagine there is some money left over in that $4,600 collected in just the first month alone to handle labor and electric.

    2. Re:Edge routers are expensive by jd2112 · · Score: 0

      which means they are bought and used for many years if not a decade or longer your $50 or whatever you pay your ISP a month is not enough to afford new equipment every year

      It would be, but bribing a bunch of congressmen and FCC officials takes a big chunk out of the budget.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    3. Re:Edge routers are expensive by Anonymous Coward · · Score: 1

      You try running anything other than a few BGP routes on a switch and see how that goes for you. Most of those cheap switches you mention by the way, do not support BGP by default, you either need a license or a more advanced version of code which you may or may not get on them.

    4. Re:Edge routers are expensive by Bengie · · Score: 3, Interesting

      You're just talking about BGP, which is done in software. A quick update will allow nearly all hardware that uses BGP to support the new protocol, assuming the code is small enough to fit in the firmware.

      And what do you mean by edge routers? You mean the last mile or for peering? My ISP pays Level 3 to handle peering. If you're talking about last mile, then your ISP should have invested into fiber, which is easily and cheaply upgraded. At $100/port for a 500-1gb port chassis that can support 3tb/s, it's not that expensive. How long does it take to pay off $100? Actually, network equipment represents about 40% of an ISP's costs, the bulk of the cost is in customer support. Phone centers are expensive with an average cost of $1/minute that a customer is connected. A single truck roll can cost an ISP much much more.

    5. Re:Edge routers are expensive by dgatwood · · Score: 1

      I keep thinking that if an ISP really wanted to cut costs, they could proactively monitor their network for problems:

      • Provide the CPE preconfigured, at no additional cost to the customer. (Build the hardware cost into the price of service.)
      • Ensure that the CPE keeps a persistent capacitor-backed log across reboots. If the reboot was caused by anything other than the customer yanking the cord out of the wall or a power outage, send that failure info upstream. Upon multiple failures in less than a few weeks, assume that the customer's CPE is failing, and call the customer with a robocall to tell them that you're mailing them new CPE to improve the quality of their service.
      • Detect frequent disconnects and reconnects, monitor the line for high error rates, etc. and when you see this happening, treat it the same way you treat a CPE failure.
      • If the new hardware behaves the same way, silently schedule a truck roll to fix the lines.

      If done correctly (and if clearly advertised by the ISP so that users would know that they didn't need to call to report any outages), it would eliminate the need for all customer service except for billing, and a decent online billing system could significantly reduce the need for that as well.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    6. Re:Edge routers are expensive by Anonymous Coward · · Score: 0

      I think "edge" means the edge between ISPs - hence big fat expensive routers with multiple 10G (or better) interfaces that handle 1/2m routes in hardware.

      We're not talking access switches with default + couple hundred /32 - /24 routes for customers.

      *You* are so wrong *you're* not sure where to start.

    7. Re:Edge routers are expensive by Anonymous Coward · · Score: 0

      No. I don't want yet another piece of "middle-man gear" in my datacenter.

      Your CPE still ends up being connected to my internet edge routers along with the other provider(s) CPE and there is still inbound and outbound route filtering and BGP session parameters configured on a router whether that router is a piece of CPE in my datacenter, or on the other end of the fiber or copper handoff you provide me. I'd rather get my handoff, make a ticket detailing my requirements and requests-full tables if I want, here's my ASN and the IP block(s) I want advertised, and leave it at that.

    8. Re:Edge routers are expensive by dgatwood · · Score: 1

      First, I'm not talking about adding any additional gear. There's no reason that what I'm talking about can't be handled entirely in the DSLAM or head end or whatever and in the existing CPE hardware that talks to it.

      Second, I wasn't really talking about changing the CPE for business customers with fiber connections anyway. They're not (usually) the ones who are constantly on the phone with tech support saying "The Internet is down" when really, they just accidentally unplugged something. I'm talking about providing smarter, preconfigured cable modems and DSL modems for home use.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. It's a production system by Anonymous Coward · · Score: 1

    Exactly. The point of the Internet is to interconnect. If you introduce a new, incompatible protocol (more secure though it may be) and refuse to accept updates via the old one, you risk depeering on a massive scale. Remember when the global routing table tipped the scales? And how people freaked out because they couldn't watch their favorite cat video - or conduct meaningful e-commerce? Yeah, expect that type of reaction x 1 million while every major ISP figures out how to rebuild the Internet from scratch.

  6. Because of capitalism. by Anonymous Coward · · Score: 0, Insightful

    The Internet was invented with socialist incentive, like all useful things are /invented/ (but not implemented).

    Capitalism has done very little to improve the theory underpinning the Internet. It merely provides the grunt work to lay the cables and glue the blinkenlight boxes together, and optimises here and there.

    All successful nations balance between socialist (which provides ideas) and capitalist (which implements those ideas) incentive. The US tipped the balance through the '80s, and is now cruising on empty.

    1. Re:Because of capitalism. by NemoinSpace · · Score: 1

      Could someone please explain the parent comment to me in a way that does not involve marijuana?

    2. Re:Because of capitalism. by epyT-R · · Score: 1

      The network was originally developed and used by the dept of defense to connect military bases in case of nuclear war. It later spread to academic as well as corporate presences.

      I don't think you understand capitalism or socialism. Capitalism is an economic system based on the generation, purchase, sale, and ownership of property amongst private parties. Socialism is a government model that imposes itself on individual rights and choices for the sake of what the leadership thinks is the common good. They're not a zero sum game. In fact, what we're seeing in the US now is how one can actually boost the other into whole new realms of abuse across the board. Thanks to this interaction, we have a government culture that doesn't give a shit about the rights of the citizens it's supposed to represent, and we have an economy that increasingly does not cater to the consumer. Each washes the other's back.

      This is why net neutrality is damned if you do, damned if you don't. Either you have the ISPs play favorites with connectivity, or you have the state mandating standards which will eventually move towards censorship of data that negatively affects the interests of the single issue lobbyists (corporate and social) making up its collective yet fragmented view of the world. Ideally, I'd want the internet of 1990 with today's bandwidth and reliability, but if I had to choose, I'd rather deal with an overmetered network than one whose culture is dictated by corporates wanting to corner markets with legislation, and politically correct, thin skinned, pompous asses, pushing 'social justice' in the form of soviet style censorship policies and methods.

    3. Re:Because of capitalism. by Anonymous Coward · · Score: 0

      "I am a religious child. Capitalism is right. Socialism is wrong."

    4. Re:Because of capitalism. by epyT-R · · Score: 1

      Strawman.

    5. Re:Because of capitalism. by Anonymous Coward · · Score: 0

      The network was originally developed and used by the dept of defense to connect military bases in case of nuclear war. It later spread to academic as well as corporate presences.

      I don't think you understand capitalism or socialism. Capitalism is an economic system based on the generation, purchase, sale, and ownership of property amongst private parties. Socialism is a government model that imposes itself on individual rights and choices for the sake of what the leadership thinks is the common good. They're not a zero sum game. In fact, what we're seeing in the US now is how one can actually boost the other into whole new realms of abuse across the board. Thanks to this interaction, we have a government culture that doesn't give a shit about the rights of the citizens it's supposed to represent, and we have an economy that increasingly does not cater to the consumer. Each washes the other's back.

      This is why net neutrality is damned if you do, damned if you don't. Either you have the ISPs play favorites with connectivity, or you have the state mandating standards which will eventually move towards censorship of data that negatively affects the interests of the single issue lobbyists (corporate and social) making up its collective yet fragmented view of the world. Ideally, I'd want the internet of 1990 with today's bandwidth and reliability, but if I had to choose, I'd rather deal with an overmetered network than one whose culture is dictated by corporates wanting to corner markets with legislation, and politically correct, thin skinned, pompous asses, pushing 'social justice' in the form of soviet style censorship policies and methods.

      Did someone forget their medication today?

    6. Re:Because of capitalism. by Anonymous Coward · · Score: 0

      It's no strawman to point out that you've just parroted tired, emotive, vacuous Good v. Evil soundbites like a keen acolyte skipping home from Mass, then used those sound-bites to justify your argument. You are as laughable as any fundamentalist, but don't even get the pleasure of thinking you're going to sit on a cloud for eternity as reward for your mindless preaching.

    7. Re:Because of capitalism. by LordLimecat · · Score: 1

      When you say "cruising on empty", how do you explain the huge number of top-tier tech companies that are US based? Intel, Apple, Microsoft, Red Hat, Google, nVidia, AMD, Qualcomm...

      Dunno, I kind of think capitalism does quite fine at providing ideas. Let me know when everyone else catches up to Intel's current process tech, till then maybe we shouldn't write off capitalism as "cruising on empty".

    8. Re:Because of capitalism. by sjames · · Score: 1

      The problem is, we're tipped over into corporatism where the net is controlled by a very few very large legal fictions that the courts insist are somehow people.

      You worry about the bad old government censoring the net but forget to worry about the ISPs censoring the net.

      I can't imagine why you think the overmetered network protects us from the market cornering legislation and the pompous asses. Without proper net neutrality, we get all of the above and nowhere to turn.

    9. Re:Because of capitalism. by Anonymous Coward · · Score: 0

      Please find the Hipster to English translation below:

      While hanging out in our dorm room*, me and my douchy hipster friends have come to the groundbreaking realizations that money is the root of all evil and the US is the worst country in the world.

      Please keep this handy, as it is actually the Hipster to English translation for anything said by a hipster.

      *per your request, I left out the part where they were smoking weed.

    10. Re: Because of capitalism. by Anonymous Coward · · Score: 0

      funny how most of those top tier companies are opening offices overseas. we are pushing the creators away.

    11. Re: Because of capitalism. by LordLimecat · · Score: 1

      They open offices overseas because they're global companies, not because the US sucks. If the US sucked they wouldn't be headquartered here.

  7. NSA Tampering by Anonymous Coward · · Score: 0

    Do you know how long it takes for the NSA to backdoor all those routers?

    1. Re:NSA Tampering by epyT-R · · Score: 3, Informative

      They don't have to. They have CALEA ports.

    2. Re:NSA Tampering by Shatrat · · Score: 2

      Only in the USA. In other parts of the world the NSA collaborates with like-minded agencies from allies like the UK and Germany, and in parts of the world that are unfriendly they do rely heavily on backdoors.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  8. Microsoft by Anonymous Coward · · Score: 0

    because Microsoft hasn't endorsed any of the solutions yet.

    hardee har har, you say? We're talking about Internet backbone routers, not the desktop, and so Microsoft is irrelevant, you say?
    But, seriously, nobody seemed to care about IPv6 for centuries, and then suddenly Vista and 7 start supporting IPv6, and now Comcast and Faceb00c have become reachable via IPv6, and sections related to IPv6 get added to CompTIA exams and CCNA. Even Hurricane Electric/TunnelBroker.net's certification now contains content related to IPv6.

  9. Overhead by Anonymous Coward · · Score: 0

    Another consideration is that cryptography is expensive in CPU. Lots of old gear out there that wouldn't like it much.

  10. Cost by KMGeneral · · Score: 2

    When it comes down to it, the main reason is cost. Telcos (or any big business) HATE spending money, and if they feel they can get away without doing so they will.

    --
    Ours is not to reason why, just to do as we are told...
  11. Well Let's See by Greyfox · · Score: 2

    How much financial penalty is there for having insecure routes (or routers?) Hmm... None, basically. Ok. How much is this upgrade going to cost? Wow...that much? Well, there's your problem!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Well Let's See by Bengie · · Score: 2

      Depends on your customers. If you're a transit provider and your customer has an SLA that states 100% uptime and 1ms jitter and your insecure routing causes the route to become longer and the jitter goes above 1ms, suddenly you're paying your customer for not meeting the SLA.

    2. Re:Well Let's See by Anonymous Coward · · Score: 0

      but that does not happen, so no penalty

    3. Re:Well Let's See by petermgreen · · Score: 1

      Afaict ISP SLAs only cover the quality of the route to the ISPs border, what happens to the traffic beyond that is not (and can't really be) specified.

      If you want "100% uptime and 1ms jitter" to a specific place then you buy a direct connection to that specific place you don't use the internet. If you want "100% uptime and 1ms jitter" to the whole internet that is not going to happen.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  12. Attacker is your Peer by statemachine · · Score: 4, Insightful

    Except "Attacker" in this case is the administrator at the peer, and the peers are entire companies, multinationals, and governments. We're not talking about your average basement-dweller script kiddie.

    If your peers are messing with you, or their peers are messing with them, how do you defend against an attack where the whole system is based on trust?

    You could go to a no-trust solution, but then that would need a central authority that would need to pre-calculate all the routes from every single AS. If a route breaks, that'll be slow to adjust to a backup route. If a new route needs to be added, the ISP would need to apply to a central authority with bureaucracy and red tape.

    If a route needed to be blackholed because of a DDOS, and that action had to be approved of by a central authority, which could take days to weeks for a ruling, nothing could be done because routers would not accept changes to any route until then.

    Essentially, the answer to security is to effectively lock out the AS ISPs from their own routers.

    You either trust the AS administrators or you don't. And since they're humans, they'll make mistakes, be malicious, or be affected by politics. This won't be solved by (trusting) a central bureaucracy similar to the UN, at least not in a manner you'll prefer.

    1. Re:Attacker is your Peer by DarkOx · · Score: 1

      The thing is AS admins have been lazy. Broadly speaking I agree with what you have to say and I agree a central authority would very likely cause more problems than it solves. AS admins do need to take a middle ground though, and implement some route filters. For instance if you have a route that sits on transpacific cable in California you should probably be filtering routes with at least a few broad rules like: !ARIN

      A little direction for a central authority like IANA that laid down some rules like filter routes along political and regional boundaries could go a long way to prevent things from happening like half the US getting routed via China, etc; while doing little harm to the resiliency of the network (so long as rules remain simple and few). Will it stop things like that bitcoin theft a few weeks back, nope, but it will keep them in country where there will be a consistent legal framework in place to handle shenanigans.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Attacker is your Peer by sjames · · Score: 1

      Or, you go with signed routes. That is, you use a public key system to prove that you have the right to broadcast a route for a particular subnet.

      In practice, it will probably mean some router upgrades. No more router CPUs that were considered a bit underpowered for a calculator in the '90s. However, as an interim measure, it could be used to set some BGP filters to limit the potential damage.

    3. Re:Attacker is your Peer by TubeSteak · · Score: 1

      If a route needed to be blackholed because of a DDOS, and that action had to be approved of by a central authority, which could take days to weeks for a ruling, nothing could be done because routers would not accept changes to any route until then.

      Why would you need permission to blackhole a route?
      The problem is adding good routes, not dropping bad ones.

      --
      [Fuck Beta]
      o0t!
    4. Re:Attacker is your Peer by petermgreen · · Score: 1

      You could have a system of signed routes. When you pass a route to an upstream you would add a signed statement to that affect to the route. When receiving a route from a customer or peer you would check for a valid chain of signatures leading from the owner of the IP block to the entity sending you the route.

      Obviously you'd still have to trust your upstreams but you can't really avoid that. You'd also have to have some kind of central database that recorded the owners of IP blocks and the corresponding public keys.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
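The signed-route scheme sketched in the comment above (a central database of prefix holders and AS public keys, and a chain of per-hop signatures that a receiver walks back to the holder), as an added Go example that is neither the commenter's code nor any deployed protocol. The message layout, the chaining of each hop over the previous signature, the ASNs (documentation range) and the 192.0.2.0/24 prefix are all assumptions constructed for the example; Ed25519 from the standard library stands in for whatever signature algorithm a real deployment would pick.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

type ASN uint32

// Hop: Signer attests that it passed the prefix on to Next; Sig also covers the hops before it.
type Hop struct {
	Signer, Next ASN
	Sig          []byte
}

type SignedRoute struct {
	Prefix string
	Hops   []Hop
}

// Registry is the assumed central database: the AS holding each prefix, and each AS's public key.
type Registry struct {
	Owner map[string]ASN
	Keys  map[ASN]ed25519.PublicKey
}

// hopMessage binds prefix, signer, next hop and the previous hop's signature, so a hop
// cannot be dropped, inserted or reordered without invalidating every hop after it.
func hopMessage(prefix string, signer, next ASN, prev []byte) []byte {
	var asns [8]byte
	binary.BigEndian.PutUint32(asns[:4], uint32(signer))
	binary.BigEndian.PutUint32(asns[4:], uint32(next))
	return append(append([]byte(prefix), asns[:]...), prev...)
}

// Forward is what an AS does when it passes a route to a neighbour: append a hop signed
// with its own key. An originator calls it on a route that has no hops yet.
func Forward(r SignedRoute, signer ASN, priv ed25519.PrivateKey, next ASN) SignedRoute {
	var prev []byte
	if n := len(r.Hops); n > 0 {
		prev = r.Hops[n-1].Sig
	}
	sig := ed25519.Sign(priv, hopMessage(r.Prefix, signer, next, prev))
	hops := append(append([]Hop(nil), r.Hops...), Hop{signer, next, sig}) // copy, never alias the input
	return SignedRoute{Prefix: r.Prefix, Hops: hops}
}

// Verify checks, from the point of view of AS me, that the chain runs unbroken from the
// registered holder of the prefix to the neighbour that handed the route to me.
func (reg Registry) Verify(r SignedRoute, me ASN) error {
	owner, ok := reg.Owner[r.Prefix]
	if !ok || len(r.Hops) == 0 {
		return fmt.Errorf("%s: unregistered prefix or unsigned route", r.Prefix)
	}
	if first := r.Hops[0].Signer; first != owner {
		return fmt.Errorf("%s: originated by AS%d, registered holder is AS%d", r.Prefix, first, owner)
	}
	var prev []byte
	for i, h := range r.Hops {
		pub, ok := reg.Keys[h.Signer]
		if !ok || !ed25519.Verify(pub, hopMessage(r.Prefix, h.Signer, h.Next, prev), h.Sig) {
			return fmt.Errorf("hop %d: unknown key or bad signature from AS%d", i, h.Signer)
		}
		if i+1 < len(r.Hops) && r.Hops[i+1].Signer != h.Next {
			return fmt.Errorf("hop %d: AS%d handed the route to AS%d, but AS%d signed next", i, h.Signer, h.Next, r.Hops[i+1].Signer)
		}
		prev = h.Sig
	}
	if last := r.Hops[len(r.Hops)-1].Next; last != me {
		return fmt.Errorf("route was handed to AS%d, not to AS%d", last, me)
	}
	return nil
}

// Scenario builds a constructed topology and returns the verdicts for a legitimate route,
// a direct hijack, and a path-shortening attempt (the three cases the submission names).
func Scenario() (legit, hijack, shortened error) {
	const owner, transit, rogue, me ASN = 64500, 64501, 64502, 64503
	prefix := "192.0.2.0/24"
	reg := Registry{Owner: map[string]ASN{prefix: owner}, Keys: map[ASN]ed25519.PublicKey{}}
	priv := map[ASN]ed25519.PrivateKey{}
	for _, as := range []ASN{owner, transit, rogue, me} {
		pub, key, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		reg.Keys[as], priv[as] = pub, key
	}
	origin := SignedRoute{Prefix: prefix}
	// owner -> transit -> me, every hop signed by the AS that actually forwarded it.
	legit = reg.Verify(Forward(Forward(origin, owner, priv[owner], transit), transit, priv[transit], me), me)
	// rogue originates a prefix it does not hold.
	hijack = reg.Verify(Forward(origin, rogue, priv[rogue], me), me)
	// rogue received owner -> transit -> rogue and re-advertises it to me with the transit hop
	// cut out: the owner's signature still names transit as next, so the chain breaks.
	viaRogue := Forward(Forward(origin, owner, priv[owner], transit), transit, priv[transit], rogue)
	shortened = reg.Verify(Forward(SignedRoute{Prefix: prefix, Hops: viaRogue.Hops[:1]}, rogue, priv[rogue], me), me)
	return legit, hijack, shortened
}

func main() {
	legit, hijack, shortened := Scenario()
	fmt.Println("legitimate:", legit, "\nhijack:", hijack, "\nshortened:", shortened)
}
```

As the comment says, the receiver still has to trust its direct neighbour and the registry; what the chain removes is the ability of anyone further along the path to originate, shorten or re-route a prefix without the holder's key.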
    5. Re:Attacker is your Peer by Anonymous Coward · · Score: 0

      I wish I had mod points. I don't know whether to mod you insightful or funny though. It depends on whether or not you're being ironic in proposing basically the same solution that the RPKI is part of. In any case, yeah, that would be a decent way to do it (IMOA).

  13. so what's ARPA doing in my computer? by Anonymous Coward · · Score: 0

    9/16/14 6:27:39.254 PM mDNSResponder[58]: mDNS_Register_internal: ERROR!! Tried to register AuthRecord 00007FD844006FF0 30.3.168.192.in-addr.arpa. (PTR) that's already in the list

    1. Re:so what's ARPA doing in my computer? by arcade · · Score: 1

      If that was a serious question, and not trolling:

      The in-addr.arpa DNS zone is used for reverse DNS.

      Basically, you forward-map hostnames to IP addresses. At the same time, you can reverse-map IP-addresses to hostnames.

      The forward mapping is done via 'A' records.
      The reverse mapping is done via 'PTR' records, and it's done in the in-addr.arpa hierarchy.

      --
      "Rune Kristian Viken" - http://www.nwo.no - arca
  14. How Many Nails Does it take to seal a coffin? by kinohead · · Score: 1

    Nine.

    --
    "Moogs! Would YOU buy that for a quarter?" CMK
    1. Re:How Many Nails Does it take to seal a coffin? by Anonymous Coward · · Score: 0

      Yes, but are those 9 inch nails?

  15. Because? by Anonymous Coward · · Score: 0

    Because the sheeple can't can't ass-fucked daily if we truly fixed this?

  16. Not a Problem, submitter doesn't understand by BitZtream · · Score: 5, Insightful

    It's not actually a problem, that's why. The submitter doesn't actually understand what he's suggesting and why the current method of dealing with this issue works fine.

    You know who is doing the damage and 'attacking' you, they are easy to identify, and you just stop talking to them. They're only going to connect to a relatively small number of people so disconnecting bad players is trivial, then you never talk to them again. They bear the cost of having all the money invested in setting up the original connections they used to 'attack' with being lost. And let's be clear, BGP attacks aren't done via virtual connections, they're done across physical connections so you know EXACTLY who is doing them and which cable to unplug to solve the problem.

    Do you upgrade every router running BGP, or just turn off the 2 connections to the bad guy? It's just not worth the effort to 'fix the problem' with a technical solution when good old-fashioned common sense tactics work just as well and for far less cost (read: effort for everyone involved). Even if it were a major backbone provider, the number of connections to cut is still trivial compared to even upgrading all the routers that the single largest backbone providers connect to.

    This is a stupid question to ask and just illustrates not understanding the actual problem. The costs of 'fixing' the problem technically FAR outweigh the benefits of doing so (not having to manually disconnect troublesome players).

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:Not a Problem, submitter doesn't understand by Anonymous Coward · · Score: 0

      Hmmm... I thought common sense was banned early 2000

    2. Re:Not a Problem, submitter doesn't understand by LordLimecat · · Score: 1

      What's really bothersome is that so many of the comments hop on the "NSA, that's why" or "corporate greed" bandwagons despite having no functional knowledge of the issue.

      Thought people here were supposed to be rationally minded geeks; guess not.

    3. Re:Not a Problem, submitter doesn't understand by jbmartin6 · · Score: 1

      The costs of 'fixing' the problem technically FAR outweigh the benefits of doing so

      +1. We see this in so many cases where someone asks 'Why don't they fix this or that?'

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    4. Re:Not a Problem, submitter doesn't understand by Anonymous Coward · · Score: 0

      I get the feeling that you don't know what BGP is, how it works, or how the network is architected. It's either that, or deliberately spreading misinformation (and getting mod'd +5 insightful for having done so). I'm not even directly involved in networking and I know what you are saying is bullshit.

      "Just pull the cable to the bad guy and he's gone" -- no, you'd be pulling a regional connection. We have one physical line (for two virtual "redundant" connections). You are saying we can just pull our cable and it's gone? While true, it is rather self defeating.

      "You know who is doing the damage" is also not true. There was a huge attack a few years ago that, while trivial to observe and measure the influence of, and self-corrected after some hours, temporarily routed a large amount of internal Chinese traffic through the US. Okay, maybe in retrospect we *do* know what agency was behind that. But it sure wasn't apparent at the time. When someone comes out and admits fault -- which has happened -- then the responsible party is presumptively known. But that is simply not a given, nor has it been true in every case.

      From a security (availability or integrity) perspective BGP is broken (which is why we don't trust it and have some protections in place) and stating or pretending otherwise betrays either gross ignorance or a measure of malice.

      thoromyr (who isn't logged in and can't be bothered to)

    5. Re:Not a Problem, submitter doesn't understand by Anonymous Coward · · Score: 0

      This needs a +1, the GP is misinformed.

  17. BCP38 and RPKI need to be implemented today by Anonymous Coward · · Score: 0

    What is really required is a combination of BCP38 and RPKI. BCP38 is 14 years old and is fairly easy to implement. I did so for a major network about a decade ago. It simply means blocking packets from addresses that do not belong to your customers. Since a great many attacks including BGP spoofing involve inserting packets to spoof the routing system, simply doing this will prevent a huge part of the problem and no new technology or techniques are required. What is required are tools to maintain a record of the network prefixes allowed from each customer and maintain the prefix lists on each router.

    The ONLY excuse for the very limited implementation of this Best Current Practice is that it does cost money and the provider business is highly competitive. This puts pressure on them to avoid any added cost that can be either ignored or kicked down the road. As a result, the majority of the providers don't implement this practice that is so critical to securing the network.

    RPKI is routing specific, but is far more effective. The problems at the moment are limited implementation and, again, cost. It is probably quite a bit more expensive to implement, though post implementation is probably a bit less expensive. It also is a far bigger change in the operation of routing and, therefore, more frightening. Still, any network experiencing a routing attack will certainly wish that they had implemented RPKI and that it was implemented by all. But, unlike BCP38 which generally protects others, each provider implementing RPKI is protecting themselves.

    P.S. I am only an anonymous coward because some bug leaves me no longer logged in when I make comments via a new post. (Works OK for replies.) I am kevmeister, formerly a senior network engineer at ESnet.
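The tooling the comment says BCP38 actually needs, as an added example (not code from the thread or from ESnet): a record of which prefixes each customer interface may source packets from, the ingress decision made against that record, and router configuration generated from it rather than hand-edited. Interface names and prefixes are constructed; the rendered lines follow Cisco IOS extended ACL syntax as an illustration, since the comment names no platform.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// CustomerPrefixes is the record BCP38 filtering is driven from: for each
// customer-facing interface, the prefixes that customer may source packets
// from. Interface names and prefixes are constructed sample data.
var CustomerPrefixes = map[string][]string{
	"GigabitEthernet0/1": {"192.0.2.0/24", "2001:db8:1::/48"},
	"GigabitEthernet0/2": {"198.51.100.128/25"},
}

func parsePrefixes(raw []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(raw))
	for _, s := range raw {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, err
		}
		out = append(out, p.Masked()) // drop any host bits left in the record
	}
	return out, nil
}

// SourceAllowed is the ingress decision for a packet with source src arriving
// on iface: pass only if src lies inside one of that customer's prefixes.
// Unknown interfaces, bad records and unparsable sources all fail closed.
func SourceAllowed(iface, src string) bool {
	raw, ok := CustomerPrefixes[iface]
	if !ok {
		return false
	}
	addr, err := netip.ParseAddr(src)
	if err != nil {
		return false
	}
	prefixes, err := parsePrefixes(raw)
	if err != nil {
		return false
	}
	for _, p := range prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// wildcard turns an IPv4 prefix length into the inverse mask IOS ACLs use.
func wildcard(bits int) string {
	m := ^(uint32(0xffffffff) << (32 - uint(bits)))
	return fmt.Sprintf("%d.%d.%d.%d", m>>24, (m>>16)&255, (m>>8)&255, m&255)
}

// RenderACLs derives IOS-style ingress ACLs for one interface from the record.
// Each customer prefix is permitted; everything else is denied and logged, so
// spoofing attempts show up in the logs instead of leaving the network.
func RenderACLs(iface string) (string, error) {
	prefixes, err := parsePrefixes(CustomerPrefixes[iface])
	if err != nil {
		return "", err
	}
	tag := strings.NewReplacer("/", "-", " ", "").Replace(iface)
	v4 := []string{"ip access-list extended BCP38-" + tag}
	v6 := []string{"ipv6 access-list BCP38-" + tag}
	for _, p := range prefixes {
		if p.Addr().Is4() {
			v4 = append(v4, fmt.Sprintf(" permit ip %s %s any", p.Addr(), wildcard(p.Bits())))
		} else {
			v6 = append(v6, fmt.Sprintf(" permit ipv6 %s any", p))
		}
	}
	v4 = append(v4, " deny ip any any log")
	v6 = append(v6, " deny ipv6 any any log")
	return strings.Join(append(v4, v6...), "\n"), nil
}

func main() {
	// A packet from the customer's own block passes; one spoofing another
	// customer's address on the same interface is dropped.
	fmt.Println(SourceAllowed("GigabitEthernet0/1", "192.0.2.77"))
	fmt.Println(SourceAllowed("GigabitEthernet0/1", "198.51.100.200"))
	acl, _ := RenderACLs("GigabitEthernet0/1")
	fmt.Println(acl)
}
```

The point of generating the ACL from the record is the operational one the comment makes: the cost of BCP38 is not the filter itself but keeping the per-customer prefix data current on every edge router, which is only tractable when the config is derived from one source of truth.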

  18. We ran out of IPv4. #1 OS is Android by raymorris · · Score: 1

    > and then suddenly we completely ran out of IPv4 addresses, so everyone, even Microsoft, had no choice but to get moving on IPv6

    FTFY. Most computing devices sold in the last three years don't run Windows. Microsoft is now a minority player. Android is #1, iOS #2.

    So which companies have influence? Android is the most popular operating system, so its support of IPv6 is important. Most end points that need new addresses get those addresses assigned by one of the major mobile carriers, while older equipment is still using the same old IPs on Comcast and Time Warner. The equipment on the backbones is mostly Cisco gear, so it matters what Cisco supports the best, but they'll provide whatever Comcast and Level3 want to buy.

    1. Re:We ran out of IPv4. #1 OS is Android by cyber-vandal · · Score: 1

      In the consumer space yes. In the corporate world no-one's manipulating huge spreadsheets or writing 500 page legal documents on an iPad.

  19. White list? Really? by Tony+Isaac · · Score: 1, Redundant

    There are more than 600 million Web sites, according to NetCraft. Who is going to maintain a list like that? It's going to cost a lot of money...who is going to pay for it? Who is going to have the power to decide who gets in, and who doesn't? What about appeals, for those who feel they have been unjustly removed from the list? What about opposing points of view? Does the US get to decide which Chinese sites get to be on the list, or vice versa?

    1. Re:White list? Really? by Anonymous Coward · · Score: 0

      There already is a list like that. Autonomous Systems (ASs) are assigned network prefixes. I.e., there already is a list of ASNs to prefixes. The RPKI creates a PKI around that list based on the structure (i.e. organizations) that currently assigns those network prefixes. It's X509 applied to internet prefixes.
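What a router does with that ASN-to-prefix list once the PKI has vouched for it, as an added example (not code from the thread, and not any real relying-party software or router implementation): each validated entry is a ROA saying "this AS may originate this prefix, and more-specifics down to MaxLength", and a received announcement is classified Valid, Invalid or NotFound following RFC 6811 origin validation. The ROAs and announcements are constructed sample data; certificate-chain checking is assumed already done by whatever produced the list.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA is one entry of the list the reply describes: the registry, via the
// RIR-rooted PKI, attests that ASN may originate Prefix and any more-specific
// of it no longer than MaxLength. Constructed sample data below.
type ROA struct {
	Prefix    netip.Prefix
	MaxLength int
	ASN       uint32
}

// Outcome is the RFC 6811 origin-validation state for an announcement.
type Outcome int

const (
	NotFound Outcome = iota // no ROA covers the announced prefix
	Valid                   // a covering ROA matches origin AS and length
	Invalid                 // covering ROAs exist, but none matches
)

func (o Outcome) String() string { return [...]string{"NotFound", "Valid", "Invalid"}[o] }

// covers reports whether the ROA's prefix contains the announced prefix.
func covers(r ROA, announced netip.Prefix) bool {
	return r.Prefix.Bits() <= announced.Bits() && r.Prefix.Contains(announced.Addr())
}

// Validate classifies (announced, originAS). Note the asymmetry: one matching
// ROA makes the route Valid, every covering ROA must fail for it to be
// Invalid, and a route nobody has issued a ROA for is merely NotFound, which
// is why partial ROA coverage gives partial protection.
func Validate(roas []ROA, announced netip.Prefix, originAS uint32) Outcome {
	announced = announced.Masked()
	result := NotFound
	for _, r := range roas {
		if !covers(r, announced) {
			continue
		}
		result = Invalid
		if r.ASN == originAS && announced.Bits() <= r.MaxLength {
			return Valid
		}
	}
	return result
}

// MustROA builds a ROA, clamping MaxLength to at least the prefix length.
func MustROA(prefix string, maxLen int, asn uint32) ROA {
	p := netip.MustParsePrefix(prefix).Masked()
	if maxLen < p.Bits() {
		maxLen = p.Bits()
	}
	return ROA{Prefix: p, MaxLength: maxLen, ASN: asn}
}

// SampleROAs is the constructed validated list used below.
var SampleROAs = []ROA{
	MustROA("192.0.2.0/24", 24, 64496),
	MustROA("2001:db8::/32", 48, 64496),
	MustROA("203.0.113.0/24", 24, 0), // AS0 ROA: nobody may originate this block
}

func main() {
	cases := []struct {
		prefix string
		asn    uint32
	}{
		{"192.0.2.0/24", 64496},    // Valid
		{"192.0.2.0/24", 64499},    // Invalid: wrong origin, i.e. a hijack
		{"192.0.2.128/25", 64496},  // Invalid: more specific than MaxLength
		{"198.51.100.0/24", 64499}, // NotFound: no ROA for this block at all
		{"2001:db8:1::/48", 64496}, // Valid: within MaxLength of the /32 ROA
		{"203.0.113.0/24", 64496},  // Invalid: AS0 ROA covers it
	}
	for _, c := range cases {
		fmt.Printf("%-18s AS%-6d %s\n", c.prefix, c.asn, Validate(SampleROAs, netip.MustParsePrefix(c.prefix), c.asn))
	}
}
```

Two things this makes visible that the one-line "X509 applied to prefixes" hides: origin validation only checks the first AS in the path, so a hijacker who prepends the legitimate origin still gets Valid (that is what path validation is for), and an operator who issues a ROA with a loose MaxLength has authorised every more-specific up to that length, from any router claiming to be that AS.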

  20. "every attacks" by Anonymous Coward · · Score: 0

    Americans.

  21. Central Point of trust == Off Switch by Anonymous Coward · · Score: 0

    There's also the issue that when you attack the CPT (central points of trust), you effectively disable everything. It is easier to think of DNSSEC than RPKI in this case, but the same basic attack vector holds: break the root signatures, and everything starts to unravel. I.e., DoS.

    RPKI is no different. We actually have five natural central points of trust: the RIRs. And I suppose ASO could be the root if you want one instead of five.

    What really causes design issues on RPKI is the trust databases. And what really causes operational issues is the absolute lack of proper hardware and firmware support to naturally inject verification points on every eBGP link. Maybe if people start embedding powerful multi-core Xeons or Opterons in the routing engines, but currently you cannot trust anything but Cisco ASR and the larger x86 software-based routers to have control planes that are not wimp crap. Not even the otherwise marvelous Juniper MX5/10/40/80 series (which has a wimpy single-core or dual-core RE that is too slow to converge eBGP) would be able to deal with it.

  22. Why is it taking so long for flying cars? by DdJ · · Score: 1

    The headline made me do a double-take. It's like asking "why is it taking so long to develop an invisibility cloak?" or "why is it taking so long to develop flying cars?".

  23. nor misusing spreadsheets where databases are need by raymorris · · Score: 1

    > In the corporate world no-one's manipulating huge spreadsheets or writing 500 page legal documents on an iPad.

    I'm guessing that in your corporate world, nobody HAS huge spreadsheets because they're putting the huge stuff in the RDBMS where it belongs. iPads aren't the right tool for significant datasets, and neither is Excel. In my world, most people do not use the right tool for the job.

  24. APK is why it takes so long by Khyber · · Score: 1

    'Nuff said. Can't get shit done with his constant bullshit spouting.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:APK is why it takes so long by Anonymous Coward · · Score: 0

      Saw your post history. Apk totalled your bullshit with fact http://slashdot.org/comments.p...

  25. Why bother? by LostMyBeaver · · Score: 1

    I train massive numbers of people in BGP every year. The best would go for it. The average are just happy to peer and move on.

    IT completely lacks process. ITIL is a joke. People insist on wasting time doing the same thing over and over. The best networking companies I know with the absolute best people are rarely more professional than a bunch of script kiddies. The best of the best hack away on networking and routing like an orangutan playing with a toy piano. Modern IT is rarely better off than a bunch of idiots in comfort zones who make changes indiscriminately and send the invoice.

    There is no profit in fixing BGP. It works and most IT engineers operating peers don't care. There is nothing which says "the internet won't work if we don't do this." There's not even a clear line of how you would gain money by making such a change.

    The internet will never implement a feature simply because it's useful or right. We do it because of the money, because it's fun or because our peering won't function without it.