Why Is It Taking So Long To Secure Internet Routing?
CowboyRobot writes: We live in an imperfect world where routing-security incidents can still slip past deployed security defenses, and no single routing-security solution can prevent every attack. Research suggests, however, that the combination of RPKI (Resource Public Key Infrastructure) with prefix filtering could significantly improve routing security; both solutions are based on whitelisting techniques and can reduce the number of autonomous systems that are impacted by prefix hijacks, route leaks, and path-shortening attacks. "People have been aware of BGP's security issues for almost two decades and have proposed a number of solutions, most of which apply simple and well-understood cryptography or whitelisting techniques. Yet, many of these solutions remain undeployed (or incompletely deployed) in the global Internet, and the vulnerabilities persist. Why is it taking so long to secure BGP?"
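The two whitelisting techniques the summary names, RPKI route origin validation and per-peer prefix filtering, as an added example (not code from the article or from any router vendor): the ROAs, origin ASNs and the peer's prefix list below are constructed, using documentation prefixes and private-use ASNs, and the combined policy shows why the summary suggests running both.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example data: RFC 5737 documentation prefixes, RFC 6996 private ASNs.

@dataclass(frozen=True)
class ROA:
    prefix: str       # address block covered by the Route Origin Authorization
    max_length: int   # longest prefix length the origin may announce from it
    origin_asn: int   # AS authorized to originate it

def rov_state(announced_prefix, origin_asn, roas):
    """Route Origin Validation as in RFC 6811: Valid, Invalid or NotFound."""
    ann = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == ann.version and ann.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"          # no ROA says anything about this space
    for roa in covering:
        if roa.origin_asn == origin_asn and ann.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"               # covered, but wrong origin or too specific

def prefix_filter_permits(announced_prefix, allowed, max_len):
    """Classic per-peer prefix list: the peer may only send prefixes inside its
    registered blocks, and nothing more specific than max_len."""
    ann = ipaddress.ip_network(announced_prefix, strict=False)
    return ann.prefixlen <= max_len and any(
        ann.version == ipaddress.ip_network(a).version
        and ann.subnet_of(ipaddress.ip_network(a)) for a in allowed)

def accept_route(announced_prefix, origin_asn, roas, allowed, max_len=24):
    """Combined policy: drop RPKI-Invalid routes and anything outside the peer's
    prefix list. NotFound alone is not a reason to drop (most space has no ROA)."""
    if rov_state(announced_prefix, origin_asn, roas) == "Invalid":
        return False
    return prefix_filter_permits(announced_prefix, allowed, max_len)

ROAS = [ROA("192.0.2.0/24", 24, 64496), ROA("198.51.100.0/22", 24, 64497)]
PEER_ALLOWED = ["192.0.2.0/24", "198.51.100.0/22"]   # what this peer registered

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                     ("198.51.100.0/25", 64497), ("203.0.113.0/24", 64500)]:
        print(pfx, asn, rov_state(pfx, asn, ROAS),
              accept_route(pfx, asn, ROAS, PEER_ALLOWED))
```

The last announcement is NotFound under RPKI (no ROA covers it), so only the prefix filter rejects it; the /25 is rejected by both, as a more-specific beyond the ROA's maxLength and beyond the filter's length limit.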
The internet is in production. No one wants to touch anything that's already in production unless they literally can't make it any worse.
Otherwise we would have IPv6 as well.
Most of these solutions require some sort of central authority to manage the security of all the routes. Sounds great until you realize that there is no one that all the users of the Internet can trust. I am not even sure that users can trust their own governments to manage this without exploiting users for the sake of surveillance, let alone other countries trusting one another. If you can't trust one another, the best thing to do is remain insecure but watch each other like hawks for any foul play.
The Internet was invented with socialist incentive, like all useful things are /invented/ (but not implemented).
Capitalism has done very little to improve the theory underpinning the Internet. It merely provides the grunt work to lay the cables and glue the blinkenlight boxes together, and optimises here and there.
All successful nations balance between socialist (which provides ideas) and capitalist (which implements those ideas) incentive. The US tipped the balance through the '80s, and is now cruising on empty.
Except "Attacker" in this case is the administrator at the peer, and the peers are entire companies, multinationals, and governments. We're not talking about your average basement-dweller script kiddie.
If your peers are messing with you, or their peers are messing with them, how do you defend against an attack where the whole system is based on trust?
You could go to a no-trust solution, but then that would need a central authority that would need to pre-calculate all the routes from every single AS. If a route breaks, that'll be slow to adjust to a backup route. If a new route needs to be added, the ISP would need to apply to a central authority with bureaucracy and red tape.
If a route needed to be blackholed because of a DDoS, and that action had to be approved by a central authority, which could take days to weeks for a ruling, nothing could be done because routers would not accept changes to any route until then.
Essentially, the answer to security is to effectively lock out the AS ISPs from their own routers.
You either trust the AS administrators or you don't. And since they're humans, they'll make mistakes, be malicious, or be affected by politics. This won't be solved by (trusting) a central bureaucracy similar to the UN, at least not in a manner you'll prefer.
It's not actually a problem, that's why. The submitter doesn't actually understand what he's suggesting and why the current method of dealing with this issue works fine.
You know who is doing the damage and 'attacking' you, they are easy to identify, and you just stop talking to them. They're only going to connect to a relatively small number of people, so disconnecting bad players is trivial, then you never talk to them again. They bear the cost of having all the money invested in setting up the original connections they used to 'attack' with being lost. And let's be clear, BGP attacks aren't done via virtual connections, they're done across physical connections, so you know EXACTLY who is doing them and which cable to unplug to solve the problem.
Do you upgrade every router running BGP, or just turn off the 2 connections to the bad guy? It's just not worth the effort to 'fix the problem' with a technical solution when good old-fashioned common-sense tactics work just as well and for far less cost (read: effort for everyone involved). Even if it were a major backbone provider, the number of connections to cut is still trivial compared to even upgrading all the routers that the single largest backbone providers connect to.
This is a stupid question to ask and just illustrates not understanding the actual problem. The costs of 'fixing' the problem technically FAR outweigh the benefits of doing so (not having to manually disconnect troublesome players).
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager