Why Is It Taking So Long To Secure Internet Routing?

CowboyRobot writes: We live in an imperfect world where routing-security incidents can still slip past deployed security defenses, and no single routing-security solution can prevent every attacks. Research suggests, however, that the combination of RPKI (Resource Public Key Infrastructure) with prefix filtering could significantly improve routing security; both solutions are based on whitelisting techniques and can reduce the number of autonomous systems that are impacted by prefix hijacks, route leaks, and path-shortening attacks. "People have been aware of BGP’s security issues for almost two decades and have proposed a number of solutions, most of which apply simple and well-understood cryptography or whitelisting techniques. Yet, many of these solutions remain undeployed (or incompletely deployed) in the global Internet, and the vulnerabilities persist. Why is it taking so long to secure BGP?"

It's a production system

[NFN_NLN]

The internet is in production. No one wants to touch anything that's already in production unless they literally can't make it any worse.
Otherwise we would have IPv6 as well.

Re:It's a production system

[silas_moeckel]

And if you look at IPv6 BGP filtering is a lot better.

Re:It's a production system

[binarylarry]

CEO Voice: "So you're saying if we *upgrade*, we get new *features*. I like what I'm hearing."

Re:It's a production system

[jd2112]

CEO Voice: "So you're saying if we *upgrade*, it will cost us money. I don't like what I'm hearing."

FIFY.

Re:It's a production system

[Bengie]

Yeah, thanks Verizon. They just had to suddenly public their huge number of internal routes and crash the Internet.

Re:It's a production system

BGP works just fine as is.
Problem is, the operators are stupid and screw up their filters, configs, and management systems, and just fatfinger stuff.
And they're still going to keep on doing that whether you drop elite PKI and whatever other sort of overhead you want on them.
It's the operators, not the technology.

Re:It's a production system

[dnavid]

The internet is in production. No one wants to touch anything that's already in production unless they literally can't make it any worse. Otherwise we would have IPv6 as well.

Lots of people want to touch production systems. In the case of the internet and BGP, however, evolution has weeded out the people who like to touch production systems, and the only people with administrative rights are still getting over having to support 32-bit AS numbers and wondering where their pet dinosaur went.

Re:It's a production system

[gweihir]

Indeed. Also, a medium-sized ISP head of network engineering once told me "most non-peering traffic is default route anyways". BGP seems to be used mostly internally and by some enterprising individuals. Might be the reason why we have seen only very few BGP based attacks. An they have a high risk of being detected immediately, while attackers that invest time (as opposed to automated attackers) want to be detected as late as possibly and preferably never. I mean, even adding a single hop with a BGP attack will be blatantly obvious in ping-time monitoring (think smoke-ping), and even the most stupid network operators are hopefully doing that as it is also the easiest way to detect failing or overloaded equipment.

Re:It's a production system

[petermgreen]

Also, a medium-sized ISP head of network engineering once told me "most non-peering traffic is default route anyways".

Your "medium sized ISP" is a cheapskate. Either they have only one upstream or they have multiple upstreams but aren't really taking advantage of the resiliance it gives them.

BGP seems to be used mostly internally and by some enterprising individuals.

BGP is how all the major internet providers exchange routes with their customers, upstreams and peers.

A cheapskate ISP may chose to ignore the BGP information from their upstream(s) and use default routes instead. This means they can use cheaper routers but it means if they have more than one upstream they can't determine which upstream will provide the better route or indeed a route at all to the destination.

trust

[dremspider]

Most of these solutions require some sort of central authority to manage the security of all the routes. Sounds great until you realize that there is no one that all the users of the Internet can trust. I am not even sure that users can trust their own governments to manage this without exploiting users for the sake of surveillance let alone other countries trust one another. If you can't trust one another the best thing to do is remain insecure but watch each other like hawks for any foul play.

Re:trust

[wisnoskij]

"So from now on I guess the operational phrase is 'Trust no-one.'" "No. Trust Ivanova, trust yourself, anybody else: shoot them."

Re:trust

[peragrin]

Have you ever surfed the Net Bro?

You should be doing the Trust Ivanova, Trust yourself and shoot everyone else to begin with.

If you trust the net your data will be copied. whether you want it to be or not.

Re:trust

[BradMajors]

An untrusted central authority is better than no security.

Re:trust

I agree and would add that most of the "security" practices so far have actually made the Internet much less robust. Egress filtering to block spoofing has made routing an ISP-only privilidge, and a legal risk to everyone else. Port blocking and ISPs' "for your protection" firewalls have made the network useless for telephony, to name only one application. QoS and buffering have increased latency.

Long story short, it's better to have a fluid network with distributed authority than a centralized and fragile one, unfortunately the mere language of "security" is mistakenly encouraging the development of more and more fragile networks. The reality is that there is no "best practice" that can shift the responsability of a "user" to the ISP, or remove the vigilence needed to run a collective open-door service like the Internet.

We have been keeping routing in a box in the name of security. We should be exploring P2P designs, but the legal climate discourages them (preventing copyright infringment or anonymity has become a "security" objective) and this pushing of "security" down the stack is actually the crux of the problem. There would be no core routing issues if the core were not centralized and fragile, and ever user were a full peer, but the Internet has been choked to the point that noone can run the kind of P2P routing software that would obviate the vulnerabilities of the core. As long as we insist on fighting "pirates" and thought crimes, and beaking the end-to-end principal, we can't expect a robust network.

Re:trust

[cheater512]

Erm where the hell do you think the IP's come from? Yep the central internet registries. APNIC, RIPE, AfriNIC, LACNIC and ARIN.

There is your trusted central authorities. If you don't trust them then hand your IP's over.

Re:trust

[WaffleMonster]

An untrusted central authority is better than no security.

Peers have to trust each other to act rationally. Filtering and sanity checking of crap from your downstreams and maintenance of physical links with rational actors whom you trust to act professionally is worth more than central authorities.

Re:trust

[Gr8Apes]

I only have to trust them to hand out the IP once. That's all, certainly not with any other details.

Re:trust

[cheater512]

The only issue here is people saying they control IP's that they don't own.

If everyone trusts these organisations to give out IP's then tying BGP filtering to that is a logical extension.

Edge routers are expensive

[alen]

which means they are bought and used for many years if not a decade or longer
your $50 or whatever you pay your ISP a month is not enough to afford new equipment every year

Re:Edge routers are expensive

You try running anything other than a few BGP routes on a switch and see how that goes for you. Most of those cheap switches you mention by the way, do not support BGP by default, you either need a license or a more advanced version of code which you may or may not get on them.

Re:Edge routers are expensive

[Bengie]

You're just talking about BGP, which is done in software. A quick update will allow nearly all hardware that uses BGP to support the new protocol, assuming the code is small enough to fit in the firmware.

And what do you mean by edge routers? You mean the last mile or for peering? My ISP pays Level 3 to handle peering. If you're talking about last mile, then your ISP should have invested into fiber, which is easily and cheaply upgraded. At $100/port for a 500-1gb port chassis that can support 3tb/s, it's not that expensive. How long does it take to pay off $100? Actually, network equipment represents about 40% of an ISP's costs, the bulk of the cost is in customer support. Phone centers are expensive with an average cost of $1/minute that a customer is connected. A single truck roll can cost an ISP much much more.

Re:Edge routers are expensive

[dgatwood]

I keep thinking that if an ISP really wanted to cut costs, they could proactively monitor their network for problems:

• Provide the CPE preconfigured, at no additional cost to the customer. (Build the hardware cost into the price of service.)
• Ensure that the CPE keeps a persistent capacitor-backed log across reboots. If the reboot was caused by anything other than the customer yanking the cord out of the wall or a power outage, send that failure info upstream. Upon multiple failures in less than a few weeks, assume that the customer's CPE is failing, and call the customer with a robocall to tell them that you're mailing them new CPE to improve the quality of their service.
• Detect frequent disconnects and reconnects, monitor the line for high error rates, etc. and when you see this happening, treat it the same way you treat a CPE failure.
• If the new hardware behaves the same way, silently schedule a truck roll to fix the lines.

If done correctly (and if clearly advertised by the ISP so that users would know that they didn't need to call to report any outages), it would eliminate the need for all customer service except for billing, and a decent online billing system could significantly reduce the need for that as well.

Re:Edge routers are expensive

[dgatwood]

First, I'm not talking about adding any additional gear. There's no reason that what I'm talking about can't be handled entirely in the DSLAM or head end or whatever and in the existing CPE hardware that talks to it.

Second, I wasn't really talking about changing the CPE for business customers with fiber connections anyway. They're not (usually) the ones who are constantly on the phone with tech support saying "The Internet is down" when really, they just accidentally unplugged something. I'm talking about providing smarter, preconfigured cable modems and DSL modems for home use.

It's a production system

Exactly. The point of the Internet is to interconnect. If you introduce a new, incompatible protocol (more secure though it may be) and refuse to accept updates via the old one, you risk depeering on a massive scale. Remember when the global routing table tipped the scales? And how people freaked out because they couldn't watch their favorite cat video - or conduct meaningful e-commerce? Yeah, expect that type of reaction x 1 million while every major ISP figures out how to rebuild the Internet from scratch.

Re:Because of capitalism.

[NemoinSpace]

Could someone please explain the parent comment to me in a way that does not involve marijuanna?

Re:Because of capitalism.

[epyT-R]

The network was originally developed and used by the dept of defense to connect military bases in case of nuclear war. It later spread to academic as well as corporate presences.

I don't think you understand capitalism or socialism. Capitalism is an economic system based on the generation, purchase, sale, and ownership of property amongst private parties. Socialism is a government model that imposes itself on individual rights and choices for the sake of what the leadership thinks is the common good. They're not a zero sum game. In fact, what we're seeing in the US now is how one can actually boost the other into whole new realms of abuse across the board. Thanks to this interaction, we have a government culture that doesn't give a shit about the rights of the citizens it's supposed to represent, and we have an economy that increasingly does not cater to the consumer. Each washes the other's back.

This is why net neutrality is damned if you do damned if you don't. Either you have the isps play favorites with connectivity, or you have the state mandating standards which will eventually move towards censorship of data that negatively affects the interests of the single issue lobbyists (corporate and social) making up its collective yet fragmented view of the world. Ideally, I'd want the internet of 1990 with today's bandwidth and reliability, but if I had to choose, I'd rather deal with an overmetered network than one whose culture is dictated by corporates wanting to corner markets with legislation, and politically correct, thin skinned, pompous asses, pushing 'social justice' in the form of soviet style censorship policies and methods.

Cost

[KMGeneral]

When it comes down to it, the main reason is cost. Telcos (or any big business) HATE spending money, and if they feel they can get away without doing so they will.

Well Let's See

[Greyfox]

How much financial penalty is there for having insecure routes (or routers?) Hmm... None, basically. Ok. How much is this upgrade going to cost? Wow...that much? Well, there's your problem!

Re:Well Let's See

[Bengie]

Depends on your customers. If you're a transit provider and your customer has an SLA that states 100% uptime and 1ms jitter and your insecure routing causes the route to become longer and the jitter goes above 1ms, suddenly you're paying your customer for not meeting the SLA.

Re:Well Let's See

[petermgreen]

Afaict ISP SLAs only cover the quality of the route to the ISPs border, what happens to the traffic beyond that is not (and can't really be) specified.

If you want "100% uptime and 1ms jitter" to a specific place then you buy a direct connection to that specific place you don't use the internet. If you want "100% uptime and 1ms jitter" to the whole internet that is not going to happen.

Re:Because of capitalism.

[epyT-R]

Strawman.

Re:NSA Tampering

[epyT-R]

They don't have to. They have CALEA ports.

Attacker is your Peer

[statemachine]

Except "Attacker" in this case is the administrator at the peer, and the peers are entire companies, multinationals, and governments. We're not talking about your average basement-dweller script kiddie.

If your peers are messing with you, or their peers are messing with them, how do you defend against an attack where the whole system is based on trust?

You could go to a no-trust solution, but then that would need a central authority that would need to pre-calculate all the routes from every single AS. If a route breaks, that'll be slow to adjust to a backup route. If a new route needs to be added, the ISP would need to apply to a central authority with bureaucracy and red tape.

If a route needed to be blackholed because of a DDOS, and that action had to be approved of by a central authority, which could take days to weeks for a ruling, nothing could be done because routers would not accept changes to any route until then.

Essentially, the answer to security is to effectively lock out the AS ISPs from their own routers.

You either trust the AS administrators or you don't. And since they're humans, they'll make mistakes, be malicious, or be affected by politics. This won't be solved by (trusting) a central bureaucracy similar to the UN, at least not in a manner you'll prefer.

Re:Attacker is your Peer

[DarkOx]

The thing is AS admins have been lazy. Broadly speaking I agree with what you have to say and I agree a central authority would very likely cause more problems than it solves. AS admins do need to take a middle ground though, and implement some route filters. For instance if you have a route that sits on transpacific cable in California you should probably be filtering routes with at least a few broad rules like; !ARIN

A little direction for a central authority like IANA that laid down some rules like filter routes along political and regional boundaries could go along way to prevent things from happening like half the US getting routed via China, etc; while doing little harm to the resiliency of the network (so long as rules remain simple and few). Will it stop things like that bitcoin theft a few weeks back, nope but it will keep them in country where there will be a consistent legal framework in place to handle shenanigans

Re:Attacker is your Peer

[sjames]

Or, you go with signed routes. That is, you use a public key system to prove that you have the right to broadcast a route for a particular subnet.

In practice, it will probably mean some router upgrades. No more router cpus that were considered a bit underpowered for a calculator in the '90s. However, as an interim measure, it could be used to set some BGP filters to limit the potential damage.

Re:Attacker is your Peer

[TubeSteak]

If a route needed to be blackholed because of a DDOS, and that action had to be approved of by a central authority, which could take days to weeks for a ruling, nothing could be done because routers would not accept changes to any route until then.

Why would you need permission to blackhole a route?
The problem is adding good routes, not dropping bad ones.

Re:Attacker is your Peer

[petermgreen]

You could have a system of signed routes. When you pass a route to an upstream you would add a signed statement to that affect to the route. When receiving a route from a customer or peer you would check for a valid chain of signatures leading from the owner of the IP block to the entity sending you the route.

Obviously you'd still have to trust your upstreams but you can't really avoid that. You'd also have to have some kind of central database that recorded the owners of IP blocks and the corresponding public keys.

How Many Nails Does it take to seal a coffin?

[kinohead]

Nine.

Not a Problem, submitter doesn't understand

[BitZtream]

Its not actually a problem, thats why. The submitter doesn't actually understand what he's suggesting and why the current method of dealing with this issue works fine.

You know who is doing the damage and 'attacking' you, they are easy to identify, and you just stop talking to them. They're only going to connect to a relatively small number of people so disconnecting bad players is trivial, then you never talk to them again. They bare the cost of having all the money invested in setting up the original connections they used to 'attack' with being lost. And lets be clear, BGP attacks aren't done via virtual connections, they're done across physical connections so you know EXACTLY who is doing them and which cable to unplug to solve the problem.

Do you upgrade every router running BGP, or just turn off the 2 connections to the bad guy? Its just not worth the effort to 'fix the problem' with a technical solution when good old fashion common sense tactics work just as well and for far less cost (read: effort for everyone involved) Even if it were a major backbone provider, the number of connections to cut is still trivial compared to even upgrading all the routers that the single largest backbone providers connect to.

This is a stupid question to ask and just illustrates not understanding the actual problem. The costs of 'fixing' the problem technical FAR outweighs the benefits of doing so (not having to manually disconnect troublesome players).

Re:Not a Problem, submitter doesn't understand

[LordLimecat]

Whats really bothersome is that so many of the comments hop on the "NSA thats why" or "corporate greed" bandwagons despite having no functional knowledge of the issue.

Thought people here were supposed to be rationally minded geeks; guess not.

Re:Not a Problem, submitter doesn't understand

[jbmartin6]

The costs of 'fixing' the problem technical FAR outweighs the benefits of doing so

+1. We see this in so many cases where someone asks 'Why don't they fix this or that?'

Re:so what's ARPA doing in my computer?

[arcade]

If that was a serious question, and not trolling:

The in-addr.arpa DNS zone is used for reverse DNS.

Basically, you forward-map hostnames to IP addresses. At the same time, you can reverse-map IP-addresses to hostnames.

The forward mapping is done via 'A' records.
The reverse mapping is done via 'PTR' records, and it's done in the in-addr.arpa hiearchy.

Re:NSA

How can government and LEO's surveil us if everything is locked down?

Yes

We ran out of IPv4. #1 OS is Android

[raymorris]

> and then suddenly we completely ran out of IPv4 addresses, so everyone, even Microsoft, had no choice but to get moving on IPv6

Ftfy . Most computing devices sold in the last three years don't run Windows. Microsoft is now a minority player. Android is #1, iOS #2.

So which companies have influence? Android is the most popular operating system, so it's support of IPv6 is important. Most end points that need new addresses get those addresses assigned by one of the major mobile carriers, while older equipment is still using the same old IPs on Comcast and Time Warner. The equipment on the backbones is mostly Cisco gear, so it matters what Cisco supports the best, but they'll provide whatever Comcast and Level3 want to buy.

Re:We ran out of IPv4. #1 OS is Android

[cyber-vandal]

In the consumer space yes. In the corporate world no-one's manipulating huge spreadsheets or writing 500 page legal documents on an iPad.

White list? Really?

[Tony+Isaac]

There are more than 600 million Web sites, according to NetCraft. Who is going to maintain a list like that? It's going to cost a lot of money...who is going to pay for it? Who is going to have the power to decide who gets in, and who doesn't? What about appeals, for those who feel they have been unjustly removed from the list? What about opposing points of view? Does the US get to decide which Chinese sites get to be on the list, or vice versa?

Re:Because of capitalism.

[LordLimecat]

When you say "cruising on empty", how do you explain the huge number of top-tier tech companies that are US based? Intel, Apple, Microsoft, Red Hat, Google, nVidia, AMD, Qualcom...

Dunno, I kind of think capitalism does quite fine at providing ideas. Let me know when everyone else catches up to Intel's current process tech, till then maybe we shouldnt write off capitalism as "cruising on empty".

Why is it taking so long for flying cars?

[DdJ]

The headline made me do a double-take. It's like asking "why is it taking so long to develop an invisibility cloak?" or "why is it taking so long to develop flying cars?".

Re:Because of capitalism.

[sjames]

The problem is, we're tipped over into corporatism where the net is controlled by a very few very large legal sictions tha tthe courts insist are somehow people.

You worry about the bad old government censoring the net but forget to worry about the ISPs censoring the net.

I can't imagine why you think the overmetered network protects us from the market cornering legislation and the pompous asses. Without proper net neutrality, we get all of the above and nowhere to turn.

Re:NSA Tampering

[Shatrat]

Only in the USA. In other parts of the world the NSA collaborates with like-minded agencies from allies like the UK and Germany, and in parts of the world that are unfriendly they do rely heavily on backdoors.

nor misusing spreadsheets where databases are need

[raymorris]

> In the corporate world no-one's manipulating huge spreadsheets or writing 500 page legal documents on an iPad.

I'm guessing that in your corporate world, nobody HAS huge spreadsheets because they're putting the huge stuff in the RDMS whre it belongs. iPads aren't the right tool for significant datasets, and neither is Excel. In my world, most people do not use the right tool for the job.

APK is why it takes so long

[Khyber]

'Nuff said. Can't get shit done with his constant bullshit spouting.

Why bother?

[LostMyBeaver]

I train massive numbers of people in BGP every year. The best would go for it. The average are just happy to peer and move on.

IT completely lacks process. ITIL is a joke. People insist on wasting time doing the same thing over and over. The best networking companies I know with the absolute best people are rarely more professional than a bunch of script kiddies. The best of the best hack away on networking and routing like and orangoutang playing with a toy piano. Modern IT is rarely better off than a bunch of idiots in comfort zones who make changes indiscriminately and send the invoice.

There is no profit in fixing BGP. It works and most IT engineers operating peers don't care. There is nothing which says "the internet won't work if we don't do this.". There's not even a clear line of how you would gain money by making such a change.

The internet will never implement a feature simply because it's useful or right. We do it because of the money, because it's fun or because our peering won't function without it.

Re: Because of capitalism.

[LordLimecat]

They open offices overseas because theyre global companies, not because the US sucks. If the US sucked they wouldnt be headquartered here.