Slashdot Mirror


Why Is It Taking So Long To Secure Internet Routing?

CowboyRobot writes: We live in an imperfect world where routing-security incidents can still slip past deployed security defenses, and no single routing-security solution can prevent every attack. Research suggests, however, that the combination of RPKI (Resource Public Key Infrastructure) with prefix filtering could significantly improve routing security; both solutions are based on whitelisting techniques and can reduce the number of autonomous systems that are impacted by prefix hijacks, route leaks, and path-shortening attacks. "People have been aware of BGP’s security issues for almost two decades and have proposed a number of solutions, most of which apply simple and well-understood cryptography or whitelisting techniques. Yet, many of these solutions remain undeployed (or incompletely deployed) in the global Internet, and the vulnerabilities persist. Why is it taking so long to secure BGP?"
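
Added example, not part of the original submission or the comments below: a minimal sketch of the two whitelisting checks the summary names, RPKI route origin validation (the RFC 6811 valid / invalid / not-found states) and a per-customer prefix filter. The ROA table, the filter, the AS numbers and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and
# documentation AS numbers (RFC 5398); not real ROAs or routes.
ROAS = [  # (prefix, max length, authorized origin AS)
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
]
# Prefixes each customer AS may announce to us (exact-match prefix filter).
CUSTOMER_FILTER = {64500: ["192.0.2.0/24"]}


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this route
        if route.prefixlen <= max_len and origin_as == roa_as:
            return "valid"
    # Covered by a ROA but no ROA matches: wrong origin or too specific.
    return "invalid" if covered else "not-found"


def accept(neighbor_as, prefix, as_path):
    """Apply the customer prefix filter, then drop RPKI-invalid routes."""
    route = ipaddress.ip_network(prefix)
    allowed = [ipaddress.ip_network(p)
               for p in CUSTOMER_FILTER.get(neighbor_as, [])]
    if route not in allowed:
        return False, "prefix-filter"
    state = rov_state(prefix, as_path[-1])  # origin is the last AS in the path
    if state == "invalid":
        return False, "rpki-invalid"
    return True, state
```

Origin validation looks only at the last AS in the path, so an announcement with a forged path that still ends in the authorized origin validates; the prefix filter on the session is the check that covers that case for a directly connected neighbor.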

17 of 85 comments

  1. It's a production system by NFN_NLN · · Score: 5, Insightful

    The internet is in production. No one wants to touch anything that's already in production unless they literally can't make it any worse.
    Otherwise we would have IPv6 as well.

    1. Re:It's a production system by silas_moeckel · · Score: 4, Informative

      And if you look at IPv6, BGP filtering is a lot better.

      --
      No sir I don't like it.
    2. Re:It's a production system by binarylarry · · Score: 2

      CEO Voice: "So you're saying if we *upgrade*, we get new *features*. I like what I'm hearing."

      --
      Mod me down, my New Earth Global Warmingist friends!
    3. Re:It's a production system by jd2112 · · Score: 4, Insightful

      CEO Voice: "So you're saying if we *upgrade*, it will cost us money. I don't like what I'm hearing."

      FIFY.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    4. Re:It's a production system by Anonymous Coward · · Score: 2, Insightful

      BGP works just fine as is.
      Problem is, the operators are stupid and screw up their filters, configs, and management systems, and just fatfinger stuff.
      And they're still going to keep on doing that whether you drop elite PKI and whatever other sort of overhead you want on them.
      It's the operators, not the technology.

    5. Re:It's a production system by petermgreen · · Score: 2

      Also, a medium-sized ISP head of network engineering once told me "most non-peering traffic is default route anyways".

      Your "medium sized ISP" is a cheapskate. Either they have only one upstream or they have multiple upstreams but aren't really taking advantage of the resilience it gives them.

      BGP seems to be used mostly internally and by some enterprising individuals.

      BGP is how all the major internet providers exchange routes with their customers, upstreams and peers.

      A cheapskate ISP may choose to ignore the BGP information from their upstream(s) and use default routes instead. This means they can use cheaper routers but it means if they have more than one upstream they can't determine which upstream will provide the better route or indeed a route at all to the destination.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  2. trust by dremspider · · Score: 5, Insightful

    Most of these solutions require some sort of central authority to manage the security of all the routes. Sounds great until you realize that there is no one that all the users of the Internet can trust. I am not even sure that users can trust their own governments to manage this without exploiting users for the sake of surveillance let alone other countries trust one another. If you can't trust one another the best thing to do is remain insecure but watch each other like hawks for any foul play.

    1. Re:trust by Anonymous Coward · · Score: 3, Insightful

      I agree and would add that most of the "security" practices so far have actually made the Internet much less robust. Egress filtering to block spoofing has made routing an ISP-only privilege, and a legal risk to everyone else. Port blocking and ISPs' "for your protection" firewalls have made the network useless for telephony, to name only one application. QoS and buffering have increased latency.

      Long story short, it's better to have a fluid network with distributed authority than a centralized and fragile one, unfortunately the mere language of "security" is mistakenly encouraging the development of more and more fragile networks. The reality is that there is no "best practice" that can shift the responsibility of a "user" to the ISP, or remove the vigilance needed to run a collective open-door service like the Internet.

      We have been keeping routing in a box in the name of security. We should be exploring P2P designs, but the legal climate discourages them (preventing copyright infringement or anonymity has become a "security" objective) and this pushing of "security" down the stack is actually the crux of the problem. There would be no core routing issues if the core were not centralized and fragile, and every user were a full peer, but the Internet has been choked to the point that no one can run the kind of P2P routing software that would obviate the vulnerabilities of the core. As long as we insist on fighting "pirates" and thought crimes, and breaking the end-to-end principle, we can't expect a robust network.

    2. Re:trust by WaffleMonster · · Score: 3, Insightful

      An untrusted central authority is better than no security.

      Peers have to trust each other to act rationally. Filtering and sanity checking of crap from your downstreams and maintenance of physical links with rational actors whom you trust to act professionally is worth more than central authorities.

  3. Cost by KMGeneral · · Score: 2

    When it comes down to it, the main reason is cost. Telcos (or any big business) HATE spending money, and if they feel they can get away without doing so they will.

    --
    Ours is not to reason why, just to do as we are told...
  4. Well Let's See by Greyfox · · Score: 2

    How much financial penalty is there for having insecure routes (or routers?) Hmm... None, basically. Ok. How much is this upgrade going to cost? Wow...that much? Well, there's your problem!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Well Let's See by Bengie · · Score: 2

      Depends on your customers. If you're a transit provider and your customer has an SLA that states 100% uptime and 1ms jitter and your insecure routing causes the route to become longer and the jitter goes above 1ms, suddenly you're paying your customer for not meeting the SLA.

  5. Re:NSA Tampering by epyT-R · · Score: 3, Informative

    They don't have to. They have CALEA ports.

  6. Re:Edge routers are expensive by Bengie · · Score: 3, Interesting

    You're just talking about BGP, which is done in software. A quick update will allow nearly all hardware that uses BGP to support the new protocol, assuming the code is small enough to fit in the firmware.

    And what do you mean by edge routers? You mean the last mile or for peering? My ISP pays Level 3 to handle peering. If you're talking about last mile, then your ISP should have invested into fiber, which is easily and cheaply upgraded. At $100/port for a 500-1gb port chassis that can support 3tb/s, it's not that expensive. How long does it take to pay off $100? Actually, network equipment represents about 40% of an ISP's costs, the bulk of the cost is in customer support. Phone centers are expensive with an average cost of $1/minute that a customer is connected. A single truck roll can cost an ISP much much more.

  7. Attacker is your Peer by statemachine · · Score: 4, Insightful

    Except "Attacker" in this case is the administrator at the peer, and the peers are entire companies, multinationals, and governments. We're not talking about your average basement-dweller script kiddie.

    If your peers are messing with you, or their peers are messing with them, how do you defend against an attack where the whole system is based on trust?

    You could go to a no-trust solution, but then that would need a central authority that would need to pre-calculate all the routes from every single AS. If a route breaks, that'll be slow to adjust to a backup route. If a new route needs to be added, the ISP would need to apply to a central authority with bureaucracy and red tape.

    If a route needed to be blackholed because of a DDOS, and that action had to be approved of by a central authority, which could take days to weeks for a ruling, nothing could be done because routers would not accept changes to any route until then.

    Essentially, the answer to security is to effectively lock out the AS ISPs from their own routers.

    You either trust the AS administrators or you don't. And since they're humans, they'll make mistakes, be malicious, or be affected by politics. This won't be solved by (trusting) a central bureaucracy similar to the UN, at least not in a manner you'll prefer.

  8. Not a Problem, submitter doesn't understand by BitZtream · · Score: 5, Insightful

    It's not actually a problem, that's why. The submitter doesn't actually understand what he's suggesting and why the current method of dealing with this issue works fine.

    You know who is doing the damage and 'attacking' you, they are easy to identify, and you just stop talking to them. They're only going to connect to a relatively small number of people so disconnecting bad players is trivial, then you never talk to them again. They bear the cost of having all the money invested in setting up the original connections they used to 'attack' with being lost. And let's be clear, BGP attacks aren't done via virtual connections, they're done across physical connections so you know EXACTLY who is doing them and which cable to unplug to solve the problem.

    Do you upgrade every router running BGP, or just turn off the 2 connections to the bad guy? It's just not worth the effort to 'fix the problem' with a technical solution when good old-fashioned common sense tactics work just as well and for far less cost (read: effort for everyone involved). Even if it were a major backbone provider, the number of connections to cut is still trivial compared to even upgrading all the routers that the single largest backbone providers connect to.

    This is a stupid question to ask and just illustrates not understanding the actual problem. The costs of 'fixing' the problem technically FAR outweigh the benefits of doing so (not having to manually disconnect troublesome players).

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  9. Re:NSA Tampering by Shatrat · · Score: 2

    Only in the USA. In other parts of the world the NSA collaborates with like-minded agencies from allies like the UK and Germany, and in parts of the world that are unfriendly they do rely heavily on backdoors.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0