Slashdot Mirror


Cloudflare Wants Internet Route Leaks To Be a Thing of the Past (techcrunch.com)

Cloudflare wants routing issues to be a thing of the past by deploying a new feature to try to stop route leaks and hijacks in their tracks. From a report: Cloudflare told TechCrunch that rolling out resource public key infrastructure (RPKI) to all of its customers for free will make it far more difficult to reroute traffic -- either by accident or deliberately. RPKI, in a nutshell, helps to ensure that traffic goes to the right place through a route that's verified as legitimate and correct by using cryptographically signed certificates.

"When two networks connect with each other -- say, AT&T and Verizon -- they announce the set of IP addresses for which they should be sent traffic," said Nick Sullivan, Cloudflare's head of cryptography. "The RPKI is a security framework to make sure a network announces only its legitimate IP addresses." Cloudflare's push in the right direction follows an effort by the National Institute of Standards and Technology, which last week published the first draft of a new standard that incorporates RPKI as one of three components intended to prevent route leaks and hijacks. A possible approval is expected in the coming weeks.
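The mechanism the summary describes is Route Origin Validation: each network publishes signed Route Origin Authorizations (ROAs) saying which origin AS may announce a prefix and down to what length, and a router compares every received BGP announcement against them. The following is an added example, not code from Cloudflare, TechCrunch or the NIST draft; it implements the RFC 6811 validation states (valid, invalid, not-found) over a constructed ROA set using only documentation prefixes and private ASNs, plus the usual deployment policy of dropping invalid announcements while still accepting ones that no ROA covers.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs.

Added example; not code from Cloudflare or from the article. The ROAs and
announcements below are constructed sample data (documentation prefixes,
private ASNs), not real routing data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple, Union
import ipaddress

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class RovState(str, Enum):
    VALID = "valid"          # a covering ROA authorises this origin at this length
    INVALID = "invalid"      # covering ROAs exist, but none authorise the announcement
    NOT_FOUND = "not-found"  # no ROA covers the prefix at all


@dataclass(frozen=True)
class ROA:
    """origin_asn may announce prefix and any more-specific up to max_length bits."""
    prefix: IPNetwork
    max_length: int
    origin_asn: int


def roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix, strict=True), max_length, origin_asn)


# Constructed sample ROAs (assumed data for the example).
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 24, 64500),
    roa("198.51.100.0/24", 26, 64501),
    roa("203.0.113.0/24", 24, 0),       # AS0 ROA (RFC 7607): nobody may originate this
    roa("2001:db8::/32", 48, 64500),
]


def covering_roas(announced: IPNetwork, roas: List[ROA]) -> List[ROA]:
    """ROAs whose prefix contains the announced prefix (same address family)."""
    return [r for r in roas
            if r.prefix.version == announced.version and announced.subnet_of(r.prefix)]


def validate(announced_prefix: str, origin_asn: int, roas: List[ROA]) -> RovState:
    """RFC 6811 origin validation for one (prefix, origin AS) announcement."""
    announced = ipaddress.ip_network(announced_prefix, strict=True)
    covering = covering_roas(announced, roas)
    if not covering:
        return RovState.NOT_FOUND
    for r in covering:
        # Both the origin AS and the announced length must be authorised.
        if r.origin_asn == origin_asn and announced.prefixlen <= r.max_length:
            return RovState.VALID
    return RovState.INVALID


def filter_announcements(announcements: List[Tuple[str, int]], roas: List[ROA],
                         reject_invalid: bool = True) -> List[Tuple[str, int, RovState]]:
    """Common deployment policy: drop INVALID, keep VALID and NOT_FOUND."""
    accepted = []
    for prefix, asn in announcements:
        state = validate(prefix, asn, roas)
        if reject_invalid and state == RovState.INVALID:
            continue
        accepted.append((prefix, asn, state))
    return accepted


# Constructed announcements covering each outcome (assumed data for the example).
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),      # legitimate origin at the authorised length
    ("192.0.2.0/25", 64500),      # right origin, but longer than max_length
    ("192.0.2.0/24", 64666),      # wrong origin: the misconfiguration/hijack case
    ("198.51.100.64/26", 64501),  # more-specific still within max_length
    ("203.0.113.0/24", 64500),    # AS0 ROA covers it: invalid for every origin
    ("10.1.0.0/16", 64500),       # no ROA at all: not-found, accepted by default
    ("2001:db8:1::/48", 64500),   # IPv6 more-specific within max_length
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        print(f"{prefix:>20}  AS{asn:<6} {validate(prefix, asn, SAMPLE_ROAS).value}")
    print("accepted:", [(p, a) for p, a, _ in filter_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)])
```

The not-found case is why the feature reduces rather than eliminates leaks: a prefix without a ROA is still accepted from any origin, so coverage of the ROA database matters as much as validation on the routers. The max_length check is what catches a more-specific announcement with the correct origin, which is otherwise the easiest way to pull traffic toward the wrong place.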

24 comments

  1. Lag due to PKI? by sinij · · Score: 0

    PKI isn't quick, especially and particularly due to OCSP/CRL lookups. Is this going to spike my ping times as a result? If yes, I am not interested.

    1. Re:Lag due to PKI? by jon3k · · Score: 1

      Is this going to spike my ping times as a result?

      No.

    2. Re: Lag due to PKI? by Anonymous Coward · · Score: 0

      Read->Comprehend->Post

      You missed the first two points there, skippy. You imbecile, you cretin, you utter buffoon

    3. Re:Lag due to PKI? by Anonymous Coward · · Score: 4, Informative

      This may very slightly increase the time taken to form a route after a network comes online. Seeing that this only happens after a major outage or when a new network is commissioned these few milliseconds won't matter at all.

      It is desperately needed, btw; it is super easy to make a mistake in BGP configuration that makes you announce the IP ranges of another party. If you are lucky you can route that traffic and nothing goes down, but usually this causes major problems.

    4. Re: Lag due to PKI? by Anonymous Coward · · Score: 0

      Intermittent reconfirmation policies could be done daily to maintain integrity, and have no discernible impact on end users.

    5. Re:Lag due to PKI? by silas_moeckel · · Score: 1

      There are a lot of routers in the DFZ that are already hurting for CPU time.

      How quickly will something get hacked because somebody left the private key either on the router or someplace else exposed.

      --
      No sir I don't like it.

    6. Re:Lag due to PKI? by skovnymfe · · Score: 1

      Unless you live in a part of the internet where the routes are re-calculated and re-established every time you send a packet, in which case, please do tell which ISP you use cause then I'll walk in a large circle around them.

    7. Re: Lag due to PKI? by Anonymous Coward · · Score: 0

      You forget, this is Slashdot. We don't RTFA before commenting.

  2. Cloudflare started as a CIA honeypot by Anonymous Coward · · Score: 0

    the fact that they're now operating a global business and raking in money doesn't change its roots. It's still the same people running it today.

    If you let this American corporation handle your internet traffic, then you can be 100% certain they have a way in if they want.

    1. Re:Cloudflare started as a CIA honeypot by themusicgod1 · · Score: 1

      [citation needed]

      --
      GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.

  3. Let's Encrypt Some More by Anonymous Coward · · Score: 0, Offtopic

    Because PKI was such a riot on HTTP, it'll be even better on BGP!

    No, kids, just slapping on any old encryption will NOT do. But then, this is cloudflare, breakers of teh intarwebz. Just like google fiddling with "m." and "www.", this too is an idea born from lots of pretension and a distinct lack of excellence.

    1. Re:Let's Encrypt Some More by Anonymous Coward · · Score: 0

      Didn't RTFA, hey? Oh well, this is /. I suppose. Cloudflare is only jumping on the bandwagon that was started off by NIST and DHS a couple of weeks ago...

      Standard to protect against BGP hijack attacks gets first official draft
      NIST and DHS project publishes first draft of new BGP Route Origin Validation (ROV) standard that will help ISPs and cloud providers protect against BGP hijack attacks.

      https://www.zdnet.com/article/standard-to-protect-against-bgp-hijack-attacks-gets-first-official-draft/

  4. Re:The end of the free internet as we know it. by Anonymous Coward · · Score: 0

    Could this be used to only allow "approved" customers to certain routes?

  5. That's funny by themusicgod1 · · Score: 1

    Because we want Cloudflare to be a thing of the past. It is a central point of failure for the whole of the world wide web at this point, and making them moreso a central point of failure for the internet is not a good idea at all.

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.

  6. Blockchain by QuietLagoon · · Score: 1

    Cloudflare shudda used "blockchain" in the PR headline, it would have gotten a lot more attention.

  7. Mutual authentication route advertisements by Anonymous Coward · · Score: 0

    Mutual-auth already exists in routing protocol advertisements. What makes this one different?

    Second question: static routes are infinitely more secure. What is stopping someone anywhere within the RPKI to lie, mislead, or be misled through layer 2 and 3 attacks, leading to a propagation of cryptographically verified, but false information?

  8. And I want a pony by WillAffleckUW · · Score: 1

    Only one of us will be happy, and I'm shopping on ponies dot com right now.

    Route that.

    --
    -- Tigger warning: This post may contain tiggers! --

  9. Static routes are fine in your office by raymorris · · Score: 3, Informative

    Static routes are okay within your building, if the building isn't too big. If a router goes offline, everybody waits for the network admin to get back from lunch and fix it. For the backbones, we currently re-route in milliseconds sometimes, depending on network conditions. No waiting around for a sysadmin.

    > What is stopping someone anywhere within the RPKI to lie, mislead, or be misled through layer 2 and 3 attack

    Routing is in layer 3, so this is preventing some layer 3 attacks. For securing layer 2, see http://google.com/search?q=lay...
    Routing protocols at layer 3 aren't supposed to address issues of layer 2.

  10. Re:The end of the free internet as we know it. by Anonymous Coward · · Score: 0

    You grossly misunderstand the situation.

    This only deals with how they handle routing through their network and advertise routes to their peers. They can't affect random home users on a whim, and the protocol reduces the ability of anyone to affect networks outside their own.

    The only way to ensure privacy is to encrypt before you connect.

    This is why I modded you offtopic. Your encryption or lack thereof has absolutely no relevance to RPKI.

  11. Re:The end of the free internet as we know it. by Anonymous Coward · · Score: 0

    No. He has no understanding of the subject at all.

    Routing hiccups occur from time to time (specifically, non-optimal or nonexistent routes due to bad BGP advertisements from peers).

    Sometimes this happens accidentally, other times deliberately. This protocol will practically eliminate this type of hiccup.