Cloudflare Wants Internet Route Leaks To Be a Thing of the Past (techcrunch.com)

← Back to Stories (view on slashdot.org)

Cloudflare Wants Internet Route Leaks To Be a Thing of the Past (techcrunch.com)

Posted by msmash on Wednesday September 19, 2018 @06:45AM from the moving-forward dept.

Cloudflare wants routing issues to be a thing of the past by deploying a new feature to try to stop route leaks and hijacks in their tracks. From a report: Cloudflare told TechCrunch that rolling out resource public key infrastructure (RPKI) to all of its customers for free will make it far more difficult to reroute traffic -- either by accident or deliberately. RPKI, in a nutshell, helps to ensure that traffic goes to the right place through a route that's verified as legitimate and correct by using cryptographically signed certificates.

"When two networks connect with each other -- say, AT&T and Verizon -- they announce the set of IP addresses for which they should be sent traffic," said Nick Sullivan, Cloudflare's head of cryptography. "The RPKI is a security framework to make sure a network announces only its legitimate IP addresses." Cloudflare's push in the right direction follows an effort by the National Institute for Standards and Technology, which last week published its first draft of a new standard, which incorporates RPKI as one of three components that will help prevent route leaks and hijacks. A possible approval is expected in the coming weeks.

24 comments

Min score:

Reason:

Sort:

Lag due to PKI? by sinij · 2018-09-19 06:49 · Score: 0

PKI isn't quick, especially and particularly due to OCSP/CRL lookups. Is this going to spike my ping times as a result? If yes, I am not interested.
1. Re:Lag due to PKI? by jon3k · 2018-09-19 06:54 · Score: 1
  
  Is this going to spike my ping times as a result?
  
  No.
2. Re: Lag due to PKI? by Anonymous Coward · 2018-09-19 06:56 · Score: 0
  
  Read->Comprehend->Post
  You missed the first two points there, skippy. You imbecile, you cretin, you utter buffoon
3. Re:Lag due to PKI? by Anonymous Coward · 2018-09-19 07:02 · Score: 4, Informative
  
  This may very slightly increase the time taken to form a route after a network comes online. Seeing that this only happens after a major outage or when a new network is commissioned these few milliseconds won't matter at all.
  It is desperately needed btw, it is super easy to make a mistake in BGP configuration that makes you announce the ip ranges of another party. If you are lucky you can route that traffic and nothing goes down, but usually this causes major problems.
4. Re: Lag due to PKI? by Anonymous Coward · 2018-09-19 07:22 · Score: 0
  
  Intermittent reconfirmation policies could be done daily to maintain integrity, and have no discernible impact on end users.
5. Re:Lag due to PKI? by Anonymous Coward · 2018-09-19 07:27 · Score: -1
  
  Look, my throbbing hard black cock is coated in KY and little shit crumbs after anally ravaging your mother. Be a dear and lick that off for me, kthx.
6. Re:Lag due to PKI? by silas_moeckel · 2018-09-19 10:04 · Score: 1
  
  There are a lot of routers in the DFZ that are already hurting for CPU time.
  How quickly will something get hacked because somebody left the private key either on the router or someplace else exposed.
  
  --
  No sir I dont like it.
7. Re:Lag due to PKI? by skovnymfe · 2018-09-19 19:46 · Score: 1
  
  Unless you live in a part of the internet where the routes are re-calculated and re-established every time you send a packet, in which case, please do tell which ISP you use cause then I'll walk in a large circle around them.
8. Re: Lag due to PKI? by Anonymous Coward · 2018-09-20 02:10 · Score: 0
  
  You forget, this is Slashdot. We donâ(TM)t RTFA before commenting.
Cloudflare started as a CIA honeypot by Anonymous Coward · 2018-09-19 07:00 · Score: 0

the fact that they're now operating a global business and raking in money doesn't change its roots. It's still the same people running it today.
If you let this American corporation handle your internet traffic, then you can be 100% certain they have a way in if they want.
1. Re:Cloudflare started as a CIA honeypot by themusicgod1 · 2018-09-19 07:24 · Score: 1
  
  [citation needed]
  
  --
  GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
3D gun advocate just got Assanged! by Anonymous Coward · 2018-09-19 07:03 · Score: -1

https://www.nytimes.com/2018/09/19/business/cody-wilson-3d-guns-sexual-assault.html
Let's Encrypt Some More by Anonymous Coward · 2018-09-19 07:07 · Score: 0, Offtopic

Because PKI was such a riot on HTTP, it'll be even better on BGP!
No, kids, just slapping on any old encryption will NOT do. But then, this is cloudflare, breakers of teh intarwebz. Just like google fiddling with "m." and "www.", this too is an idea born from lots of pretention and a distinct lack of excellence.
1. Re:Let's Encrypt Some More by Anonymous Coward · 2018-09-19 09:45 · Score: 0
  
  Didn't RTFA, hey? Oh well, this is /. I suppose. Cloudfare is only jumping on the bandwagon that was started off by NIST and DHS a couple of weeks ago...
  Standard to protect against BGP hijack attacks gets first official draft
  NIST and DHS project publishes first draft of new BGP Route Origin Validation (ROV) standard that will help ISPs and cloud providers protect against BGP hijack attacks.
  https://www.zdnet.com/article/standard-to-protect-against-bgp-hijack-attacks-gets-first-official-draft/
The end of the free internet as we know it. by Anonymous Coward · 2018-09-19 07:16 · Score: -1

Do you want to censor the internet? Because this is how you censor the internet.
First it's "all of its customers for free". Then it's "only customers who have registered". Then it's "only customers on registered platforms (windows)". Finally it's "only to IP addresses we allow, with a side channel to any third party who will pay".
The only way to ensure privacy is to encrypt before you connect. Period. Relying on 'others' to save you between point A and point B is nothing but smoke and mirrors.
1. Re:The end of the free internet as we know it. by Anonymous Coward · 2018-09-19 07:26 · Score: 0
  
  Could this be used to only allow "approved" customers to certain routes?
2. Re:The end of the free internet as we know it. by Anonymous Coward · 2018-09-19 08:58 · Score: 0
  
  You grossly misunderstand the situation.
  This only deals with how they handle routing through their network and advertise routes to their peers. They can't affect random home users on a whim, and the protocol reduces the ability of anyone to affect networks outside their own.
  
  The only way to ensure privacy is to encrypt before you connect.
  This is why I modded you offtopic. Your encryption or lack thereof has absolutely no relevance to RPKI.
3. Re:The end of the free internet as we know it. by Anonymous Coward · 2018-09-19 09:02 · Score: 0
  
  No. He has no understanding of the subject at all.
  Routing hiccups occur from time to time (specifically, non-optimal or nonexistent routes due to bad BGP advertisements from peers).
  Sometimes this happens accidentally, other times deliberately. This protocol will practically eliminate this type of hiccup.
That's funny by themusicgod1 · 2018-09-19 07:27 · Score: 1

Because we want Cloudflare to be a thing of the past. It is a central point of failure for the whole of the world wide web at this point, and making them moreso a central point of failure for the internet is not a good idea at all.

--
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
Blockchain by QuietLagoon · 2018-09-19 07:27 · Score: 1

Cloudflare shudda used "blockchain" in the PR headline, it would have gotten a lot more attention.
Cloudflare by Anonymous Coward · 2018-09-19 07:35 · Score: -1

I remember when they made the arbitrary decision to kill The Daily Stormer. I only trust free speech absolutists. Lameness filters are Jewish.
Mutual authentication route advertisements by Anonymous Coward · 2018-09-19 07:45 · Score: 0

Mutual-auth already exists in routing protocol advertisements. What makes this one different?
Second question: static routes are infinitely more secure. What is stopping someone anywhere within the RPKI to lie, mislead, or be misled through layer 2 and 3 attacks, leading to a propagation of cryptographically verified, but false information?
And I want a pony by WillAffleckUW · 2018-09-19 08:05 · Score: 1

Only one of us will be happy, and I'm shopping on ponies dot com right now.
Route that.

--
-- Tigger warning: This post may contain tiggers! --
Static routes are fine in your office by raymorris · 2018-09-19 08:27 · Score: 3, Informative

Static routes are okay with your building, if the building isn't too big. If a router goes offline, everybody waits for the network admin to get back from lunch and fix it. For the backbones, we currently re-route in milliseconds sometimes dpending on network conditions. No waiting around for a sysadmin.
> What is stopping someone anywhere within the RPKI to lie, mislead, or be misled through layer 2 and 3 attack
Routing is in layer 3, so this is preventing some layer 3 attacks. For securing layer 2, see http://google.com/search?q=lay...
Routing protocols at layer 3 aren't supposed to address issues of layer 2.