Highlights
– US federal government plans for more funding to be dedicated to improving the security of the Internet’s routing system
– Accidental misconfigurations and attacks display the need for improved security to the Internet’s routing infrastructure
– Two key initiatives to improve the security of Internet routing protocols to receive additional R&D resources
The United States (US) federal government has plans to accelerate and allocate more resources to securing the Internet’s routing system in 2009 according to top officials with the US Department of Homeland Security (DHS). DHS is spearheading the initiative through its Secure Protocols for Routing Infrastructure program, which in 2009 will have a US$2.5 million per year budget. The increase quadruples the US$600,000 per year investment the department’s Science and Technology Directorate has spent on router security over the past three years. For fiscal year 2009, the agency received an additional US$12.5 million appropriation for cyber-security research and development (R&D).
Part of the new funding will go towards researching new ways to secure the Internet’s core routing protocol known as the Border Gateway Protocol (BGP). The new effort nicknamed BGPSEC, or BGP Secure, will be the first upgrade to the protocol since 1994, and will attempt to prevent routing hijack attacks and accidental misconfigurations of routing data according to DHS. According to security experts, the current design and implementation of BGP is one of the Internet’s weakest links, and one of the largest threats to the stability and security of the Internet. According to a top official at Arbor Networks, a company that provides tools for monitoring network performance, “over the past 15 years, the security of the Internet routing system has done nothing but deteriorate.”
Beginning in 2003, the US federal government first discussed the vulnerabilities of the Internet’s routing system in its “National Strategy to Secure Cyberspace.” The Presidential directive identified two Internet protocols – BGP and Domain Name System (DNS), which translates domain names (such as www.terrorism.com) into routable internet protocol (IP) addresses – that require modifications to make them more secure and robust. The DNSSEC, or DNS Secure, initiative that hopes to make the DNS protocol more secure, has been making progress with the announcement by the federal government that all .gov domains would adopt the new DNS security extensions by the end of 2009. The implementation of BGP on the other hand is not expected for at least four or more years according to a senior DHS program manager.
The latest initiatives to secure the Internet’s routing infrastructure comes after some recent attacks involving the outdated routing protocols, along with a recent presentation by a pair of security researchers at DEFCON – the largest underground hacking convention in the world – in August 2008 detailing a BGP exploit that could allow an attacker to eavesdrop or change a company’s unencrypted data, and calls by industry leaders and politicians to take cyber security more seriously or suffer severe consequences in the near future.
We believe the latest increases in funding cyber-security R&D initiatives to improve the security and resiliency of the Internet’s routing protocols are an extremely important step to combat the increased security risks posed to businesses and governments around the world who increasingly rely on the Internet for communications, business transactions, and the operation of critical infrastructure systems and military operations. In the near to mid-term, we expect the lack of a developed, tested, and deployable alternative to the current BGP implementation will prove to be an increased security risk as sophisticated hackers or terrorists look to increase the destructive impact of their activities.
Accidental Misconfiguration and Attacks Display Need For Improved Security
In February 2008, Pakistan Telecom inadvertently brought down the entire YouTube site worldwide for two hours as it was attempting to restrict local access to the site. When Pakistan Telecom tried to filter access to YouTube, it sent new routing information via BGP to PCCW, an ISP in Hong Kong that propagated the false routing information across the Internet.
In May 2003, a group of spammers hijacked an unused block of IP address space owned by Northrop Grumman and began sending out massive amounts of unwanted e-mail messages. It took two months for the military contractor to reclaim ownership of its IP addresses and get the rogue routing announcements blocked across the Internet. In the meantime, Northrop Grumman’s IP addresses ended up on high-profile spam blacklists.
Two Key Initiative To Receive Additional R&D Resources
In order to prevent misconfigurations and attacks such as those detailed above, DHS will be funding two key initiatives related to enhancing router security: Resource Public Key Infrastructure (RPKI), which adds authentication to the delegation of IP address blocks by the registries to Internet Service Providers (ISPs) and enterprises; and BGPSEC, which adds digital signatures to BGP announcements.
The idea behind RPKI is that the initiative deals with the administrative side of IP address delegation, and the delegation of address space is secure or signed so it is not forgeable. According to experts close to the development of RPKI, production-quality RPKI deployment is still a couple of years out, but will require no router hardware or software changes, thus helping to speed up its deployment when it is standardized.
With respect to a new secure BGP implementation, DHS plans to fund research related to new standards work within the Internet Engineering Task Force (IETF) and to two existing proposals Secure BGP (S-BGP) and Secure Origin (SoBGP), by BBN Technologies and Cisco Systems respectively, which haven’t been deployed because they require router to manage too many layers of digital certificates according to security experts.
Securing The Internet’s Routing Infrastructure Is A Top Priority
If industry leaders and politicians hope to prevent potential expensive and damaging disruption to the Internet’s ability to carry important digital traffic, developing and deploying new secure protocols for the Internet must be a top priority for the new incoming Presidential administration and supporting governmental bodies and agencies.
A top official with DHS overseeing the development of the new BGPSEC says, “every instance of routing hijacks that has happened over the last several years are proof that [securing BGP] needs to be done.” The official also stated that the current BGP implementation allows bad guys to falsely advertise that they own a particular IP address space, and if people have no way to prove that they don’t, the current BPG implementation supports the hijack.
One can only hope that we are able to develop and implement a more secure Internet routing protocol before hackers or cyber terrorists have a chance to plot and carry out a large-scale attack on the Internet’s routing capabilities.