Feds to Shore Up Net Security
The U.S. federal government is accelerating its efforts to secure the Internet's routing system, with plans this year for the Department of Homeland Security to quadruple its investment in research aimed at adding digital signatures to router communications.
DHS says its routing security effort will prevent routing hijack attacks as well as accidental misconfigurations of routing data. The effort is nicknamed BGPSEC because it will secure the Internet's core routing protocol known as the Border Gateway Protocol (BGP). (A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.)
Douglas Maughan, program manager for cybersecurity R&D in the DHS Science and Technology Directorate, says his department's spending on router security will rise from around $600,000 per year during the last three years to approximately $2.5 million per year starting in 2009.
"BGPSEC is going to take a couple of years to go through the process of development and prototypes and standardization," Maughan says. "We're really talking . . . four years out, if not longer, before we see deployment."
Experts hailed the move, saying BGP is one of the Internet's weakest links.
"The reason BGP problems are so serious is that they attack the Internet infrastructure, rather than particular hosts. This is why it is a DHS-type of problem," says Steve Bellovin, a professor of computer science at Columbia University who has worked with DHS on routing security.
BGP is "one of the largest threats on the Internet. It's incredible -- the insecurity of the routing system," says Danny McPherson, CSO at Arbor Networks. "Over the last 15 years, the security of the Internet routing system has done nothing but deteriorate."
McPherson says routing security has been a chicken-and-egg problem for the Internet engineering community.
"There doesn't exist a formally verifiable source for who owns what address space on the Internet, and absent that you can't really validate the routing system," McPherson says.
With its extra funding, DHS hopes to develop ways to authenticate IP address allocations as well as router announcements about how to reach blocks of IP addresses.
"The hijacking attempts that have gone on with routing are much more nefarious than the ones in the DNS," says Mark Kosters, CTO of the American Registry for Internet Numbers (ARIN), adding that DNS attacks tend to get more press. "People don't realize how open for attack the BGP structure is. The DHS effort is trying to close that all up."
BGP security targeted in 2003
The U.S. federal government first discussed the vulnerability of the Internet's routing system in its "National Strategy to Secure Cyberspace," which was issued in 2003. The strategy identified two Internet protocols -- BGP and DNS -- that require modifications to make them more secure and robust.
Since then, the feds have made progress on adding authentication to DNS. Last fall, the U.S. federal government announced that it would adopt DNS security extensions known as DNSSEC across its .gov domain by the end of 2009. The feds also are exploring ways to deploy DNSSEC on the DNS root servers.
The federal push for DNSSEC gained momentum last summer after a significant DNS vulnerability was discovered. Security researcher Dan Kaminsky found a flaw that makes cache poisoning practical: an attacker feeds a recursive resolver forged DNS answers, after which users of that resolver are sent to a fake Web site in place of the legitimate one without knowing it.
DNSSEC counters such attacks by letting zone operators sign their DNS records. A validating resolver checks the digital signatures (public-key cryptography, not encryption) and rejects forged answers that map a domain name to the wrong IP address.
Now the feds are looking to add digital signatures and a public-key infrastructure to routing information, which is vulnerable to attack when it is shared between numbering registries, ISPs and enterprises.
New BGP security measures would prevent incidents such as the one in February 2008, when Pakistan Telecom announced a more-specific prefix covering YouTube's address space in order to block the site domestically; the announcement leaked to the rest of the Internet and took YouTube offline for much of the world. Because the prefix was originated by the wrong autonomous system, RPKI-based origin checks alone would have flagged it; signed paths address the harder case of an attacker who forges the path itself.
Bellovin says most famous router-security breaches, including the Pakistan incident, were accidents.
"More and more of them, though, are malicious," Bellovin adds. "Every few weeks, there will be a posting to [the North American Network Operators Group] about some prefix hijacking."
DHS to fund multiple efforts
DHS is funding two key initiatives related to enhancing routing security: Resource Public Key Infrastructure (RPKI), which adds authentication to the delegation of IP address blocks by the registries to ISPs and enterprises; and BGPSEC, which adds digital signatures to BGP announcements. (Maughan says he's modeling the BGPSEC initiative after the agency's DNSSEC effort, which has involved the National Institute of Standards and Technology [NIST] and the Internet Engineering Task Force [IETF].)
With RPKI, the regional Internet registries are putting together a public key infrastructure whose certificates follow the delegation of IP address space and AS numbers from the Internet Assigned Numbers Authority (IANA) to the five regional Internet registries, including ARIN. The registries would then certify their own assignments of IP address prefixes and autonomous system numbers (ASNs) to network operators, so that a holder can prove which prefixes it is entitled to announce and from which AS.
"The idea here is that you'd like the delegation of address space to be secure or signed so it is not forgeable," Maughan says, adding that the RPKI initiative deals with the administrative side of IP address delegation. "The reason that's important is that when you start to do the routing protocol [security], you want the registry or registrar or ISP to be able within the protocol to authenticate that the address space they're claiming to have is theirs."
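As an added example (not from the article, and not any registry's or router vendor's code), here is the check a router or validator performs once the RPKI data Maughan describes exists. Each Route Origin Authorization (ROA) states which AS the certified holder of a prefix has authorised to originate it and how far it may be sub-delegated (the maximum prefix length). The three outcomes follow the origin-validation procedure the IETF later standardized as RFC 6811. The prefixes, AS numbers and ROAs are constructed from the documentation ranges for this example, not real registry data.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA is the content of a Route Origin Authorization: the holder of Prefix,
// proven by its RPKI certificate chain, authorises OriginAS to originate the
// prefix and any more-specific prefix no longer than MaxLen bits.
type ROA struct {
	Prefix   netip.Prefix
	MaxLen   int
	OriginAS uint32
}

// Validity is the three-state outcome of route origin validation.
type Validity int

const (
	NotFound Validity = iota // no ROA covers the announced prefix
	Valid                    // a covering ROA matches both origin AS and length
	Invalid                  // covering ROAs exist, but none matches
)

func (v Validity) String() string {
	return [...]string{"NotFound", "Valid", "Invalid"}[v]
}

// covers reports whether the ROA's prefix contains the announced prefix.
// Contains already returns false across address families.
func (r ROA) covers(p netip.Prefix) bool {
	return r.Prefix.Bits() <= p.Bits() && r.Prefix.Contains(p.Addr())
}

// ValidateOrigin checks one BGP announcement (prefix + origin AS) against the
// ROA set a validator has fetched and verified from the registries' repositories.
func ValidateOrigin(roas []ROA, announced netip.Prefix, originAS uint32) Validity {
	announced = announced.Masked()
	covered := false
	for _, r := range roas {
		if !r.covers(announced) {
			continue
		}
		covered = true
		if r.OriginAS == originAS && announced.Bits() <= r.MaxLen {
			return Valid
		}
	}
	if covered {
		return Invalid
	}
	return NotFound
}

// SampleROAs is constructed test data using documentation prefixes (RFC 5737,
// RFC 3849) and documentation AS numbers (RFC 5398); not real registry data.
func SampleROAs() []ROA {
	return []ROA{
		{netip.MustParsePrefix("192.0.2.0/24"), 24, 64496},
		{netip.MustParsePrefix("203.0.113.0/24"), 24, 64498},
		{netip.MustParsePrefix("2001:db8::/32"), 48, 64497},
	}
}

func main() {
	roas := SampleROAs()
	cases := []struct {
		prefix string
		origin uint32
	}{
		{"192.0.2.0/24", 64496},    // the authorised origin
		{"192.0.2.0/24", 64511},    // same prefix from a different AS: hijack
		{"203.0.113.0/25", 64511},  // more-specific hijack: covered, wrong AS
		{"203.0.113.0/25", 64498},  // right AS, but longer than MaxLen allows
		{"2001:db8:1::/48", 64497}, // IPv6 more-specific within MaxLen
		{"198.51.100.0/24", 64500}, // no ROA at all
	}
	for _, c := range cases {
		fmt.Printf("%-18s AS%-6d %s\n", c.prefix, c.origin,
			ValidateOrigin(roas, netip.MustParsePrefix(c.prefix), c.origin))
	}
}
```

The third case is the shape of the Pakistan Telecom incident: a more-specific prefix from an AS the holder never authorised. Two caveats a practitioner should keep in mind: an announcement with no covering ROA is NotFound rather than Invalid, so origin validation only bites for address space whose holders have actually issued ROAs; and it checks only the origin AS, not the path, so an attacker can prepend the legitimate origin to a forged AS path and pass this check. That gap is what signing the path itself, the BGPSEC part of the effort, is meant to close.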
APNIC, the Asia Pacific registry, and the European registry RIPE NCC are running RPKI prototypes. ARIN plans to offer a beta RPKI service in the second quarter, Kosters says.
Production-quality RPKI deployment is "still a couple of years out," Kosters adds.
"By the end of this year, the four biggest [registries] will be offering certificates to their members at least as a managed service," says Stephen Kent, chief scientist for information security at BBN Technologies. "The next big issue is getting the big ISPs who are their members involved. . . . The good news is that what we're talking about here requires no router hardware or software changes. That's an important thing to make it viable for the ISPs."
Despite its promise, RPKI is controversial because it gives unprecedented operational authority to IANA and the regional Internet registries. A registry that revokes, or declines to issue, the certificates for a block of IP addresses causes routers that enforce RPKI to treat routes to that block as invalid. That opens up the possibility that the registries could purposefully stop routing traffic to address space held in a rogue nation such as Iran or North Korea.
"If you use RPKI with BGP [security], you're fundamentally changing the Internet infrastructure. You're going from a distributed, autonomously operated routing structure to one with a root and authoritative sources," McPherson says. "We're going to have to accept that trade-off to secure the routing infrastructure.''
The next step is securing BGP itself so that routing announcements can be checked for authorization. Each BGP router keeps a table of IP address prefixes and, for each, the sequence of autonomous systems (the AS path) through which the block can be reached. Today, BGP has no built-in way to tell whether a route announcement is genuine or spoofed: a router accepts whatever its peers announce, subject only to whatever filters the operator configures by hand.
BGP is used by ISPs as well as enterprises that multihome their networks, which involves using more than one carrier for continuity of operations.
At issue is how to add digital signatures to BGP so that ISPs and enterprises can authenticate BGP updates, preventing hijacks in which an attacker redirects traffic by announcing a prefix it does not hold or a path it is not on, including the man-in-the-middle variant in which the attacker forwards the intercepted traffic on to its real destination.
"Every instance of routing hijacks that have happened over the last several years are proof that [securing BGP] needs to be done," Maughan says. "The way that the bad guys can do this is essentially advertise that they own the address space, and if people have no way to prove otherwise, then the protocol supports the hijack."
The Internet engineering community needs to develop a standard for securing BGP that involves as little cryptographic overhead as possible. The two existing proposals -- Secure BGP (S-BGP) by BBN's Kent and Secure Origin BGP (SoBGP) by Cisco -- haven't been deployed because they require routers to manage too many layers of digital certificates, experts say.
Maughan says DHS plans to fund research related to S-BGP and SoBGP as well as new standards work within the IETF.
"There hasn't been any new work in BGP security in a few years," Kent says, adding that he hopes to receive some of the new DHS funding. "DHS is attempting to re-initiate this work."
A secure routing infrastructure will require enterprises either to operate a certificate authority function themselves or to use the managed certificate service the registries plan to offer, so that they can digitally sign and certify that they hold a particular IP address block and have the authority to subdelegate it, outsource it or otherwise decide how its traffic is routed.
What securing BGP does is that "when somebody sends out an update that they are now routing traffic for a particular autonomous system, you can validate that because those BGP updates will be signed," Maughan says.
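To show what signed updates buy, here is an added, deliberately simplified path-signing scheme in Go. It is not the article's code and not BGPSEC's actual wire format (the IETF later specified that in RFC 8205, with ECDSA P-256 signatures over each hop's target AS and the previous hop's signature; this toy keeps that chaining idea and drops everything else). Each AS signs over the prefix, its own AS number, the neighbour it forwards the route to, and the previous hop's signature; the receiving AS checks the whole chain against a keyring that stands in for RPKI router certificates. The AS numbers and prefixes are documentation ranges constructed for the example, and GenKey is a stand-in for the key provisioning a real deployment would do through the RPKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hop is one signed segment of the path: AS Signer attests that it received
// the route for the prefix and passed it on to AS Target.
type Hop struct {
	Signer uint32
	Target uint32
	Sig    []byte
}

// SignedUpdate is a BGP UPDATE for one prefix together with its signature chain.
type SignedUpdate struct {
	Prefix string
	Hops   []Hop
}

// Keyring maps AS number to router public key; it stands in for the RPKI
// router certificates a real deployment would fetch and validate.
type Keyring map[uint32]*ecdsa.PublicKey

// GenKey makes a P-256 key pair for a router. Hypothetical stand-in for
// key provisioning: real router keys would be certified through the RPKI.
func GenKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// hopDigest binds the prefix, the signing AS, the AS it forwards to and the
// previous hop's signature, so hops cannot be added, removed or reordered.
func hopDigest(prefix string, signer, target uint32, prevSig []byte) []byte {
	h := sha256.New()
	h.Write([]byte(prefix))
	var b [8]byte
	binary.BigEndian.PutUint32(b[0:4], signer)
	binary.BigEndian.PutUint32(b[4:8], target)
	h.Write(b[:])
	h.Write(prevSig)
	return h.Sum(nil)
}

// Forward is what AS `as` does before announcing the update to neighbour
// `target`: it refuses updates that were not addressed to it and appends its
// own signature to the chain.
func Forward(u SignedUpdate, as uint32, priv *ecdsa.PrivateKey, target uint32) (SignedUpdate, error) {
	var prev []byte
	if n := len(u.Hops); n > 0 {
		if u.Hops[n-1].Target != as {
			return u, fmt.Errorf("AS%d: update was sent to AS%d, not to us", as, u.Hops[n-1].Target)
		}
		prev = u.Hops[n-1].Sig
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, hopDigest(u.Prefix, as, target, prev))
	if err != nil {
		return u, err
	}
	hops := append(append([]Hop(nil), u.Hops...), Hop{Signer: as, Target: target, Sig: sig})
	return SignedUpdate{Prefix: u.Prefix, Hops: hops}, nil
}

// Verify is what the receiving AS runs: every hop must carry a good signature
// from the AS it names, each hop must have been addressed to the next signer,
// and the final hop must name the receiver itself.
func Verify(u SignedUpdate, keys Keyring, receiver uint32) error {
	if len(u.Hops) == 0 {
		return errors.New("update carries no signatures")
	}
	var prev []byte
	for i, h := range u.Hops {
		if i > 0 && u.Hops[i-1].Target != h.Signer {
			return fmt.Errorf("hop %d: AS%d signed an update addressed to AS%d", i, h.Signer, u.Hops[i-1].Target)
		}
		pub, ok := keys[h.Signer]
		if !ok {
			return fmt.Errorf("hop %d: no router certificate for AS%d", i, h.Signer)
		}
		if !ecdsa.VerifyASN1(pub, hopDigest(u.Prefix, h.Signer, h.Target, prev), h.Sig) {
			return fmt.Errorf("hop %d: bad signature from AS%d", i, h.Signer)
		}
		prev = h.Sig
	}
	if last := u.Hops[len(u.Hops)-1]; last.Target != receiver {
		return fmt.Errorf("last hop was addressed to AS%d, not AS%d", last.Target, receiver)
	}
	return nil
}

func main() {
	// Constructed scenario with documentation AS numbers (RFC 5398):
	// AS64496 originates 192.0.2.0/24 -> AS64497 -> AS64498 (the verifier).
	k1, k2, kAttacker := GenKey(), GenKey(), GenKey()
	keys := Keyring{64496: &k1.PublicKey, 64497: &k2.PublicKey}

	u, _ := Forward(SignedUpdate{Prefix: "192.0.2.0/24"}, 64496, k1, 64497)
	u, _ = Forward(u, 64497, k2, 64498)
	fmt.Println("genuine path:  ", Verify(u, keys, 64498))

	// Hijack: AS64511 claims to originate the prefix but holds no certificate.
	forged, _ := Forward(SignedUpdate{Prefix: "192.0.2.0/24"}, 64511, kAttacker, 64498)
	fmt.Println("forged origin: ", Verify(forged, keys, 64498))

	// Tampering: swap the prefix inside a genuinely signed update.
	tampered := u
	tampered.Prefix = "203.0.113.0/24"
	fmt.Println("altered prefix:", Verify(tampered, keys, 64498))
}
```

Because the origin, every AS on the path and the neighbour each hop was sent to are all under signature, an attacker outside the path can neither claim the prefix (no certificate for its AS), impersonate a legitimate AS (wrong key), shorten the path by dropping a hop (the remaining last hop no longer names the receiver), nor replay a captured update to a different neighbour. What the toy does not cover is also instructive: it says nothing about whether the origin is entitled to the prefix (that is the ROA check), nothing about withdrawals, and it costs one signature verification per hop per update, which is exactly the cryptographic overhead the article says the engineering community wants to keep small.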
Major BGP attack needed?
Despite the federal efforts, some experts say the Internet engineering community needs a massive threat akin to the Kaminsky DNS bug before it will take action to secure BGP and the rest of the routing infrastructure.
"The real barrier to securing BGP is that we just haven't had a serious enough attack," Maughan says. "If people start losing significant money because there's some type of attack on the routing infrastructure, I think you'll see a whole lot more interest."
At last August's DEFCON show, a pair of security researchers detailed a BGP exploit that would allow an attacker to eavesdrop on unencrypted Internet traffic by tricking routers into re-directing traffic to the attacker's network. However, this type of BGP eavesdropping incident is rare.
"The most sophisticated attacks as was demonstrated at DEFCON are things that probably are not occurring very frequently because the bad guys have easier ways to accomplish what they are trying to do," Kent says.
The new BGPSEC funding falls under DHS' Secure Protocols for Routing Infrastructure program. Maughan says the agency received an additional $12.5 million appropriation for cybersecurity R&D in the federal 2009 budget, and between $2 million and $3 million of that money will go to improving router security.