[lacnog] RV: NWW: Fix to Chinese Internet traffic hijack due in January
alvaro.sanchez en adinet.com.uy
Wed Dec 8 16:23:29 BRST 2010
----Original message----
From: eugen en leitl.org
Date: 08/12/2010 16:13
To: "NANOG list"<nanog en nanog.org>
Subject: NWW: Fix to Chinese Internet traffic hijack due in January
http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2010/120710-chinese-internet-traffic-fix.html&pagename=/news/2010/120710-chinese-internet-traffic-fix.html&pageurl=http://www.networkworld.com/news/2010/120710-chinese-internet-traffic-fix.html&site=printpage&nsdr=n
Fix to Chinese Internet traffic hijack due in January
Registries to issue digital certificates for verifying IP addresses, routing prefixes
By Carolyn Duffy Marsan, Network World
December 07, 2010 11:39 AM ET
Policymakers disagree about whether the recent Chinese hijacking of Internet traffic was malicious or accidental, but there's no question about the underlying cause of this incident: the lack of built-in security in the Internet's main routing protocol.
Network engineers have been talking about this weakness in the Internet infrastructure for a decade. Now a fix is finally on the way.
Beginning Jan. 1, Internet registries will add a layer of encryption to their operations so that ISPs and other network operators can verify that they have the authority to route traffic for a block of IP addresses or routing prefixes known as Autonomous System Numbers.
The fix, known as Resource Public Key Infrastructure (RPKI), is not perfect. It will require adoption by all of the Internet registries as well as major ISPs before it can provide a significant amount of protection against incidents such as when China Telecom hijacked 15% of the world's Internet traffic in April.
Proponents of RPKI say it is a much-needed first step in improving the security of the Border Gateway Protocol (BGP), which is the core routing protocol of the Internet.
Not everyone believes it will work.
At a minimum, RPKI, if widely adopted, should prevent ISPs from accidentally disrupting the flow of Internet traffic with erroneous routing information.
Geoff Huston, chief scientist at the Asia Pacific Network Information Centre (APNIC), says RPKI will eliminate many routing incidents including the China Telecom hijacking when it is coupled with follow-on work aimed at securing BGP routes.
"The intent of the overall work, which involves the RPKI as the underlying security platform and secure BGP as a way of introducing signed credentials into the routing system, is to make lies in the routing system automatically detectable and, therefore, automatically removable," Huston says. "It will eliminate a large class of problems ... Such a system would directly address the [China Telecom] incident."
The RPKI development effort was funded in part by the U.S. Department of Homeland Security, which has made bolstering the security of the Internet's routing system a key cybersecurity initiative.
How quickly RPKI will be adopted is unknown. Among the companies that have helped design RPKI are Cisco, Google, Deutsche Telecom, NTT, Sprint and Equinix.
"RPKI will solve the vast majority of routing problems that crop up, but it's not the final solution," says Stephen Kent, chief scientist for information security at Raytheon BBN Technologies and a contributor to the RPKI standards effort.
Kent says RPKI must be followed by adding security for route paths to BGP, which is under development. This BGP update will take longer and be more expensive to deploy than RPKI because it will require network operators to upgrade their routers.
"If it turns out that RPKI solves 80% or 90% of the issues, then there is a tremendous benefit from that," Kent says. "RPKI is the basis for doing the fancier stuff later."
Routing attacks multiply
The China Telecom incident is the latest in a string of high-profile Internet routing attacks, such as when Pakistan Telecom brought down YouTube's Web site for two hours in February 2008 or when Malaysian ISP DataOne hijacked traffic to Yahoo's Santa Clara data center in May 2004.
RPKI was created by the Internet Engineering Task Force's Secure Inter-Domain Routing (SIDR) working group, which has been working on routing security since 2005.
RPKI allows ISPs and other network operators to generate digital signatures that verify that they have the authority to make changes to Internet resources such as IP addresses or routing prefixes.
Most of the standards documents that describe how RPKI works are in the final stages of approval at the IETF.
"There's been a push to get these documents out and approved," Kent says. "I think they will be popping out through the ... first quarter of next year."
One factor driving the release of the RPKI standards is that the regional Internet registries have already committed to start issuing production-quality certificates to their members.
The registries have been working for several years to get the processes, procedures and software in place to support RPKI. They've also been improving the accuracy of their databases that list which IP addresses and routing prefixes are allocated to particular network operators.
APNIC already has a resource certification system in production mode. Several other registries, including Europe's RIPE NCC, plan to go live with their implementations of RPKI on Jan. 1, 2011.
The American Registry for Internet Numbers (ARIN), which provides IP addresses and routing prefixes to ISPs in North America, said it will support RPKI in the second quarter of 2011.
"ARIN plans to release a production-grade Resource Certification service early in the second quarter of 2011," says Mark Kosters, CTO of ARIN. "There is a pilot program as an interim measure that has been in place since June 2009."
Network operators must verify their IP addresses and routing prefixes with their registries through the new RPKI system, and they will need to check the authoritative database created by the registries to construct their routing filters. Various organizations including Raytheon BBN have created open source software to handle this extra network management function.
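To make concrete what "checking the authoritative database to construct routing filters" means, here is an added example (not code from the article, the registries or Raytheon BBN) of the route origin validation step an operator runs against registry-issued Route Origin Authorizations: each BGP announcement is classified as Valid, Invalid or NotFound and Invalid ones are dropped from the filter. The ROA list, prefixes (documentation ranges) and AS numbers (private-use range) are constructed for illustration, not real registry data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization as a registry would publish it."""
    prefix: str       # IP prefix the resource holder is authorised for
    max_length: int   # longest prefix length the holder may announce
    origin_asn: int   # AS number allowed to originate the prefix


# Constructed sample ROAs: documentation prefixes and private-use ASNs,
# standing in for what an operator would fetch from its registry.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
]


def validate_origin(roas, announced_prefix, origin_asn):
    """Classify one announcement as Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = [
        r for r in roas
        if ipaddress.ip_network(r.prefix).version == net.version
        and net.subnet_of(ipaddress.ip_network(r.prefix))
    ]
    if not covering:
        return "NotFound"      # no ROA says anything about this space
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"           # wrong origin AS, or prefix too specific


def filter_announcements(roas, announcements):
    """Keep Valid and NotFound announcements, drop Invalid ones."""
    return [
        (prefix, asn) for prefix, asn in announcements
        if validate_origin(roas, prefix, asn) != "Invalid"
    ]


if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64496),     # the legitimate holder
        ("192.0.2.0/24", 64511),     # same prefix from an unauthorised AS
        ("198.51.100.0/25", 64497),  # holder, but more specific than allowed
        ("203.0.113.0/24", 64498),   # no ROA covers this prefix
    ]
    for prefix, asn in announcements:
        print(prefix, asn, validate_origin(SAMPLE_ROAS, prefix, asn))
```

The NotFound outcome is why the article stresses adoption: a hijack of a prefix whose holder never registered a ROA is indistinguishable from an ordinary unregistered route.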
"For the really small ISPs, the Web portal design by [registries] makes this trivial. They have to do it once, and set it and forget it," Kent says. "If you're a big ISP, then it will take more effort to integrate [RPKI] into your overall system."
Enterprises that multi-home their networks, or split their network traffic between multiple carriers, can take advantage of RPKI if they want the extra protection it provides.
Huston says enterprise network managers should support the RPKI effort because it bolsters the security of the Internet's routing infrastructure and protects against snooping, traffic redirection, distributed denial of service and man-in-the-middle attacks.
"Everyone ultimately relies on the public network," Huston says. "Enterprise folk use it for VPNs, they use it for public facing services, they use it for business-to-business communication. If you can subvert the integrity of the routing system and send packets to the wrong places, all kinds of risks ensue."
Doubts about RPKI
Not everyone thinks RPKI is going to work.
"I'm not wildly optimistic about it," says Bill Woodcock, research director for the Packet Clearing House, which offers open source software called the Prefix Sanity Checker that's used by ISPs to check BGP routing filters for errors.
"The theory behind RPKI is that you would do a cryptographic signing of your routing announcements and that other people would build filters to not allow routes that didn't include that cryptographic signature," Woodcock explains. "It's more complicated than our software, and it only works if the person on the other end has done this crypto operation."
Woodcock says network operators are notoriously bad at maintaining current information about their IP addresses and routing prefixes in databases operated by the regional registries. And they're also lax about using software such as Prefix Sanity Checker to avoid typographical errors. That's why he thinks it's unlikely that enough ISPs will deploy something as complex as RPKI.
"There's no user demand for this, which is going to make it hard to cram down the throats of network operators," Woodcock adds.
Woodcock says network operators misconfigure routers regularly, and that there's no reason to believe the China Telecom incident is anything other than another mistake.
"This was an embarrassment for the entire world to see," he says. "If it had been malicious, it's very likely it would have taken a very different form. ... The things to look for in a real attack would be specific individual targets whose traffic was being diverted and a cover-up of that. This was so obvious and blatant."
Craig Labovitz, chief scientist at Arbor Networks, says he can't tell if the China Telecom incident was accidental or malicious. Labovitz studied errors in routing prefixes for his PhD research 15 years ago.
"I just don't know" if China Telecom was being malicious, Labovitz says. "We've seen many errors in the past: errors and fat fingers and incompetence. But at the same time, we've seen malicious use of BGP by spammers."
Labovitz says network operators can take steps such as filtering router announcements to avoid these kinds of traffic hijacking incidents between now and when RPKI is widely deployed.
"There are things that can be done today without any additional spending, without upgrading routers, but they are just not being done," Labovitz says. "A best common practice for ISPs is that you should filter routing announcements from your customers. It's a little bit depressing that after 15 years, we have large sections of the Internet that are not following best common engineering packages."
Labovitz says it may take a more significant routing incident than China Telecom's to prompt deployment of RPKI and BGP security. He points to the example of the Kaminsky threat, which is propelling domain name registries to support new security measures.
DNS security "took an event that was so scary to force action," Labovitz says. "Maybe the growing number of BGP incidents will be enough to drive industry and government consensus to act ... I think this is something that we need to fix, and we are on borrowed time."
More information about the LACNOG mailing list