[lacnog] RV: NWW: Fix to Chinese Internet traffic hijack due in January
Arturo Servin
aservin en lacnic.net
Wed Dec 8 17:32:00 BRST 2010
RPKI is moving along little by little.
It is still early to say whether it will succeed or fail. As with IPv6 and DNSSEC, the more people participate, the better the system gets and the more efficient it becomes. In January one piece of the puzzle will be working: the certificate repositories and the ability for operators to create their objects to authorize routes.
By mid-year there will surely be improvements to these systems, among them the ability for operators to have their own CA.
Other pieces of the puzzle that are ready are the caches that will access the central repositories to make the certificates available more efficiently, the repository validators, the protocol for communication with the routers and the route validation protocol. Here there are already some implementations, and we hope there will be more cache software in 2011.
A critical piece that is missing is the software on the routers. I know Cisco is working on theirs, but I am not aware of other vendors such as Juniper or Alcatel. Nor am I aware that it has been implemented in the open source implementations Quagga and Xorp. However, if we are optimistic we could have some results during 2011.
In general, as I said at the beginning, RPKI is moving along little by little but at a steady pace.
Regards,
-as
On 8 Dec 2010, at 16:23, alvaro.sanchez en adinet.com.uy wrote:
>
>
> ----Original message----
> From: eugen en leitl.org
> Date: 08/12/2010 16:13
> To: "NANOG list"<nanog en nanog.org>
> Subject: NWW: Fix to Chinese Internet traffic hijack due in January
>
>
> http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2010/120710-chinese-internet-traffic-fix.html&pagename=/news/2010/120710-chinese-internet-traffic-fix.html&pageurl=http://www.networkworld.com/news/2010/120710-chinese-internet-traffic-fix.html&site=printpage&nsdr=n
>
> Fix to Chinese Internet traffic hijack due in January
>
> Registries to issue digital certificates for verifying IP addresses, routing prefixes
>
> By Carolyn Duffy Marsan, Network World
>
> December 07, 2010 11:39 AM ET
>
> Policymakers disagree about whether the recent Chinese hijacking of Internet traffic was malicious or accidental, but there's no question about the underlying cause of this incident: the lack of built-in security in the Internet's main routing protocol.
>
> Network engineers have been talking about this weakness in the Internet infrastructure for a decade. Now a fix is finally on the way.
>
> Beginning Jan. 1, Internet registries will add a layer of encryption to their operations so that ISPs and other network operators can verify that they have the authority to route traffic for a block of IP addresses or routing prefixes known as Autonomous System Numbers.
>
> The fix, known as Resource Public Key Infrastructure (RPKI), is not perfect. It will require adoption by all of the Internet registries as well as major ISPs before it can provide a significant amount of protection against incidents such as when China Telecom hijacked 15% of the world's Internet traffic in April.
>
> Proponents of RPKI say it is a much-needed first step in improving the security of the Border Gateway Protocol (BGP), which is the core routing protocol of the Internet.
>
> Not everyone believes it will work.
>
> At a minimum, RPKI, if widely adopted, should prevent ISPs from accidentally disrupting the flow of Internet traffic with erroneous routing information.
>
> Geoff Huston, chief scientist at the Asia Pacific Network Information Centre (APNIC), says RPKI will eliminate many routing incidents including the China Telecom hijacking when it is coupled with follow-on work aimed at securing BGP routes.
>
> "The intent of the overall work, which involves the RPKI as the underlying security platform and secure BGP as a way of introducing signed credentials into the routing system, is to make lies in the routing system automatically detectable and, therefore, automatically removable," Huston says. "It will eliminate a large class of problems ... Such a system would directly address the [China Telecom] incident."
>
> The RPKI development effort was funded in part by the U.S. Department of Homeland Security, which has made bolstering the security of the Internet's routing system a key cybersecurity initiative.
>
> How quickly RPKI will be adopted is unknown. Among the companies that have helped design RPKI are Cisco, Google, Deutsche Telekom, NTT, Sprint and Equinix.
>
> "RPKI will solve the vast majority of routing problems that crop up, but it's not the final solution," says Stephen Kent, chief scientist for information security at Raytheon BBN Technologies and a contributor to the RPKI standards effort.
>
> Kent says RPKI must be followed by adding security for route paths to BGP, which is under development. This BGP update will take longer and be more expensive to deploy than RPKI because it will require network operators to upgrade their routers.
>
> "If it turns out that RPKI solves 80% or 90% of the issues, then there is a tremendous benefit from that," Kent says. "RPKI is the basis for doing the fancier stuff later."
>
> Routing attacks multiply
>
> The China Telecom incident is the latest in a string of high-profile Internet routing attacks, such as when Pakistan Telecom brought down YouTube's Web site for two hours in February 2008 or when Malaysian ISP DataOne hijacked traffic to Yahoo's Santa Clara data center in May 2004.
>
> RPKI was created by the Internet Engineering Task Force's Secure Inter-Domain Routing (SIDR) working group, which has been working on routing security since 2005.
>
> RPKI allows ISPs and other network operators to generate digital signatures that verify that they have the authority to make changes to Internet resources such as IP addresses or routing prefixes.
>
> Most of the standards documents that describe how RPKI works are in the final stages of approval at the IETF.
>
> "There's been a push to get these documents out and approved," Kent says. "I think they will be popping out through the ... first quarter of next year."
>
> One factor driving the release of the RPKI standards is that the regional Internet registries have already committed to start issuing production-quality certificates to their members.
>
> The registries have been working for several years to get the processes, procedures and software in place to support RPKI. They've also been improving the accuracy of their databases that list which IP addresses and routing prefixes are allocated to particular network operators.
>
> APNIC already has a resource certification system in production mode. Several other registries, including Europe's RIPE NCC, plan to go live with their implementations of RPKI on Jan. 1, 2011.
>
> The American Registry for Internet Numbers (ARIN), which provides IP addresses and routing prefixes to ISPs in North America, said it will support RPKI in the second quarter of 2011.
>
> "ARIN plans to release a production-grade Resource Certification service early in the second quarter of 2011," says Mark Kosters, CTO of ARIN. "There is a pilot program as an interim measure that has been in place since June 2009."
>
> Network operators must verify their IP addresses and routing prefixes with their registries through the new RPKI system, and they will need to check the authoritative database created by the registries to construct their routing filters. Various organizations including Raytheon BBN have created open source software to handle this extra network management function.
>
> "For the really small ISPs, the Web portal design by [registries] makes this trivial. They have to do it once, and set it and forget it," Kent says. "If you're a big ISP, then it will take more effort to integrate [RPKI] into your overall system."
>
> Enterprises that multi-home their networks, or split their network traffic between multiple carriers, can take advantage of RPKI if they want the extra protection it provides.
>
> Huston says enterprise network managers should support the RPKI effort because it bolsters the security of the Internet's routing infrastructure and protects against snooping, traffic redirection, distributed denial of service and man-in-the-middle attacks.
>
> "Everyone ultimately relies on the public network," Huston says. "Enterprise folk use it for VPNs, they use it for public facing services, they use it for business-to-business communication. If you can subvert the integrity of the routing system and send packets to the wrong places, all kinds of risks ensue."
>
> Doubts about RPKI
>
> Not everyone thinks RPKI is going to work.
>
> "I'm not wildly optimistic about it," says Bill Woodcock, research director for the Packet Clearing House, which offers open source software called the Prefix Sanity Checker that's used by ISPs to check BGP routing filters for errors.
>
> "The theory behind RPKI is that you would do a cryptographic signing of your routing announcements and that other people would build filters to not allow routes that didn't include that cryptographic signature," Woodcock explains. "It's more complicated than our software, and it only works if the person on the other end has done this crypto operation."
>
> Woodcock says network operators are notoriously bad at maintaining current information about their IP addresses and routing prefixes in databases operated by the regional registries. And they're also lax about using software such as Prefix Sanity Checker to avoid typographical errors. That's why he thinks it's unlikely that enough ISPs will deploy something as complex as RPKI.
>
> "There's no user demand for this, which is going to make it hard to cram down the throats of network operators," Woodcock adds.
>
> Woodcock says network operators misconfigure routers regularly, and that there's no reason to believe the China Telecom incident is anything other than another mistake.
>
> "This was an embarrassment for the entire world to see," he says. "If it had been malicious, it's very likely it would have taken a very different form. ... The things to look for in a real attack would be specific individual targets whose traffic was being diverted and a cover-up of that. This was so obvious and blatant."
>
> Craig Labovitz, chief scientist at Arbor Networks, says he can't tell if the China Telecom incident was accidental or malicious. Labovitz studied errors in routing prefixes for his PhD research 15 years ago.
>
> "I just don't know" if China Telecom was being malicious, Labovitz says. "We've seen many errors in the past: errors and fat fingers and incompetence. But at the same time, we've seen malicious use of BGP by spammers."
>
> Labovitz says network operators can take steps such as filtering router announcements to avoid these kinds of traffic hijacking incidents between now and when RPKI is widely deployed.
>
> "There are things that can be done today without any additional spending, without upgrading routers, but they are just not being done," Labovitz says. "A best common practice for ISPs is that you should filter routing announcements from your customers. It's a little bit depressing that after 15 years, we have large sections of the Internet that are not following best common engineering packages."
>
> Labovitz says it may take a more significant routing incident than China Telecom's to prompt deployment of RPKI and BGP security. He points to the example of the Kaminsky threat, which is propelling domain name registries to support new security measures.
>
> DNS security "took an event that was so scary to force action," Labovitz says. "Maybe the growing number of BGP incidents will be enough to drive industry and government consensus to act ... I think this is something that we need to fix, and we are on borrowed time."
>
> _______________________________________________
> LACNOG mailing list
> LACNOG en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
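The article describes the RPKI check loosely (filters that reject routes "that didn't include that cryptographic signature"). What a validating cache or router actually does with the data the registries publish is route origin validation: compare the origin AS and prefix length of a BGP announcement against the signed Route Origin Authorizations (ROAs) that cover the prefix, and label the announcement Valid, Invalid or NotFound (RFC 6811). The following is an added example, not code from the article, from the thread, or from any of the projects it names; the ROAs and announcements are constructed from documentation prefixes and documentation ASNs and are not registry data. It also covers two points the article does not spell out: a ROA's maxLength bounds how specific an announcement may be (so an unauthorized more-specific is Invalid even from the right AS), and an AS 0 ROA means no AS may originate the prefix.

```python
"""Route origin validation (ROV) against RPKI ROAs, per RFC 6811.

Added example: the ROAs and announcements below are constructed from
documentation prefixes (RFC 5737 / RFC 3849) and documentation ASNs
(RFC 5398); they are not data from any registry.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorization: <prefix, maxLength, origin AS>."""
    prefix: IPNetwork
    max_length: int
    asn: int


def make_roa(prefix: str, asn: int, max_length: Optional[int] = None) -> Roa:
    """Build a ROA; maxLength defaults to the prefix length (RFC 6482)."""
    net = ipaddress.ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return Roa(net, ml, asn)


def covering_roas(roas: Iterable[Roa], announced: IPNetwork) -> List[Roa]:
    """ROAs whose prefix covers the announced prefix (same address family)."""
    return [
        r for r in roas
        if r.prefix.version == announced.version and announced.subnet_of(r.prefix)
    ]


def validate(roas: Iterable[Roa], prefix: str, origin_asn: int) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for one BGP announcement.

    NotFound: no ROA covers the prefix (the holder has not registered it).
    Valid:    some covering ROA names this origin AS and its maxLength
              permits this prefix length.
    Invalid:  covered, but no ROA matches: wrong origin, a more specific
              than maxLength allows, or an AS 0 ROA (nobody may originate).
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, net)
    if not covering:
        return "NotFound"
    if origin_asn == 0:
        # RFC 7607: an announcement originated by AS 0 is always Invalid.
        return "Invalid"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def filter_announcements(
    roas: Iterable[Roa], announcements: Iterable[Tuple[str, int]], drop_invalid: bool = True
) -> Tuple[List[Tuple[str, int, str]], List[Tuple[str, int, str]]]:
    """Common operator policy: drop Invalid, accept Valid and NotFound.

    Returns (accepted, rejected) lists of (prefix, origin AS, state).
    """
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate(roas, prefix, asn)
        target = rejected if (state == "Invalid" and drop_invalid) else accepted
        target.append((prefix, asn, state))
    return accepted, rejected


# Constructed ROA set (what a cache would fetch from the RIR repositories).
ROAS = [
    make_roa("192.0.2.0/24", 64496),                    # maxLength defaults to /24
    make_roa("198.51.100.0/24", 64497, max_length=26),
    make_roa("203.0.113.0/24", 0),                      # AS 0: no one may originate
    make_roa("2001:db8::/32", 64498, max_length=48),
]

# Constructed announcements: (prefix, origin AS) as carried in BGP UPDATEs.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),        # Valid
    ("192.0.2.0/25", 64496),        # Invalid: more specific than maxLength
    ("192.0.2.0/24", 64499),        # Invalid: origin AS not authorized
    ("198.51.100.128/26", 64497),   # Valid: /26 is within maxLength 26
    ("198.51.100.128/27", 64497),   # Invalid: /27 exceeds maxLength
    ("203.0.113.0/24", 64496),      # Invalid: AS 0 ROA covers it
    ("2001:db8:1::/48", 64498),     # Valid
    ("2001:db8:1::/64", 64498),     # Invalid: /64 exceeds maxLength 48
    ("10.0.0.0/8", 64496),          # NotFound: no ROA covers it
]

if __name__ == "__main__":
    accepted, rejected = filter_announcements(ROAS, ANNOUNCEMENTS)
    for prefix, asn, state in accepted + rejected:
        print(f"{prefix:22} AS{asn:<6} {state}")
```

NotFound is accepted by the filter above because, while the registries are still rolling out certificates (the state the article describes), most of the routing table has no ROA yet; dropping NotFound would disconnect everything unregistered. The defensive choice that ROV actually buys is rejecting Invalid, which covers both the wrong-origin case and the more-specific-than-maxLength case, so a ROA with a generous maxLength (say a /16 with maxLength 24) leaves the holder exposed to an Invalid-free more-specific from the same AS number and is worth avoiding.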