Australian Geoff Huston is one of the foremost authorities on Internet routing and scaling issues. We sent Huston a few questions about the U.S. government's plan to bolster R&D to secure the Internet's core routing protocol, the Border Gateway Protocol (BGP). Here are excerpts from what Huston had to say:
What's your role in the U.S. Department of Homeland Security's Resource Public Key Infrastructure (RPKI) initiative [one of two key router security initiatives funded by DHS, the other being BGPSEC] and your involvement with the DHS on this?
I am the chief scientist at APNIC, the Regional Internet Registry (RIR) for the Asia Pacific Region, and in this role I have been leading the APNIC effort to introduce digital certification of number resources. I am also a co-chair of the Internet Engineering Task Force (IETF) Secure Inter-Domain Routing Working Group (SIDR WG), a group chartered to develop standard technologies intended to produce security mechanisms for inter-domain routing. I am not funded by the U.S. DHS, but I share their concern in this area. I collaborate with a number of researchers who are supported by U.S. research grants.
Can you explain in plain English what RPKI is trying to do and how it relates to improving the security of the Internet's routing system?
Attacks on the routing system can result in outcomes that pervert many conventional forms of security defense and happen in ways that are extremely difficult to detect. Routing attacks can "hijack" addresses, redirecting users' traffic to other than the intended destination, allowing an attacker to "spoof" the identity of the intended victim. Routing attacks also can redirect traffic flows, allowing an attacker to inspect transit traffic without the knowledge of either end party. And routing attacks can disrupt the network, causing chaos and disruption, either directed at a single victim, or more generally at a collection of addresses or at infrastructure elements such as DNS servers.
All these attacks rely on one feature of BGP: the ability for a party to "lie" in routing and for the lie to propagate across the entire network and not be readily and automatically detected as a lie. The RPKI is an essential component of a mechanism that allows such routing lies to be readily identifiable by everyone else using automated processes. In other words, the RPKI does not alter the basic mechanisms of inter-domain routing and does not stop malicious folk from attempting to generate lies in the inter-domain routing environment. But as the routing information is passed through the routing fabric, other parties can use tools and the information loaded into the RPKI to verify the accuracy and authenticity of routing information and correctly identify instances of invalid routing information or lies.
What is the status of the RPKI effort?
In software, a number of efforts are underway to provide tools that implement RPKI services. These include an RPKI software suite authored by APNIC, a set of tools produced by the Internet Software Consortium (ISC) supported by the American Registry for Internet Numbers, and tools developed by BBN.
In standards activity, we have submitted a number of documents to the SIDR WG for standardization that build upon earlier work of adding IP address attributes to digital certificates.
In late 2008, APNIC was the first RIR to include the publication of RPKI certificates as part of its set of services to APNIC resource holders. Holders of IP address resources that are administered by APNIC can now use the APNIC service system to generate digital certificates that can be used to verify digitally signed assertions about IP addresses and their use.
The next steps are to use this framework for the generation of tools that allow ISPs and enterprises to digitally sign "authorities" that relate to routing assertions and to provide tools that allow ISPs and others to validate routing information by matching these signed authorities to the routing information being passed through the inter-domain routing system. The specification of these tools is a task currently underway in the SIDR WG.
When is RPKI likely to be deployed?
Parts of the RPKI, specifically the certification of resources that are administered by APNIC, are already deployed. There are similar efforts underway in North America and in the European and the Middle East regions. So, I suppose, the best answer I can provide is: It's happening now.
When RPKI is deployed, will enterprise network managers need to do anything or upgrade anything or buy anything to be compatible with it?
In APNIC, we've tried hard to reduce the burden on the enterprise and the ISP. Some large organizations have made significant investments in PKI infrastructures and key management regimes, and it's fair to predict that they would like to operate RPKI systems as a completely in-house operation. To assist this category of users, the SIDR WG will provide them with standard specifications for the RPKI components that have been tested for interoperability across multiple implementations of the RPKI.
Others would be looking for an approach to using this technology that, preferably, does not involve additional cost. In APNIC, as part of our launch of RPKI services we've included the provision of an on-line hosted RPKI service for our members. APNIC members can use this online system to generate RPKI certificates, digitally sign routing authorities and attestations and validate these digitally signed objects through this hosted service. While enterprise network managers will need to invest some time and effort in understanding the value of the RPKI and the way in which it can be used to secure their routing advertisements, they will not need to purchase new equipment, devise new security processes or even upgrade their routing systems to use the RPKI. We've tried hard to create an option for enterprise network managers to include security in the routing infrastructure that is robust, fast, and without incremental cost.
The RPKI will allow the enterprise network manager to create a digital authority that states clearly and unambiguously: "These are my IP addresses, and this is my Autonomous System Number." It also allows the network manager to publicly attest: "I will advertise the following routes into the inter-domain routing system. If you see any other forms of routing advertisement of these addresses they are unauthorized, and should be discarded."
Can you explain how RPKI would work with the kind of BGP security mechanisms that DHS plans to help develop?
BGP is an information distribution protocol. It's a "flooding" protocol that allows one party to "create" a unique piece of information and all other parties to "hear" that information. The two questions that any approach to securing BGP must answer are: firstly, is the information that I am hearing an accurate copy of the original information that reflects reachability for legitimate addresses? And, secondly, is the information distribution function operating correctly, so that this information I am hearing is current and accurate in terms of the forwarding decision to reach that legitimate address?
The approach being developed in the SIDR WG allows for the holder of an address prefix to digitally sign an attestation relating to the authority to originate a routing advertisement, and using the RPKI publication mechanisms to distribute this authority. A receiver of a BGP update could check the information being provided in the update against the set of authorities published in the RPKI, and accept or reject the update based on "authentic" authorities published in the RPKI. BGP itself need not be altered at all, getting past one of the major impediments to adoption of secure routing, namely the need to upgrade routers with new versions of BGP. The nature of the RPKI is such that it is not possible to digitally sign over addresses that are not allocated to the signer. So signing over 'stolen' addresses is not possible in the context of the RPKI.
The second problem is related to the propagation of the information across the inter-domain routing space. There is still some active work in exploring the various alternatives in ways to secure the propagation path that is implicitly carried in the AS Path attributes of BGP updates. The SIDR WG intended to develop some approaches in this area once this exploratory work on security requirements reaches a sufficient level of clarity. It is anticipated that this work will commence in coming months.
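The origin-validation check described in the two preceding answers (an address holder publishes a signed authority stating "these are my addresses, this is my AS, and these are the routes I will originate"; a receiver compares each BGP update against the set of such authorities and discards what no authority covers) can be made concrete. The following is an added worked example, not code from the interview, APNIC, or the SIDR WG. It assumes the authorities have already been cryptographically validated by a separate step (only the resulting prefix, maxLength and ASN triples are used here), uses the validation outcomes Valid, Invalid and NotFound, and runs on constructed documentation prefixes and ASNs.

```python
"""Route Origin Validation of BGP updates against RPKI-derived authorities.

Added example. A Route Origin Authorization (ROA) here is the already-
validated payload: the holder of `prefix` authorises `asn` to originate
that prefix and any more-specific prefix up to `max_length`. Certificate
chain and signature checking is assumed to have happened upstream.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Network
    max_length: int
    asn: int          # AS 0 means "nobody may originate this prefix"


@dataclass(frozen=True)
class Route:
    prefix: Network
    origin_asn: int   # right-most AS in the update's AS_PATH


def make_roa(prefix: str, asn: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA; maxLength defaults to the prefix length (no more-specifics)."""
    net = ipaddress.ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not (net.prefixlen <= ml <= net.max_prefixlen):
        raise ValueError("maxLength must lie between prefix length and address size")
    return ROA(net, ml, asn)


def make_route(prefix: str, origin_asn: int) -> Route:
    return Route(ipaddress.ip_network(prefix, strict=True), origin_asn)


def validate(route: Route, roas: Iterable[ROA]) -> str:
    """Classify a route as Valid, Invalid or NotFound.

    NotFound: no ROA covers the announced prefix (nobody has published an authority).
    Valid:    some covering ROA names the announcing origin AS and the announced
              prefix is no longer than that ROA's maxLength.
    Invalid:  covered, but no ROA permits this origin/length (a "lie" to discard).
    """
    covering = [r for r in roas
                if r.prefix.version == route.prefix.version
                and route.prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    for r in covering:
        # An AS 0 ROA never matches a real origin, so it renders the prefix Invalid.
        if r.asn == route.origin_asn and route.prefix.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def filter_updates(routes: Iterable[Route], roas: Iterable[ROA]) -> List[Route]:
    """Policy a receiver might apply: drop Invalid, keep Valid and NotFound."""
    roas = list(roas)
    return [rt for rt in routes if validate(rt, roas) != "Invalid"]


def sample_roas() -> List[ROA]:
    """Constructed authorities using documentation address space and ASNs."""
    return [
        make_roa("203.0.113.0/24", 64496),          # /24 only, AS64496
        make_roa("2001:db8::/32", 64496, 48),       # up to /48, AS64496
        make_roa("192.0.2.0/24", 0),                # AS 0: must never be originated
    ]


def evaluate_sample() -> Dict[str, str]:
    """Run the validator over constructed updates a receiver might hear."""
    roas = sample_roas()
    cases = {
        "legit /24":            make_route("203.0.113.0/24", 64496),
        "hijack by other AS":   make_route("203.0.113.0/24", 64500),
        "more-specific /25":    make_route("203.0.113.0/25", 64496),
        "no authority at all":  make_route("198.51.100.0/24", 64500),
        "v6 within maxLength":  make_route("2001:db8:1::/48", 64496),
        "v6 beyond maxLength":  make_route("2001:db8:1::/64", 64496),
        "as0 protected prefix": make_route("192.0.2.0/24", 64496),
    }
    return {name: validate(rt, roas) for name, rt in cases.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_sample().items():
        print(f"{name:22s} -> {outcome}")
```

The "more-specific /25" case is the pattern worth noting: the announced prefix falls inside a signed authority, but the holder's maxLength says no more-specifics are permitted, so the update is Invalid and would be discarded even though the origin AS is the legitimate one. The NotFound outcome is deliberately kept, since rejecting every prefix without a published authority would disconnect address holders who have not yet adopted the RPKI.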
What work are you doing related to securing BGP?
I am the author of a number of Internet drafts on securing BGP, and I have written a number of papers and articles on the topic, so it's a topic that is very definitely part of my research interest at present.
I have been working with Prof. Grenville Armitage at the Swinburne University of Technology in looking at the dynamic behavior of BGP updates, and looking at ways in which simple local heuristics can be applied to the processing of BGP update messages. It is hoped that one outcome of this research program is a framework of processing BGP updates that would result in a significant reduction in the potential workload in validating the security credentials of BGP updates.
In your opinion, how important is it that the Internet routing protocols be secured via RPKI and some sort of BGP security extensions?
Routing remains the gaping hole of security. At the start of 2008, we saw YouTube taken offline globally by a routing mishap originating from Pakistan Telecom. "Lies" in routing are propagated all too readily, and that is a serious vulnerability in today's Internet.
If a "lie" about addresses and routing is successful, then many other attacks are possible. A victim's Web site can be hijacked by relocating the Web site's IP address through a routing hijack. More insidious forms of attack are possible in terms of impersonating the root of various trust systems, including the root of the DNS. This form of attack is difficult to detect, and the potential ability to perform an attack with multiple levels of indirection makes tracing the attack very challenging.
There is also the potential of causing chaos and disruption by injecting false routing information that simply 'black holes' traffic, prevents DNS resolution and takes down a large amount of infrastructure and services. Injection of false routes for a large set of addresses has the potential to "turn off" entire countries or regions… that starts to get into various cyber war scenarios.
The "attack" on Estonia in May of 2007 was a simple ping flood attack. Imagine if the attack was of the nature of a BGP attack that redirected traffic directed to Estonian network addresses to a non-existent sink point. The result would be in effect the disconnection of the entire national infrastructure.
How significant is it that the Department of Homeland Security is going to significantly boost its investments related to RPKI and BGP security this year?
Part of the problem with working on security-related activities is that it's simultaneously everyone's problem and no one's problem. No individual ISP can "solve" secure inter-domain routing independently of everyone else also "solving" the problem, so the work often gets put into the "too hard" basket and no one finds it in their individual interest to work on the problem.
That's where folk like the U.S. DHS, and folk like APNIC and ARIN and the RIPE NCC of course can make a difference, because one thing we can do is take a bigger picture perspective and work on problems that are indeed everyone's problem, and create solutions that can be picked up by industry in a manner that creates a better networked environment for everyone, users, network operators, service providers and enterprises alike.
So I view the DHS efforts as being very positive in this area, and we look forward to working with the DHS folk and the programs they will be supporting as part of their activities. Obviously we all want to work off a common script and common theme in this space and DHS has been a very beneficial influence in such collaborative efforts.