Skip Links

U.S. plots major upgrade to Internet router security

Millions to be spent adding cryptography to BGP

By , Network World
January 15, 2009 03:06 PM ET

Network World - The U.S. federal government is accelerating its efforts to secure the Internet's routing system, with plans this year for the Department of Homeland Security to quadruple its investment in research aimed at adding digital signatures to router communications.

DHS says its routing security effort will prevent routing hijack attacks as well as accidental misconfigurations of routing data. The effort is nicknamed BGPSEC because it will secure the Internet's core routing protocol known as the Border Gateway Protocol (BGP). (A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.)

Read about the six worst Internet routing attacks.

Douglas Maughan, program manager for cybersecurity R&D in the DHS Science and Technology Directorate, says his department's spending on router security will rise from around $600,000 per year during the last three years to approximately $2.5 million per year starting in 2009. (Read about "4 open source BGP projects being funded.") 

"BGPSEC is going to take a couple of years to go through the process of development and prototypes and standardization," Maughan says. "We're really talking . . . four years out, if not longer, before we see deployment."

Experts hailed the move, saying BGP is one of the Internet's weakest links.

"The reason BGP problems are so serious is that they attack the Internet infrastructure, rather than particular hosts. This is why it is a DHS-type of problem," says Steve Bellovin, a professor of computer science at Columbia University who has worked with DHS on routing security.

BGP is "one of the largest threats on the Internet. It's incredible -- the insecurity of the routing system," says Danny McPherson, CSO at Arbor Networks. "Over the last 15 years, the security of the Internet routing system has done nothing but deteriorate."

McPherson says routing security has been a chicken-and-egg problem for the Internet engineering community.

"There doesn't exist a formally verifiable source for who owns what address space on the Internet, and absent that you can't really validate the routing system," McPherson says.

With its extra funding, DHS hopes to develop ways to authenticate IP address allocations as well as router announcements about how to reach blocks of IP addresses.

"The hijacking attempts that have gone on with routing are much more nefarious than the ones in the DNS," says Mark Kosters, CTO of the American Registry for Internet Numbers (ARIN), adding that DNS attacks tend to get more press. "People don't realize how open for attack the BGP structure is. The DHS effort is trying to close that all up."

BGP security targeted in 2003

The U.S. federal government first discussed the vulnerability of the Internet's routing system in its "National Strategy to Secure Cyberspace,"  which was issued in 2003. The Presidential directive identified two Internet protocols -- BGP and DNS -- that require modifications to make them more secure and robust.

Since then, the feds have made progress on adding authentication to DNS. Last fall, the U.S. federal government announced that it would adopt DNS security extensions known as DNSSEC across its .gov domain by the end of 2009. The feds also are exploring ways to deploy DNSSEC on the DNS root servers

The federal push for DNSSEC gained momentum last summer after a significant DNS vulnerability was discovered. Security researcher Dan Kaminsky discovered a DNS bug that allows for cache poisoning attacks, with which a hacker redirects traffic from a legitimate Web site to a fake one without the user knowing.

DNSSEC prevents hackers from hijacking Web traffic by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption

Now the feds are looking to add digital signatures and a public-key infrastructure to routing information, which is vulnerable to attack when it is shared between numbering registries, ISPs and enterprises.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News