
Fix to Chinese Internet traffic hijack due in January

Registries to issue digital certificates for verifying IP addresses, routing prefixes

By , Network World
December 07, 2010 11:39 AM ET

Network World - Policymakers disagree about whether the recent Chinese hijacking of Internet traffic was malicious or accidental, but there's no question about the underlying cause of this incident: the lack of built-in security in the Internet's main routing protocol.

Network engineers have been talking about this weakness in the Internet infrastructure for a decade. Now a fix is finally on the way.


Beginning Jan. 1, Internet registries will add a layer of encryption to their operations so that ISPs and other network operators can verify that they have the authority to route traffic for a block of IP addresses or routing prefixes known as Autonomous System Numbers.

The fix – known as Resource Public Key Infrastructure (RPKI) – is not perfect. It will require adoption by all of the Internet registries as well as major ISPs before it can provide a significant amount of protection against incidents such as when China Telecom hijacked 15% of the world's Internet traffic in April.  

Proponents of RPKI say it is a much-needed first step in improving the security of the Border Gateway Protocol (BGP), which is the core routing protocol of the Internet.

Not everyone believes it will work.

At a minimum, RPKI, if widely adopted, should prevent ISPs from accidentally disrupting the flow of Internet traffic with erroneous routing information.

Geoff Huston, chief scientist at the Asia Pacific Network Information Centre (APNIC), says RPKI will eliminate many routing incidents including the China Telecom hijacking when it is coupled with follow-on work aimed at securing BGP routes.

"The intent of the overall work, which involves the RPKI as the underlying security platform and secure BGP as a way of introducing signed credentials into the routing system, is to make lies in the routing system automatically detectable and, therefore, automatically removable," Huston says. "It will eliminate a large class of problems… Such a system would directly address the [China Telecom] incident."

The RPKI development effort was funded in part by the U.S. Department of Homeland Security, which has made bolstering the security of the Internet's routing system a key cybersecurity initiative.

How quickly RPKI will be adopted is unknown. Among the companies that have helped design RPKI are Cisco, Google, Deutsche Telekom, NTT, Sprint and Equinix.

"RPKI will solve the vast majority of routing problems that crop up, but it's not the final solution," says Stephen Kent, chief scientist for information security at Raytheon BBN Technologies and a contributor to the RPKI standards effort.

Kent says RPKI must be followed by adding security for route paths to BGP, which is under development. This BGP update will take longer and be more expensive to deploy than RPKI because it will require network operators to upgrade their routers.

"If it turns out that RPKI solves 80% or 90% of the issues, then there is a tremendous benefit from that," Kent says. "RPKI is the basis for doing the fancier stuff later."
