Now, as this research is being deployed across the Internet, DHS wants government agencies and their carriers to be among the earliest adopters of the new Resource Public Key Infrastructure (RPKI) system that it helped create.
DHS considers the RPKI system to be a much-needed first step in securing the Internet's core routing protocol, which is called the Border Gateway Protocol (BGP). In addition to its support of RPKI, DHS also has spent around $1 million on research and software development aimed at adding security directly to BGP.
RPKI helps improve routing security by adding a layer of encryption to the communications between Internet registries and network operators. With RPKI, network operators can verify that they have the authority to route traffic for a block of IP addresses or routing prefixes known as Autonomous System Numbers.
RPKI is similar to another new Internet security mechanism backed by DHS, which is DNS Security Extensions (DNSSEC). DNSSEC is an Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption. Federal agencies were required to adopt DNSSEC in 2009.
Network World interviewed Doug Maughan, director of the Cybersecurity Division within DHS' Science and Technology Directorate. Here are excerpts from that conversation with Maughan about RPKI and whether federal agencies and their carriers will be required to adopt it:
What is the status of DHS' research into routing security?
The majority of the projects are centered around RPKI and BGP security.
RPKI is moving forward in the Internet Engineering Task Force. We're trying to help ensure that the standards side of things progresses, so that we are not just creating a solution that's proprietary. We're funding the software development side of things to ensure that when we have an agreed-upon protocol specification for RPKI, we also have working software that can be open sourced to the community. We will continue to fund that software development for RPKI in 2011 as well as the standards activity.
The second piece of our effort is BGP security, which is the development of a new protocol specification. It's in progress. We expect it to be released this fiscal year, and that it will go through an iteration or two within the IETF, which will take us a year or two. We've already started to do an implementation. It changes the way BGP works, just like we did with DNSSEC. At some point in the near future, we will release the design and then make an open source version of the BGP security protocol available.