Will feds mandate Internet routing security?

DHS wants federal agencies, carriers to adopt emerging routing security standards

By , Network World
December 15, 2010 06:04 AM ET

Network World - The U.S. Department of Homeland Security has spent $3 million over the past few years on research aimed at bolstering the security of the Internet's routing system.

Now, as this research is being deployed across the Internet, DHS wants government agencies and their carriers to be among the earliest adopters of the new Resource Public Key Infrastructure (RPKI) system that it helped create.

DHS considers the RPKI system to be a much-needed first step in securing the Internet's core routing protocol, which is called the Border Gateway Protocol (BGP). In addition to its support of RPKI, DHS also has spent around $1 million on research and software development aimed at adding security directly to BGP.

RPKI helps improve routing security by adding a layer of encryption to the communications between Internet registries and network operators. With RPKI, network operators can verify that they have the authority to route traffic for a block of IP addresses or routing prefixes known as Autonomous System Numbers.

RPKI is designed to prevent Internet routing attacks and accidents, such as the recent China Telecom Internet traffic hijacking incident that has received attention on Capitol Hill.
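
The origin check that RPKI data makes possible, shown as an added example (not code from this article or from the DHS-funded software): each BGP announcement's prefix and origin AS is compared against route origin authorizations (ROAs), giving the three outcomes defined in the IETF's prefix origin validation procedure (RFC 6811). The `ROA` class, `validate_origin` function, and all prefixes and AS numbers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One route origin authorization: who may originate which block."""
    prefix: str      # address block the holder authorized
    max_length: int  # longest prefix length the origin may announce
    asn: int         # AS authorized to originate the block


# Constructed sample data (documentation prefixes and ASNs, not real routes).
SAMPLE_ROAS = [
    ROA("198.51.100.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]


def validate_origin(prefix, origin_asn, roas=SAMPLE_ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # Only ROAs of the same address family that contain the route count.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # Origin AS must match and the route must not be more specific
        # than the holder allowed.
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but never matched: wrong origin or too specific.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    announcements = [  # constructed announcements
        ("198.51.100.0/24", 64496),    # authorized origin
        ("198.51.100.0/24", 64511),    # same block, unauthorized origin
        ("198.51.100.128/25", 64496),  # more specific than max_length
        ("192.0.2.0/24", 64500),       # no ROA covers this block
        ("2001:db8:1::/48", 64496),    # IPv6 within max_length
    ]
    for prefix, asn in announcements:
        print(f"{prefix:<20} AS{asn:<6} {validate_origin(prefix, asn)}")
```

An `invalid` result is the signal an operator can use to reject or deprioritize a mis-originated route, while `not-found` only means no authorization has been published for that block.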

RPKI is similar to another new Internet security mechanism backed by DHS: DNS Security Extensions (DNSSEC). DNSSEC is an Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption. Federal agencies were required to adopt DNSSEC in 2009.

Network World interviewed Doug Maughan, director of the Cybersecurity Division within DHS' Science and Technology Directorate. Here are excerpts from that conversation with Maughan about RPKI and whether federal agencies and their carriers will be required to adopt it:

What is the status of DHS' research into routing security?

The majority of the projects are centered around RPKI and BGP security.

RPKI is moving forward in the Internet Engineering Task Force. We're trying to help ensure that the standards side of things progresses, so that we are not just creating a solution that's proprietary. We're funding the software development side of things to ensure that when we have an agreed-upon protocol specification for RPKI, we also have working software that can be open sourced to the community. We will continue to fund that software development for RPKI in 2011 as well as the standards activity.

The second piece of our effort is BGP security, which is the development of a new protocol specification. It's in progress. We expect it to be released this fiscal year, and that it will go through an iteration or two within the IETF, which will take us a year or two. We've already started to do an implementation. It changes the way BGP works, just like we did with DNSSEC. At some point in the near future, we will release the design and then make an open source version of the BGP security protocol available.