Fix to Chinese Internet traffic hijack due in January

Registries to issue digital certificates for verifying IP addresses, routing prefixes

Policymakers disagree about whether the recent Chinese hijacking of Internet traffic was malicious or accidental, but there's no question about the underlying cause of this incident: the lack of built-in security in the Internet's main routing protocol.

Network engineers have been talking about this weakness in the Internet infrastructure for a decade. Now a fix is finally on the way.

Six worst Internet routing attacks

Beginning Jan. 1, Internet registries will add a layer of encryption to their operations so that ISPs and other network operators can verify that they have the authority to route traffic for a block of IP addresses or routing prefixes known as Autonomous System Numbers.

The fix – known as Resource Public Key Infrastructure (RPKI) – is not perfect. It will require adoption by all of the Internet registries as well as major ISPs before it can provide a significant amount of protection against incidents such as when China Telecom hijacked 15% of the world's Internet traffic in April.  

Proponents of RPKI say it is a much-needed first step in improving the security of the Border Gateway Protocol (BGP), which is the core routing protocol of the Internet.

Not everyone believes it will work.

At a minimum, RPKI, if widely adopted, should prevent ISPs from accidentally disrupting the flow of Internet traffic with erroneous routing information.

Geoff Huston, chief scientist at the Asia Pacific Network Information Centre (APNIC), says RPKI will eliminate many routing incidents including the China Telecom hijacking when it is coupled with follow-on work aimed at securing BGP routes.

"The intent of the overall work, which involves the RPKI as the underlying security platform and secure BGP as a way of introducing signed credentials into the routing system, is to make lies in the routing system automatically detectable and, therefore, automatically removable," Huston says. "It will eliminate a large class of problems…Such a system would directly address the [China Telecom] incident."

The RPKI development effort was funded in part by the U.S. Department of Homeland Security, which has made bolstering the security of the Internet's routing system a key cybersecurity initiative.

How quickly RPKI will be adopted is unknown. Among the companies that have helped design RPKI are Cisco, Google, Deutsche Telecom, NTT, Sprint and Equinix.

"RPKI will solve the vast majority of routing problems that crop up, but it's not the final solution," says Stephen Kent, chief scientist for information security at Raytheon BBN Technologies and a contributor to the RPKI standards effort.

Kent says RPKI must be followed by adding security for route paths to BGP, which is under development. This BGP update will take longer and be more expensive to deploy than RPKI because it will require network operators to upgrade their routers.

"If it turns out that RPKI solves 80% or 90% of the issues, then there is a tremendous benefit from that," Kent says. "RPKI is the basis for doing the fancier stuff later."

Routing attacks multiply

The China Telecom incident is the latest in a string of high-profile Internet routing attacks, such as when Pakistan Telecom brought down YouTube's Web site for two hours in February 2008 or when Malaysian ISP DataOne hijacked traffic to Yahoo's Santa Clara data center in May 2004.

RPKI was created by the Internet Engineering Task Force's Secure Inter-Domain Routing (SIDR) working group, which has been working on routing security since 2005.

RPKI allows ISPs and other network operators to generate digital signatures that verify that they have the authority to make changes to Internet resources such as IP addresses or routing prefixes.

Most of the standards documents that describe how RPKI works are in the final stages of approval at the IETF.

"There's been a push to get these documents out and approved," Kent says. "I think they will be popping out through the…first quarter of next year."

One factor driving the release of the RPKI standards is that the regional Internet registries have already committed to start issuing production-quality certificates to their members.

The registries have been working for several years to get the processes, procedures and software in place to support RPKI. They've also been improving the accuracy of their databases that list which IP addresses and routing prefixes are allocated to particular network operators.

APNIC already has a resource certification system in production mode. Several other registries, including Europe's RIPE NCC, plan to go live with their implementations of RPKI on Jan. 1, 2011.

The American Registry for Internet Numbers (ARIN), which provides IP addresses and routing prefixes to ISPs in North America, said it will support RPKI  in the second quarter of 2011.

"ARIN plans to release a production-grade Resource Certification service early in the second quarter of 2011," says Mark Kosters, CTO of ARIN. "There is a pilot program as an interim measure that has been in place since June 2009."

Network operators must verify their IP addresses and routing prefixes with their registries through the new RPKI system, and they will need to check the authoritative database created by the registries to construct their routing filters. Various organizations including Raytheon BBN have created open source software to handle this extra network management function.

"For the really small ISPs, the Web portal design by [registries] makes this trivial. They have to do it once, and set it and forget it," Kent says. "If you're a big ISP, then it will take more effort to integrate [RPKI] into your overall system."

Enterprises that multi-home their networks – or split their network traffic between multiple carriers – can take advantage of RPKI if they want the extra protection it provides.

Huston says enterprise network managers should support the RPKI effort because it bolsters the security of the Internet's routing infrastructure and protects against snooping, traffic redirection, distributed denial of service and man-in-the-middle attacks.

"Everyone ultimately relies on the public network," Huston says. "Enterprise folk use it for VPNs, they use it for public facing services, they use it for business-to-business communication. If you can subvert the integrity of the routing system and send packets to the wrong places, all kinds of risks ensue."

Doubts about RPKI

Not everyone thinks RPKI is going to work.

"I'm not wildly optimistic about it," says Bill Woodcock, research director for the Packet Clearing House, which offers open source software called the Prefix Sanity Checker that's used by ISPs to check BGP routing filters for errors.

"The theory behind RPKI is that you would do a cryptographic signing of your routing announcements and that other people would build filters to not allow routes that didn't include that cryptographic signature," Woodcock explains. "It's more complicated than our software, and it only works if the person on the other end has done this crypto operation."

Woodcock says network operators are notoriously bad at maintaining current information about their IP addresses and routing prefixes in databases operated by the regional registries. And they're also lax about using software such as Prefix Sanity Checker to avoid typographical errors. That's why he thinks it's unlikely that enough ISPs will deploy something as complex as RPKI.  

"There's no user demand for this, which is going to make it hard to cram down the throats of network operators," Woodcock adds.

Woodcock says network operators misconfigure routers regularly, and that there's no reason to believe the China Telecom incident is anything other than another mistake.  

"This was an embarrassment for the entire world to see," he says. "If it had been malicious, it's very likely it would have taken a very different form. … The things to look for in a real attack would be specific individual targets whose traffic was being diverted and a cover-up of that. This was so obvious and blatant."

Craig Labovitz, chief scientist at Arbor Networks, says he can't tell if the China Telecom incident was accidental or malicious. Labovitz studied errors in routing prefixes for his PhD research 15 years ago.

"I just don't know" if China Telecom was being malicious, Labovitz says. "We've seen many errors in the past: errors and fat fingers and incompetence. But at the same time, we've seen malicious use of BGP by spammers."

Labovitz says network operators can take steps such as filtering router announcements to avoid these kinds of traffic hijacking incidents between now and when RPKI is widely deployed.

"There are things that can be done today without any additional spending, without upgrading routers, but they are just not being done," Labovitz says. "A best common practice for ISPs is that you should filter routing announcements from your customers. It's a little bit depressing that after 15 years, we have large sections of the Internet that are not following best common engineering packages."

Labovitz says it may take a more significant routing incident than China Telecom's to prompt deployment of RPKI and BGP security. He points to the example of the Kaminsky threat, which is propelling domain name registries to support new security measures.

DNS security "took an event that was so scary to force action," Labovitz says. "Maybe the growing number of BGP incidents will be enough to drive industry and government consensus to act…I think this is something that we need to fix, and we are on borrowed time."

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)