The U.S. Department of Homeland Security (DHS) plans to invest in research dedicated to securing the Border Gateway Protocol (BGP) by adding digital signatures to router communications. DHS says the research initiative, dubbed BGPSEC, will prevent routing hijackings and accidental misconfigurations of routing data. DHS expects BGPSEC to take at least four years before deployment. "The reason BGP problems are so serious is that they attack the Internet infrastructure, rather than particular hosts," says Columbia University professor of computer science Steve Bellovin. "This is why it is a DHS-type of problem." Arbor Networks' Danny McPherson says BGP is one of the largest threats on the Internet. "There doesn't exist a formally verifiable source for who owns what address space on the Internet, and absent that you can't really validate the routing system," McPherson says. The extra funding should enable the DHS to develop ways of authenticating Internet Protocol (IP) address allocations and router announcements on how to reach blocks of IP addresses.
Network World (01/15/09) Marsan, Carolyn Duffy
Detecting Internet Routing 'Lies'
Internet routing and scaling expert Geoff Huston will work for the U.S. Department of Homeland Security's Resource Public Key Infrastructure (RPKI) initiative to strengthen Internet security. Huston will serve as a co-chair of the Internet Engineering Task Force Security Inter-Domain Routing Working Group, which is developing standard technologies for providing security mechanisms for inter-domain routing. Huston is also the chief scientist at APNIC, the Regional Internet Registry for the Asia Pacific region, which is working to introduce digital certification of number resources. Attacks on the routing system can hijack Internet addresses and redirect traffic to unintended destinations, allowing the attacker to send users to malicious Web sites or to inspect transit traffic undetected. These attacks rely on a single feature of the Border Gateway Protocol that allows a party to "lie" in routing and for the lie to spread across an entire network. The RPKI is a critical component of a mechanism that will detect such lies. RPKI allows users to verify the accuracy and authenticity of routing information and to correctly identify instances of invalid routing information. Huston says several efforts are underway to provide tools that implement RPKI services. The next steps are to use the RPKI framework to create tools that allow Internet service providers (ISPs) and enterprises to digitally sign authorities that relate to routing assertions, and to provide tools that allow ISPs and others to validate routing information by matching those authorities to the information sent through the inter-domain routing system.
Network World (01/20/09) Marsan, Carolyn Duffy
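As an added illustration (not from the article, and not the code of any RPKI tool), here is the matching step Huston describes: a validator compares each BGP announcement's prefix and origin AS against the signed authorities. The authority object is the Route Origin Authorization (ROA) and the three outcomes follow RFC 6811, both of which postdate this 2009 article; the ROAs and announcements below are constructed from documentation prefixes and documentation ASNs.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the signed 'authority' the article refers to.
    States that `asn` may originate `prefix` and more-specifics up to
    `max_length` bits. Signature checking is assumed to have happened already."""
    prefix: str
    max_length: int
    asn: int

def validate_origin(prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' (RFC 6811 semantics)."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the route only when it is the same address family and
        # the announced prefix is equal to or more specific than the ROA's.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"  # nobody has signed an authority for this space
    for roa in covering:
        # AS 0 ROAs authorize nobody; otherwise the origin must match and the
        # announcement must not be more specific than the holder allowed.
        if roa.asn and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"  # covered, but no ROA authorizes this origin/length

def classify(announcements, roas):
    """Map each (prefix, origin AS) announcement to its validation state."""
    return {a: validate_origin(a[0], a[1], roas) for a in announcements}

# Constructed sample data: documentation prefixes and documentation ASNs.
SAMPLE_ROAS = [ROA("192.0.2.0/24", 24, 64496),
               ROA("198.51.100.0/22", 24, 64497),
               ROA("2001:db8::/32", 48, 64498)]
SAMPLE_ANNOUNCEMENTS = [("192.0.2.0/24", 64496),     # legitimate
                        ("192.0.2.0/24", 64511),     # origin hijack: wrong AS
                        ("192.0.2.0/25", 64496),     # too specific for maxLength
                        ("198.51.100.0/24", 64497),  # within the /22 ROA's maxLength
                        ("203.0.113.0/24", 64496),   # no ROA covers it
                        ("2001:db8:1::/48", 64498)]  # IPv6, within maxLength

if __name__ == "__main__":
    for (pfx, asn), state in classify(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS).items():
        print(f"{pfx:<18} AS{asn}: {state}")
```

Only "invalid" is a detected lie; "not-found" simply means no authority has been signed yet, which is why operators typically drop invalid routes but still accept not-found ones.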