December 07, 2010, 3:02 PM — Policymakers disagree about whether the recent Chinese hijacking of Internet traffic was malicious or accidental, but there's no question about the underlying cause of this incident: the lack of built-in security in the Internet's main routing protocol.
Network engineers have been talking about this weakness in the Internet infrastructure for a decade. Now a fix is finally on the way.
Beginning Jan. 1, Internet registries will add a layer of encryption to their operations so that ISPs and other network operators can verify that they have the authority to route traffic for a block of IP addresses or routing prefixes known as Autonomous System Numbers.
The fix - known as Resource Public Key Infrastructure (RPKI) - is not perfect. It will require adoption by all of the Internet registries as well as major ISPs before it can provide a significant amount of protection against incidents such as when China Telecom hijacked 15% of the world's Internet traffic in April.
Proponents of RPKI say it is a much-needed first step in improving the security of the Border Gateway Protocol (BGP), which is the core routing protocol of the Internet.
Not everyone believes it will work.
At a minimum, RPKI, if widely adopted, should prevent ISPs from accidentally disrupting the flow of Internet traffic with erroneous routing information.
Geoff Huston, chief scientist at the Asia Pacific Network Information Centre (APNIC), says RPKI will eliminate many routing incidents including the China Telecom hijacking when it is coupled with follow-on work aimed at securing BGP routes.
"The intent of the overall work, which involves the RPKI as the underlying security platform and secure BGP as a way of introducing signed credentials into the routing system, is to make lies in the routing system automatically detectable and, therefore, automatically removable," Huston says. "It will eliminate a large class of problems...Such a system would directly address the [China Telecom] incident."
The RPKI development effort was funded in part by the U.S. Department of Homeland Security, which has made bolstering the security of the Internet's routing system a key cybersecurity initiative.