Fix to Internet infrastructure coming in wake of Chinese traffic hijack

By , Network World |  Security, China, internet security

APNIC already has a resource certification system in production mode. Several other registries, including Europe's RIPE NCC, plan to go live with their implementations of RPKI on Jan. 1, 2011.

The American Registry for Internet Numbers (ARIN), which provides IP addresses and routing prefixes to ISPs in North America, said it will support RPKI  in the second quarter of 2011.

"ARIN plans to release a production-grade Resource Certification service early in the second quarter of 2011," says Mark Kosters, CTO of ARIN. "There is a pilot program as an interim measure that has been in place since June 2009."

Network operators must verify their IP addresses and routing prefixes with their registries through the new RPKI system, and they will need to check the authoritative database created by the registries to construct their routing filters. Various organizations including Raytheon BBN have created open source software to handle this extra network management function.

"For the really small ISPs, the Web portal design by [registries] makes this trivial. They have to do it once, and set it and forget it," Kent says. "If you're a big ISP, then it will take more effort to integrate [RPKI] into your overall system."

Enterprises that multi-home their networks - or split their network traffic between multiple carriers - can take advantage of RPKI if they want the extra protection it provides.

Huston says enterprise network managers should support the RPKI effort because it bolsters the security of the Internet's routing infrastructure and protects against snooping, traffic redirection, distributed denial of service and man-in-the-middle attacks.

"Everyone ultimately relies on the public network," Huston says. "Enterprise folk use it for VPNs, they use it for public facing services, they use it for business-to-business communication. If you can subvert the integrity of the routing system and send packets to the wrong places, all kinds of risks ensue."

Doubts about RPKI

Not everyone thinks RPKI is going to work.

"I'm not wildly optimistic about it," says Bill Woodcock, research director for the Packet Clearing House, which offers open source software called the Prefix Sanity Checker that's used by ISPs to check BGP routing filters for errors.

Originally published on Network World |  Click here to read the original story.
Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question