"The theory behind RPKI is that you would do a cryptographic signing of your routing announcements and that other people would build filters to not allow routes that didn't include that cryptographic signature," Woodcock explains. "It's more complicated than our software, and it only works if the person on the other end has done this crypto operation."
Woodcock says network operators are notoriously bad at maintaining current information about their IP addresses and routing prefixes in databases operated by the regional registries. And they're also lax about using software such as Prefix Sanity Checker to avoid typographical errors. That's why he thinks it's unlikely that enough ISPs will deploy something as complex as RPKI.
"There's no user demand for this, which is going to make it hard to cram down the throats of network operators," Woodcock adds.
Woodcock says network operators misconfigure routers regularly, and that there's no reason to believe the China Telecom incident is anything other than another mistake.
"This was an embarrassment for the entire world to see," he says. "If it had been malicious, it's very likely it would have taken a very different form. ... The things to look for in a real attack would be specific individual targets whose traffic was being diverted and a cover-up of that. This was so obvious and blatant."
Craig Labovitz, chief scientist at Arbor Networks, says he can't tell if the China Telecom incident was accidental or malicious. Labovitz studied errors in routing prefixes for his PhD research 15 years ago.
"I just don't know" if China Telecom was being malicious, Labovitz says. "We've seen many errors in the past: errors and fat fingers and incompetence. But at the same time, we've seen malicious use of BGP by spammers."
Labovitz says that until RPKI is widely deployed, network operators can take steps such as filtering router announcements to avoid these kinds of traffic hijacking incidents.
"There are things that can be done today without any additional spending, without upgrading routers, but they are just not being done," Labovitz says. "A best common practice for ISPs is that you should filter routing announcements from your customers. It's a little bit depressing that after 15 years, we have large sections of the Internet that are not following best common engineering packages."
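The customer-route filtering Labovitz describes can be shown in a few lines. The following is an added example, not part of the original article: it accepts an announcement only when the prefix falls inside address space registered to that customer and is no more specific than an agreed maximum length. The ASNs, prefixes, per-entry maximum lengths and function names are constructed for illustration.

```python
import ipaddress

# Constructed data: what each customer AS may announce, as (prefix, max length).
# ASNs and prefixes are from documentation ranges, not real assignments.
CUSTOMER_PREFIXES = {
    64500: [("192.0.2.0/24", 24), ("198.51.100.0/24", 24)],
    64501: [("203.0.113.0/24", 24), ("2001:db8::/32", 48)],
}


def build_filter(registry):
    """Parse the registry once so each check is only a containment test."""
    return {
        asn: [(ipaddress.ip_network(p), max_len) for p, max_len in entries]
        for asn, entries in registry.items()
    }


def check_announcement(filt, customer_asn, prefix):
    """Return (accepted, reason) for one prefix announced by a customer."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    allowed = filt.get(customer_asn)
    if allowed is None:
        return False, "no filter defined for customer"  # default deny
    for covering, max_len in allowed:
        if net.version == covering.version and net.subnet_of(covering):
            if net.prefixlen <= max_len:
                return True, "ok"
            return False, "more specific than allowed"
    return False, "prefix not registered to customer"


def filter_session(filt, customer_asn, prefixes):
    """Split a customer's announcements into accepted and rejected lists."""
    accepted, rejected = [], []
    for prefix in prefixes:
        ok, reason = check_announcement(filt, customer_asn, prefix)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected


if __name__ == "__main__":
    f = build_filter(CUSTOMER_PREFIXES)
    # Constructed session: one legitimate route, two that the filter must drop.
    print(filter_session(f, 64500, ["192.0.2.0/24", "203.0.113.0/24", "192.0.2.128/25"]))
```

A customer with no entry in the registry is rejected outright, so a misconfigured or newly connected session cannot inject routes until its prefixes have been recorded.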
Labovitz says it may take a more significant routing incident than China Telecom's to prompt deployment of RPKI and BGP security. He points to the example of the Kaminsky threat, which is propelling domain name registries to support new security measures.