Last week I described how data moving between your two domestic sites might be routed through another country on the other side of the world.
The IETF has a nice document, Generic Threats to Routing Protocols, describing the concepts of possible attacks and impacts.
Interior routing protocols like OSPF are used within one organization and should be blocked at your perimeter.
The exterior routing problem is more interesting. BGP, the Border Gateway Protocol, is used for inter-domain routing. Your border routers use BGP to tell your provider and any peer organizations which IP address blocks you originate. Those announcements propagate through the backbone, so the rest of the world learns how to reach your corner of it.
Work is underway to secure BGP with BGPSEC, which builds on a hierarchical Resource Public Key Infrastructure (or RPKI) to validate routing announcements. In simple terms, you could convincingly announce “This block of addresses is over here” only if you held keys that cryptographically prove you are authorized to originate those addresses; BGPSEC goes a step further and has each AS along the path sign the announcement it passes on, so the path itself cannot be forged.
This control of routing is very important for governance of the Internet. But people aren’t paying much attention to the BGPSEC debate.
How important is inter-domain routing security?
In the Egyptian Revolution in the winter of 2011, the Egyptian government disconnected the country from the Internet, not by unplugging cables but through routing protocol announcements.
In the summer of 2012, the Syrian Telecommunications Establishment withdrew all their networks from the global routing table and cut off most of Syria from the Internet. This followed a Syrian disconnection the year before.
Those events in Egypt and Syria were authoritarian governments disconnecting themselves, but you can imagine how this could be used as a weapon, not just for disconnection but for redirection. We really need something like BGPSEC.
If you can’t always count on reaching one remote site, mirror it. Learning Tree’s Cloud Security Essentials course shows you how to design a distributed cloud architecture and then use it safely. But what if an adversary blocked routing to all of your IP address blocks?
The people who would be carrying out the implementation feel that BGPSEC with RPKI is workable, at least for origin validation: checking that the AS originating an address block is the one authorized to do so. But the operators are concerned about using RPKI to validate the routing announcements themselves, that is, the full AS path each announcement travels.
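The origin-validation check that the last few paragraphs describe, as an added example (this is not code from the original post or from any RPKI implementation). It implements the Route Origin Validation rules of RFC 6811 over a constructed set of ROAs; the prefixes are RFC 5737 documentation blocks, the ASNs are private-use numbers, and every ROA and announcement is invented for illustration. The final scenario shows the gap the operators are worried about: an announcement with a forged path that keeps the legitimate origin AS at the end passes origin validation untouched, which is exactly what BGPSEC's path signatures are meant to catch.

```python
"""Route Origin Validation (RFC 6811) over a small, constructed set of ROAs.

Added example, not code from the original post.  All prefixes, ASNs and ROAs
below are invented: documentation prefixes (RFC 5737) and private-use ASNs
(RFC 5398), so nothing here refers to a real network.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, Iterable, Sequence, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_asn may originate prefix and any
    more-specific of it down to max_length."""
    prefix: Network
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP UPDATE reduced to what ROV needs: the prefix and the AS_PATH as a
    plain sequence of ASNs (AS_SET segments are not handled in this example)."""
    prefix: Network
    as_path: Sequence[int]

    @property
    def origin_asn(self) -> int:
        # The origin is the rightmost AS: the one that first announced the prefix.
        return self.as_path[-1]


def roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    return ROA(ip_network(prefix), max_length, origin_asn)


def covers(r: ROA, prefix: Network) -> bool:
    """RFC 6811 'covered': the ROA prefix contains the announced prefix."""
    return (prefix.version == r.prefix.version
            and prefix.prefixlen >= r.prefix.prefixlen
            and prefix.subnet_of(r.prefix))


def matches(r: ROA, ann: Announcement) -> bool:
    """RFC 6811 'matching': covered, not longer than maxLength, same origin AS."""
    return (covers(r, ann.prefix)
            and ann.prefix.prefixlen <= r.max_length
            and ann.origin_asn == r.origin_asn)


def validate(ann: Announcement, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2."""
    covering = [r for r in roas if covers(r, ann.prefix)]
    if not covering:
        return "not-found"          # nobody has published a ROA for this space
    if any(matches(r, ann) for r in covering):
        return "valid"
    return "invalid"                # a ROA exists, but this announcement breaks it


# Constructed ROAs (hypothetical address holders).
ROAS = [
    roa("192.0.2.0/24", 24, 64496),     # AS64496 owns 192.0.2.0/24, no more-specifics
    roa("198.51.100.0/22", 24, 64497),  # AS64497 may announce /22 down to /24 of this block
]

# Constructed announcements as seen by a router whose neighbour is AS64500.
SCENARIOS = {
    "legit":            Announcement(ip_network("192.0.2.0/24"), (64500, 64496)),
    "origin-hijack":    Announcement(ip_network("192.0.2.0/24"), (64500, 64510)),
    "more-specific":    Announcement(ip_network("192.0.2.0/25"), (64500, 64496)),
    "ok-more-specific": Announcement(ip_network("198.51.100.0/24"), (64500, 64497)),
    "unsigned":         Announcement(ip_network("203.0.113.0/24"), (64500, 64511)),
    # AS64510 forges a path ending in the real origin: ROV alone cannot see this.
    "path-forgery":     Announcement(ip_network("192.0.2.0/24"), (64500, 64510, 64496)),
}


def run_scenarios() -> Dict[str, str]:
    return {name: validate(ann, ROAS) for name, ann in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18} {result}")
```

An operator deploying ROV typically drops "invalid" routes and treats "not-found" like an unsigned route today, which is why the more-specific /25 carve-out and the wrong-origin hijack are stopped while the unsigned block is still accepted. Nothing in this check looks at the ASes between the neighbour and the origin, so the path-forgery case is reported as "valid"; closing that gap is the part of BGPSEC whose scalability the operators question.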
The prominent dissenter is Verisign, where engineers strongly question the scalability. I will pay attention to what Verisign says about scalability of large PKI projects, as that’s what they do.
You can wade into the technical discussion here, but the short version is that the current design’s scalability is questionable, and even if it can be applied, BGPSEC still does not solve other serious routing security problems.
Dwight Eisenhower might recognize this situation as a result of the military-industrial complex he warned us about. It seems like this might be another unending cycle starting with a problem being identified, a contractor proposing a solution, and a government agency hiring the contractor to carry out their proposal. But after a few funding cycles based on a series of proposals and grants, the problem being addressed by the contractor is no longer the practical one that the operators must deal with.