DHS to take on core routing vulnerability
No serious security geek has forgotten last year's big reveal of the hole at the heart of the net's routing protocol, but is the Department of Homeland Security the outfit you'd imagined patching it?
The Border Gateway Protocol (BGP) is essential stuff, allowing the Net to be decentralized but still able to get stuff from point A to point B. It's not something you can simply not use, like JavaScript or even HTTP. As such, BGP is a fat target for bad guys, and last year at DefCon, two security researchers demonstrated a technique that would let such entities monitor and even alter unencrypted net traffic.
The BGP problem isn't a bug, since it was deliberately designed; it's just a design that has outlasted its time. (Once upon a time, nobody out there would particularly have anything to gain by corrupting your routing.) Every now and then the architecture quirk is even deliberately used to re-route traffic -- for good reasons (if there's a faster way to get traffic to a particular destination) or not such good ones (when a Pakistani telco decided it would block Pakistani citizens from getting at certain YouTube videos and ended up blocking the whole world from the whole site).
Understandably, there has been some interest in fixing the problem, which dates back to the era of expensive processing time and generally trustworthy net users. Enter DHS, which sees an opportunity to strengthen cyber-security as a whole.
The Department's effort, called BGPSEC, has been underway for several years, but it plans to quadruple funding for it this year. The effort will work to add digital signatures to the BGP "announcements" that manage the routing tables, adding another and much thicker layer of security to the process of changing it.
Interesting, but two potential questions arise: First, though BGP is a vulnerable surface, some feel that the DNS system itself could be attacked more easily and with potentially similar results. No reason not to secure it of course, and DHS notes that there's a twin effort, DNSSEC, devoted to locking down DNS holes such as the one famously revealed by Dan Kaminsky last year.
Also, and perhaps more critically, some question whether DHS -- an organization that has been perceived as highly politicized -- is the right spearhead. Security researchers at various organizations have been involved in both government efforts and private-enterprise attempts to build BGP durability, but many entities, particularly overseas, raise at eyebrow at any US-led effort to manage the net, especially where security is concerned.
But there's hope, even for the politically uneasy. DNSSEC -- further along in its efforts -- is coordinated by DHS, but the task is being executed by companies and other entities all around the world. That'll be important to the success of DNSSEC, which will require an infrastructure of services that can sign domains and host signed domains, and there's no reason to think it'll be less so for a BGP system that calls for digital signatures or some other verification method for change announcements.
The venue for BGPSEC's meeting of the minds may not please everyone, but it's very hard to argue against the gathering itself.