The Internet Engineering Task Force (IETF) aims to strengthen the basic protocols of the internet, with a way to stop route, or IP, hijacking. IETF experts say the proposed fix is simpler to implement than previous suggestions. IP hijacking exploits a fundamental weakness of the internet. Data and messages sent across the …
>"BGP has no built-in security."
That's an over-simplification to the point where it's verging on falsehood. You try opening a BGP connection from your home or office (i.e. ISP end-user) computer to any random router out there on the internet; it won't accept anything from you.
BGP routers are configured by the network admins to know who their peers are and only accept updates from them, and most of them use shared-secret MD5-based signatures as a form of (admittedly weak) authentication. Faking a BGP update would require both knowing the particular shared secret for a particular peer-peer link *and* blind IP spoofing as one of the peers; it's only valid authorised peers who can inject (whether by accident or design) bad data into the BGP routing tables.
It would be a bit more accurate to say that BGP has no data validation rather than no security at all, as the problems arise when someone emits routing updates for routes they don't have the right to originate. This becomes a particular problem as some enterprise-level ISPs sell a service where the customer can supply their own BGP router and originate routes from it; the ISPs should be filtering these routes rather than blindly passing them on, but that's still basically a data validation/GIGO issue.
Not sure this would make that much of a difference
I've seen said CN hijack, from the point of view of an engineer on call. They don't happen that often, but I suppose it's a road bump on the way to insanity for some people. The issue with the solution is that for the really big issues, we are relying on the network (in the form of DNS and VA's) to secure...the network, which has the odd flaw. The other way of looking at the issue is to make the point that since diverting Youtube your way will probably fill your pipes instantly anyway, hijacks are usually going to be smaller rather than larger.
I'm more convinced by a solution that holds Tier1 transit providers to account. Jitter analysis of AS latency from test points, as well as route update frequency available from RIPE and others could be used to update BGP damping.
In the mid 90s an ISP had a DS3 into MAE-East. One of their customers somehow managed to configure their router, from memory some Bay Networks device, to emit the entire address space as /24's over BGP. The upstream had no prefix length filtering in place and announced said prefixes out MAE-East. In the good old tradition of shortest prefix wins, the entire traffic of MAE-East suddenly tried vanishing down this DS3. It was rather amusing to see MCI's own traffic try to go from east coast to west coast via this 3rd party.
It's been clear that announcement forgery, or in this case cockups, has been a problem for a lot longer than China has been the new enemy of freedom. The fact it's taken until now to try and get a workable solution is a demonstration of how bad the IETF is at solving real problems. If nothing else, there are existing and maintained databases of routing information (although admittedly they tend to be regional rather than global, but it would seem that is a problem that could be solved if one cared enough) that are separate from the BGP tables themselves and contain information such as prefixes, ASN, peers, and what is announced to those peers and what is accepted from those peers. Why we need YET ANOTHER way of representing the information is beyond me.
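The two comments above describe the two checks an upstream could have applied: a maximum prefix-length filter (which would have dropped the flood of /24s in the MAE-East story) and a lookup of the announced prefix and origin ASN against a registry kept separately from the BGP table. The following is an added example written for this thread, not code from any commenter, the IETF or any router vendor. It models a small registry as text records of prefix, maximum authorised length and origin ASN (the record shape and the valid/invalid/unknown outcomes are borrowed from RPKI route origin validation; the registry format, function names and all sample data are constructed here, using documentation address ranges and private ASNs), and applies both checks to a batch of constructed announcements.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class OriginRecord:
    """One registry entry: who may originate a prefix, and how specific they may get."""
    prefix: IPNetwork
    max_length: int   # longest prefix length this record authorises
    origin_asn: int


def load_registry(lines: List[str]) -> List[OriginRecord]:
    """Parse 'prefix max-length origin-asn' lines; '#' starts a comment (constructed format)."""
    records = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, max_len, asn = line.split()
        records.append(OriginRecord(ipaddress.ip_network(prefix, strict=True), int(max_len), int(asn)))
    return records


# Constructed sample registry (documentation ranges, private ASNs) -- not real routing data.
REGISTRY_TEXT = """
# prefix            max-length   origin-asn
198.51.100.0/22     24           64500
203.0.113.0/24      24           64501
2001:db8::/32       48           64500
"""
REGISTRY = load_registry(REGISTRY_TEXT.splitlines())


def validate_announcement(prefix_str: str, origin_asn: int, registry=REGISTRY,
                          ipv4_max_len: int = 24, ipv6_max_len: int = 48) -> Tuple[str, str]:
    """Return (state, reason) where state is 'valid', 'invalid' or 'unknown'."""
    prefix = ipaddress.ip_network(prefix_str, strict=True)

    # Check 1: generic prefix-length sanity filter. Anything more specific than the
    # limit is dropped before any registry lookup (the /24-flood case above).
    limit = ipv4_max_len if prefix.version == 4 else ipv6_max_len
    if prefix.prefixlen > limit:
        return ("invalid", "prefix length %d exceeds filter limit %d" % (prefix.prefixlen, limit))

    # Check 2: registry lookup. Find every record whose prefix covers the announcement.
    covering = [r for r in registry
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        # Nobody has registered this space: the router cannot tell good from bad here.
        return ("unknown", "no registry record covers %s" % prefix)

    for record in covering:
        if record.origin_asn == origin_asn and prefix.prefixlen <= record.max_length:
            return ("valid", "authorised by %s max-length %d AS%d"
                    % (record.prefix, record.max_length, record.origin_asn))

    # Covered by the registry, but the origin ASN or the length is not authorised:
    # this is the hijack / misconfiguration case the filter exists to stop.
    return ("invalid", "covered by registry but AS%d / length %d not authorised"
            % (origin_asn, prefix.prefixlen))


def filter_updates(updates: List[Tuple[str, int]], registry=REGISTRY,
                   accept_unknown: bool = True) -> List[Tuple[str, int]]:
    """Apply the policy to a batch of (prefix, origin ASN) announcements; return those accepted."""
    accepted = []
    for prefix_str, origin_asn in updates:
        state, _reason = validate_announcement(prefix_str, origin_asn, registry)
        if state == "valid" or (state == "unknown" and accept_unknown):
            accepted.append((prefix_str, origin_asn))
    return accepted


if __name__ == "__main__":
    # Constructed announcements: a legitimate one, a wrong-origin one, an over-specific
    # one, and one for unregistered space.
    sample = [("198.51.100.0/22", 64500), ("203.0.113.0/24", 64500),
              ("198.51.100.0/25", 64500), ("192.0.2.0/24", 65000)]
    for prefix_str, asn in sample:
        print(prefix_str, "AS%d" % asn, "->", validate_announcement(prefix_str, asn))
    print("accepted:", filter_updates(sample))
```

Whether "unknown" announcements are accepted is a policy choice: dropping them is only safe once registry coverage is near-complete, which is exactly the regional-versus-global coverage problem the comment above points at.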
Boom Goes the Protocol...
Orange Alert! Orange Alert!
(Large white weather balloon bounces across the interwebs...)
Here's the simple solution to this
Step 1: Hire decent people in the first place
Step 2: Set the shit up properly using a decent protocol with authentication capabilities in the first place!
Step 3: turn anti-spoofing/anti-poisoning/cache and anti-duplication protection on!
Not rocket science, not really computer science either, just basic logical process!
It won't stop
Route/IP hijacking via the old fashioned method of producing fake paperwork stating you're the owner of the IP blocks in question.