Make BGP great again, er, no, for the first time: NIST backs internet route security brainwave A proposal for securing BGP – the protocol that lays out the traffic pathways of the internet – has a another backer: NIST, aka America's National Institute for Standards and Technology. The US government agency has issued a discussion paper outlining the use of Route Origin Validation (ROV) to protect the notoriously all-too- …
And knowing who you're talking to (at the network level) is a part of making sure your packets are not getting slurped by malicious actors.*
So potentially a good start.
*Choose your preferred MA depending on political outlook and area of the world.
We have colo with a sizeable US provider, who also supply the comms. I can connect to the BGP port of our first hop outbound (their router, in other words) from a domestic DSL line in the UK.
I'm pretty sure that this should be locked down to their peers. Or at least their continent.
Beat my head off them for two weeks, and the best they could come up with was for us to firewall it so we couldn't see it.
Anon because we use this for a live service.
>>Their router, their security << but who ends up taking the hit?
This is why you make sure you've documented that they've been warned and acknowledged receipt of the warning.
That way if the splash zone includes you, you have an audit trail - and if it gets messy, passing that information to their public liability insurers can result in an interesting wakeup call.
Failure to mitigate this kind of threat would invalidate most liability insurance in the event of the ISP being hacked and facing civil litigation from aggrieved customers - it's usually liabliity insurers footing the bill when companies end up defending civil cases like this.
There are ways of naming/shaming the ISP in forums where they'll get a good hard kicking without compromising your anonymity.
IPv6 adoption requires end user participation, and affects ALL devices. BGP protection only affects a handful of devices in the typical enterprise (i.e. where they interconnect with outside networks/providers) so it is a far simpler problem.
Though keeping certificates up to date has proven to be a problem already, and I'd hate to think an expired certificate would cause routes to go down. We might end up with a more secure, but less stable internet.
"The ancient protocol was written with the “good chaps theory” as one of its fundamental assumptions "
Which was a proven fallacy even then.
At least one set of naval war games in the late 1970s/early 1980s ended within hours after Red team accessed Blue team's systems, downloading all their plans and intercepting orders, etc. They paralysed Blue team's deployment ability and "killed" them where they sat, in several cases by causing "self detontations" of Blue equipment without a Red team member in sight.
Blue team cried "foul" and tried to have this kind of thing banned, but it marked when the US military became interested in cyber warfare.
Academics getting onto DARPAnet brought a lot of that blind trust back, but those in the know were preaching security from the outset.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
