After Chinese Internet traffic hijack, fix due in January

Engineers prep patch for core Internet routing protocol that allowed 15 percent of world's Web traffic to pass through China

Policymakers disagree about whether the recent Chinese hijacking of Internet traffic was malicious or accidental, but there's no question about the underlying cause of this incident: the lack of built-in security in the Internet's main routing protocol.

Network engineers have been talking about this weakness in the Internet infrastructure for a decade. Now a fix is finally on the way.


Beginning Jan. 1, Internet registries will add a layer of encryption to their operations so that ISPs and other network operators can verify that they have the authority to route traffic for a block of IP addresses or routing prefixes known as Autonomous System Numbers.

The fix -- known as Resource Public Key Infrastructure (RPKI) -- is not perfect. It will require adoption by all of the Internet registries as well as major ISPs before it can provide a significant amount of protection against incidents such as when China Telecom hijacked 15 percent of the world's Internet traffic in April.

Proponents of RPKI say it is a much-needed first step in improving the security of the Border Gateway Protocol (BGP), which is the core routing protocol of the Internet.

Not everyone believes it will work.

At a minimum, RPKI, if widely adopted, should prevent ISPs from accidentally disrupting the flow of Internet traffic with erroneous routing information.

Geoff Huston, chief scientist at the Asia Pacific Network Information Centre (APNIC), says RPKI will eliminate many routing incidents, including the China Telecom hijacking, when it is coupled with follow-on work aimed at securing BGP routes.

"The intent of the overall work, which involves the RPKI as the underlying security platform and secure BGP as a way of introducing signed credentials into the routing system, is to make lies in the routing system automatically detectable and, therefore, automatically removable," Huston says. "It will eliminate a large class of problems -- such a system would directly address the [China Telecom] incident."

The RPKI development effort was funded in part by the U.S. Department of Homeland Security, which has made bolstering the security of the Internet's routing system a key cyber security initiative.

How quickly RPKI will be adopted is unknown. Among the companies that have helped design RPKI are Cisco, Google, Deutsche Telekom, NTT, Sprint, and Equinix.

"RPKI will solve the vast majority of routing problems that crop up, but it's not the final solution," says Stephen Kent, chief scientist for information security at Raytheon BBN Technologies and a contributor to the RPKI standards effort.

Kent says RPKI must be followed by adding security for route paths to BGP, which is under development. This BGP update will take longer and be more expensive to deploy than RPKI because it will require network operators to upgrade their routers.

"If it turns out that RPKI solves 80 or 90 percent of the issues, then there is a tremendous benefit from that," Kent says. "RPKI is the basis for doing the fancier stuff later."
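The origin check that RPKI data makes possible, as an added Python example (not from the article or from any RPKI implementation), using the valid / invalid / not-found outcomes of RFC 6811, which postdates this article. The authorization records (ROAs), documentation prefixes and AS numbers are constructed for illustration; the last sample shows why origin checking alone does not cover the path security Kent describes.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    """One signed authorization: this AS may originate this prefix."""
    prefix: str       # address block the holder registered
    max_length: int   # longest more-specific prefix the holder allows
    asn: int          # AS number authorized to originate it


# Constructed ROA set (RFC 5737 documentation prefixes, RFC 5398 documentation ASNs).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 25, 64497),
]


def validate_origin(prefix, as_path, roas=ROAS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]          # the originating AS is the last hop in AS_PATH
    covered = False
    for roa in roas:
        block = ipaddress.ip_network(roa.prefix)
        if route.version != block.version or not route.subnet_of(block):
            continue              # this ROA says nothing about the route
        covered = True
        if roa.asn == origin and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but no match: wrong origin or too specific a prefix.
    return "invalid" if covered else "not-found"


# Constructed announcements: (prefix, AS_PATH as seen by the receiver).
SAMPLES = [
    ("192.0.2.0/24", [64500, 64496]),     # authorized origin
    ("192.0.2.0/24", [64500, 64511]),     # mis-origination by another AS
    ("192.0.2.128/25", [64500, 64496]),   # more specific than max_length allows
    ("198.51.100.0/25", [64497]),         # more specific, within max_length
    ("203.0.113.0/24", [64499]),          # holder published no ROA
    ("192.0.2.0/24", [64511, 64496]),     # AS 64511 inserted in path, origin intact
]

if __name__ == "__main__":
    for prefix, path in SAMPLES:
        print(f"{prefix:18} path={path} -> {validate_origin(prefix, path)}")
```

The `not-found` result is what every route looks like until the address holder publishes a ROA, which is why the benefit depends on registry and ISP adoption.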
