After Chinese Internet traffic hijack, fix due in January

Engineers prep patch for core Internet routing protocol that allowed 15 percent of world's Web traffic to pass through China


Routing attacks multiply

The China Telecom incident is the latest in a string of high-profile Internet routing attacks, such as when Pakistan Telecom brought down YouTube's website for two hours in February 2008 or when Malaysian ISP DataOne hijacked traffic to Yahoo's Santa Clara data center in May 2004.

RPKI was created by the Internet Engineering Task Force's Secure Inter-Domain Routing (SIDR) working group, which has been working on routing security since 2005.

RPKI allows ISPs and other network operators to generate digital signatures that verify they have the authority to make changes to Internet resources such as IP addresses or routing prefixes.

Most of the standards documents that describe how RPKI works are in the final stages of approval at the IETF.

"There's been a push to get these documents out and approved," Kent says. "I think they will be popping out through the first quarter of next year."

One factor driving the release of the RPKI standards is that the regional Internet registries have already committed to start issuing production-quality certificates to their members.

The registries have been working for several years to get the processes, procedures, and software in place to support RPKI. They've also been improving the accuracy of their databases that list which IP addresses and routing prefixes are allocated to particular network operators.

APNIC already has a resource certification system in production mode. Several other registries, including Europe's RIPE NCC, plan to go live with their implementations of RPKI on Jan. 1, 2011.

The American Registry for Internet Numbers (ARIN), which provides IP addresses and routing prefixes to ISPs in North America, said it will support RPKI in the second quarter of 2011.

"ARIN plans to release a production-grade Resource Certification service early in the second quarter of 2011," says Mark Kosters, CTO of ARIN. "There is a pilot program as an interim measure that has been in place since June 2009."

Network operators must verify their IP addresses and routing prefixes with their registries through the new RPKI system, and they will need to check the authoritative database created by the registries to construct their routing filters. Various organizations including Raytheon BBN have created open source software to handle this extra network management function.
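As an added illustration (not code from the article or from any project it mentions), the following Python sketch shows the check a filter-building tool performs with RPKI data: each ROA record is assumed to carry a certified prefix, a maximum prefix length and the authorised origin AS, and each BGP announcement is classified against the ROAs that cover it so that invalid origins are dropped from the routing filter. The prefixes and AS numbers are constructed documentation values.

```python
"""RPKI route origin validation and filter construction (added example).
ROAs and announcements below are constructed sample data, not from the article."""
import ipaddress
from typing import List, NamedTuple, Tuple

class ROA(NamedTuple):
    prefix: str       # address block the holder has certified
    max_length: int   # longest more-specific prefix the origin may announce
    origin_as: int    # AS authorised to originate the prefix

class Announcement(NamedTuple):
    prefix: str
    origin_as: int

def validate(ann: Announcement, roas: List[ROA]) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(ann.prefix)
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"   # no ROA says anything about this address space
    for roa in covering:
        if roa.origin_as == ann.origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # covered by a ROA, but wrong origin or too specific

def build_filter(anns: List[Announcement], roas: List[ROA]) -> Tuple[list, list]:
    """Split announcements into accept/reject lists for a router filter.
    'not-found' routes are kept because most address space has no ROA yet."""
    accept, reject = [], []
    for ann in anns:
        state = validate(ann, roas)
        (reject if state == "invalid" else accept).append((ann, state))
    return accept, reject

# Constructed sample data (documentation prefixes and documentation ASNs).
SAMPLE_ROAS = [ROA("192.0.2.0/24", 24, 64500), ROA("2001:db8::/32", 48, 64500)]
SAMPLE_ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", 64500),     # legitimate origin -> valid
    Announcement("192.0.2.0/25", 64500),     # exceeds max_length -> invalid
    Announcement("192.0.2.0/24", 64511),     # foreign origin AS -> invalid
    Announcement("2001:db8:1::/48", 64500),  # inside the IPv6 ROA -> valid
    Announcement("198.51.100.0/24", 64501),  # no ROA -> not-found, accepted
]

if __name__ == "__main__":
    for ann, state in build_filter(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)[1]:
        print(f"reject {ann.prefix} from AS{ann.origin_as}: {state}")
```

The third sample announcement is the case the article is about: a prefix originated by an AS that the holder never authorised, which the ROA lets a router recognise and discard.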

"For the really small ISPs, the Web portal design by [registries] makes this trivial. They have to do it once, and set it and forget it," Kent says. "If you're a big ISP, then it will take more effort to integrate [RPKI] into your overall system."

Enterprises that multihome their networks -- or split their network traffic between multiple carriers -- can take advantage of RPKI if they want the extra protection it provides.

Huston says enterprise network managers should support the RPKI effort because it bolsters the security of the Internet's routing infrastructure and protects against snooping, traffic redirection, distributed denial of service, and man-in-the-middle attacks.

"Everyone ultimately relies on the public network," Huston says. "Enterprise folk use it for VPNs, they use it for public-facing services, they use it for business-to-business communication. If you can subvert the integrity of the routing system and send packets to the wrong places, all kinds of risks ensue."
