Doubts about RPKI
Not everyone thinks RPKI is going to work.
"I'm not wildly optimistic about it," says Bill Woodcock, research director for the Packet Clearing House, which offers open source software called the Prefix Sanity Checker that's used by ISPs to check BGP routing filters for errors.
"The theory behind RPKI is that you would do a cryptographic signing of your routing announcements and that other people would build filters to not allow routes that didn't include that cryptographic signature," Woodcock explains. "It's more complicated than our software, and it only works if the person on the other end has done this crypto operation."
Woodcock says network operators are notoriously bad at maintaining current information about their IP addresses and routing prefixes in databases operated by the regional registries. They're also lax about using software such as Prefix Sanity Checker to avoid typographical errors. That's why he thinks it's unlikely that enough ISPs will deploy something as complex as RPKI.
"There's no user demand for this, which is going to make it hard to cram down the throats of network operators," Woodcock adds.
Woodcock says network operators misconfigure routers regularly, and that there's no reason to believe the China Telecom incident is anything other than another mistake.
"This was an embarrassment for the entire world to see," he says. "If it had been malicious, it's very likely it would have taken a very different form. The things to look for in a real attack would be specific individual targets whose traffic was being diverted and a cover-up of that. This was so obvious and blatant."
Craig Labovitz, chief scientist at Arbor Networks, says he can't tell if the China Telecom incident was accidental or malicious. Labovitz studied errors in routing prefixes for his doctoral research 15 years ago.
"I just don't know" if China Telecom was being malicious, Labovitz says. "We've seen many errors in the past: errors and fat fingers and incompetence. But at the same time, we've seen malicious use of BGP by spammers."
Labovitz says network operators can take steps such as filtering router announcements to avoid these kinds of traffic hijacking incidents between now and when RPKI is widely deployed.
"There are things that can be done today without any additional spending, without upgrading routers, but they are just not being done," Labovitz says. "A best common practice for ISPs is that you should filter routing announcements from your customers. It's a little bit depressing that after 15 years, we have large sections of the Internet that are not following best common engineering packages."
Labovitz says it may take a more significant routing incident than China Telecom's to prompt deployment of RPKI and BGP security. He points to the example of the Kaminsky threat, which is propelling domain name registries to support new security measures.
DNS security "took an event that was so scary to force action," Labovitz says. "Maybe the growing number of BGP incidents will be enough to drive industry and government consensus to act. I think this is something that we need to fix, and we are on borrowed time."
Read more about wide area network in Network World's Wide Area Network section.
This story, "After Chinese Internet traffic hijack, fix due in January" was originally published by Network World.