Experts say White House protocol upgrade advice is serious
Cost and red tape get in the way
According to these experts, vulnerabilities in these protocols mean it could just be a question of when they are exploited in an attack, not if. And the target would not be a sole wired entity, but the entire internet, or large portions of it.
In his draft report "National Strategy to Secure Cyberspace", Bush-appointed adviser Clarke wrote: "A public-private partnership should refine and accelerate the adoption of improved security" for IP, BGP and DNS, arguably the most important internet protocols.
The language of the recommendation, numbered 1 in the National Priorities section of the report, sounds somewhat vague, but compared to the rest of the report, which often couches recommendations with "suggest" and "consider", it's fairly urgent language.
When Clarke recommends Federal funds should be set aside for research and development of internet and software security, he again names BGP (border gateway protocol) and DNS (domain name system) as priorities.
Mike Lloyd, CTO of BGP routing software specialist RouteScience Inc, told ComputerWire: "The internet is a network of trust, so if someone introduces malicious data somewhere it can replicate from one autonomous system to another."
"If you attack BGP you attack the entire internet, but nobody has done it yet because nobody has had the motivation," Lloyd said. "The root problem is that BGP is how people announce to the world where they are. I can announce to the world I'm you, and all your traffic would come to me."
BGP handles which way to route data when two networks interconnect. Currently, the only thing stopping bad routes being propagated around the internet is the best practices policies of the ISPs, which do manual authentication of permitted IP space before allowing their customers to announce BGP routes to their routers.
Regardless, bad BGP data has been introduced accidentally at least twice in the last few years, causing major problems, Ken Silva, head of networks and security at VeriSign Inc, told ComputerWire. While brief, these incidents caused major portions of the network to become inaccessible, while others were flooded with traffic.
"It's not easy to do, but it's not impossible," said Silva. Fortunately, you can't just download a tool from a warez site and start messing with international routing tables. You would probably need to be in control (by fair means or foul) of a network of some significance, requiring autonomous system designation by the appropriate body.
Secure-BGP (S-BGP) is at the Internet Draft stage in the Internet Engineering Task Force, designed by BBN Technologies. S-BGP would mandate the use of IPSec and public key infrastructure to have BGP announcements digitally signed, so that routers know when they receive a BGP update that it came from a trusted source.
"S-BGP is being used, but it could be used more extensively," said RouteScience's Lloyd. "We need to look at how reliable our PKI infrastructure is if we make our entire routing system reliant on it. But today PKI is in a lot better shape than the routing infrastructure."
An additional concern in the Clarke document is DNS, the method by which internet domain names are converted into IP addresses. DNS is used by virtually every network-enabled application, but is inherently insecure as applications doing DNS lookups have no way of knowing the reply came from the authoritative server for the correct domain.
Again, a standard way of securing DNS, called DNSSec, has been developed within the IETF, but it has yet to be widely deployed. Like S-BGP, DNSSec calls for some method of digitally signing a DNS message to show the requesting application that the reply is authoritative and has not been tampered with.
The specification is undergoing some work aimed at making it simpler and cheaper to upgrade name servers to support it, according to Paul Mockapetris, who is chief scientist of Nominum Inc (which develops DNS security software) and credited as the creator of the DNS spec.
"Right now we can deploy DNSSec, it would just be very expensive," said Mockapetris, estimating large namespaces would require two to five times the memory footprint on their servers just to upgrade. "I suspect the day a big DNS exploit is used [in an attack], that's the day people will say 'this is cheap enough.'"