Make BGP great again, er, no, for the first time: NIST backs internet route security brainwave

A proposal for securing BGP – the protocol that lays out the traffic pathways of the internet – has another backer: NIST, aka America's National Institute for Standards and Technology. The US government agency has issued a discussion paper outlining the use of Route Origin Validation (ROV) to protect the notoriously all-too- …
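Route Origin Validation, as an added worked example that is not from the article or from NIST's paper: the RFC 6811 origin check in Python against a constructed set of ROAs (the prefixes and ASNs are documentation ranges, not real announcements), followed by the usual accept/drop policy.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A validated ROA payload as used by RFC 6811: prefix, maxLength, origin ASN."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROA set (assumption for the example; not real RPKI data).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("192.0.2.0/24", 24, 64500),      # a second authorised origin for the same prefix
    ROA("198.51.100.0/22", 24, 64497),   # maxLength 24: /23 and /24 allowed, /25 is not
    ROA("2001:db8::/32", 48, 64498),
]


def rov_state(prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Classify an announced (prefix, origin AS) as Valid, Invalid or NotFound.

    RFC 6811: a ROA "covers" the route if its prefix contains the announced
    prefix. With no covering ROA the state is NotFound. If any covering ROA
    has the same origin ASN and the announced length does not exceed its
    maxLength, the route is Valid; otherwise it is Invalid.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != net.version:
            continue                      # v4 ROAs never cover v6 routes and vice versa
        if net.subnet_of(roa_net):
            covering.append((roa, roa_net))
    if not covering:
        return "NotFound"
    for roa, _ in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def accept_route(state: str, drop_invalid: bool = True) -> bool:
    """Common operator policy: drop Invalid, accept Valid and NotFound.

    NotFound is accepted because most of the table still has no ROA; an
    operator that dropped NotFound would lose reachability to all of it.
    """
    if state == "Invalid":
        return not drop_invalid
    return True


if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64496),      # legitimate origin            -> Valid
        ("192.0.2.0/24", 64666),      # wrong origin (hijack)        -> Invalid
        ("198.51.100.0/25", 64497),   # more specific than maxLength -> Invalid
        ("203.0.113.0/24", 64496),    # no ROA at all                -> NotFound
    ]
    for pfx, asn in announcements:
        state = rov_state(pfx, asn)
        print(f"{pfx:18} AS{asn}: {state:8} accepted={accept_route(state)}")
```

The distinction the code draws between Invalid and NotFound is the one that matters operationally: a prefix with no covering ROA is NotFound and is still accepted under the default policy, so a missing ROA does not by itself black-hole a route, it only leaves that route unprotected. Only an announcement that contradicts an existing ROA (wrong origin, or a more-specific leak beyond maxLength) is dropped.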

  1. John Smith 19 Gold badge
    Gimp

    Should be seen as a key part of the "surveillance is a threat to the net" agenda

    And knowing who you're talking to (at the network level) is a part of making sure your packets are not getting slurped by malicious actors.*

    So potentially a good start.

    *Choose your preferred MA depending on political outlook and area of the world.

  2. Anonymous Coward
    Anonymous Coward

    As an aside

    We have colo with a sizeable US provider, who also supply the comms. I can connect to the BGP port of our first hop outbound (their router, in other words) from a domestic DSL line in the UK.

    I'm pretty sure that this should be locked down to their peers. Or at least their continent.

    Beat my head off them for two weeks, and the best they could come up with was for us to firewall it so we couldn't see it.

    Anon because we use this for a live service.

    1. A.P. Veening Silver badge

      Re: As an aside

Their router, their security, and eventually someone will hack them; their problem after your fair warning.

      1. Wellyboot Silver badge

        Re: As an aside

        >>Their router, their security << but who ends up taking the hit?

        1. Alan Brown Silver badge

          Re: As an aside

          >>Their router, their security << but who ends up taking the hit?

          This is why you make sure you've documented that they've been warned and acknowledged receipt of the warning.

          That way if the splash zone includes you, you have an audit trail - and if it gets messy, passing that information to their public liability insurers can result in an interesting wakeup call.

Failure to mitigate this kind of threat would invalidate most liability insurance in the event of the ISP being hacked and facing civil litigation from aggrieved customers - it's usually liability insurers footing the bill when companies end up defending civil cases like this.

          There are ways of naming/shaming the ISP in forums where they'll get a good hard kicking without compromising your anonymity.

  3. Prosthetic Conscience
    Meh

    So much like IPv6 this will be adopted in the next 30 years, yeah?

    1. phuzz Silver badge

      Well, with IPv6 there's a financial incentive as the cost of buying more IPv4 addresses increases.

      I don't see any financial reason for a big company to spend time and money implementing this so thirty years is probably over optimistic.

      1. KarMann Silver badge

        One word

        Liability.

    2. Anonymous Coward
      Anonymous Coward

      Not like IPv6 at all

      IPv6 adoption requires end user participation, and affects ALL devices. BGP protection only affects a handful of devices in the typical enterprise (i.e. where they interconnect with outside networks/providers) so it is a far simpler problem.

      Though keeping certificates up to date has proven to be a problem already, and I'd hate to think an expired certificate would cause routes to go down. We might end up with a more secure, but less stable internet.

  4. Alan Brown Silver badge

    "good chaps"

    "The ancient protocol was written with the “good chaps theory” as one of its fundamental assumptions "

    Which was a proven fallacy even then.

At least one set of naval war games in the late 1970s/early 1980s ended within hours after Red team accessed Blue team's systems, downloading all their plans and intercepting orders, etc. They paralysed Blue team's deployment ability and "killed" them where they sat, in several cases by causing "self detonations" of Blue equipment without a Red team member in sight.

    Blue team cried "foul" and tried to have this kind of thing banned, but it marked when the US military became interested in cyber warfare.

    Academics getting onto DARPAnet brought a lot of that blind trust back, but those in the know were preaching security from the outset.

    1. Anonymous Coward
      Anonymous Coward

      Re: "good chaps"

      All protocols were written that way, because there was no alternative. Routers could barely route packets at wire speed, let alone handle encryption certificates.

  5. Flakk
    Joke

    Freddy Got FINGERed

    I was wondering what had happened to Tom Green. Microsoft's South Central US facility is lucky to have him.

  6. eldakka
    Coat

    Cisco, Juniper Networks, Palo Alto Networks, AT&T, CenturyLink, Comcast, and the George Washington University in the US helped NIST prepare the paperwork.

    You left out: NSA.
