White House thinks it's time to fix the insecure glue of the internet: Yup, BGP

Noibody with a clue ever said ...

... that the Internet was designed to be secure, was intended to be secure, was secure, or in fact could be made secure.

Being nothing more than a wide area network built to investigate/study wide area networking, this existing iteration of "The Internet" is not now, never has been, and never will be secure ... at least not without a complete tear-down, redesign and rebuild. From scratch. That's what happens when you build a network from the ground up to share data, not to suppress the sharing of that data.

Putting on bandaids by changing things like BGP will not change this.

Right.

So this is the US government, in specific the POLITICAL arm of it, saying they want the main routing protocol 'fixed'.

Alarm bells anyone? The country that runs surveilance on the entire planet including their own citizens that includes such hits as tracking your phone calls, collecting all your email, tracking all your connections, watching all your web traffic, tracking you via your cell phone (and intercepting the calls), runs connection and association software based on all that data and tries to weaken encryprtion protocols so they can snoop even harder.

The US, the worlds most prolific nation state hacker and pervasive invasive spy state wants changes made to the routing protocol that enhance tracking capability, does a red flag pop up for you now?

No?

Given the Dual_EC_DRBG fiasco what makes you think they haven't already backdoored this one too, particularly as it is used prolifically in APAC?

Still no red flags?

OK I see you don't remember Vault 7, Dual_EC_DRBG and know nothing about security.

Carry on.

A BGP hijacking incident that I think indicates a larger problem.

In September 2022, someone BGP hijacked a cryptocurrency thing called Celer Network Bridge.

They got a valid TLS certificate for an imposter website by paying $18 and stole $235,000 in three hours

https://www.coinbase.com/blog/celer-bridge-incident-analysis

If a service is doing proper encryption and cryptographic authentication then a BGP hijack should just result in the service not working, but it seems that just seeing https in your browser is not a guarantee of that.

The operator of a website can, if they choose, do extra work to configure CAA to make it harder for an imposter website to show valid https but end users are never aware if that has been done. People putting together a website just think "showing ok in a browser and the free certificate is auto-renewing, great, it's all good".

Last year 'someone' put a man-in-the-middle proxy in front of the jabber.ru server in a Hetzner datacenter in Germany, it was noticed six months later when the certificate it was using expired.

So, er...

1) It'll never happen. Changing BGP is up there with moving off of IPv4 as a lovely pipe dream.

2) BGP isn't meant to be secure. Everyone is responsible for their own house and needs to decide who they trust to peer with and then share their own routing policies with those peers and thoroughly understand the routing policies that they receive. You should be validating your peers using the methods already available and you should be creating a policy that only receives the routes you are prefixes to receive.

3) Trust is about trusting who you trust and also trusting who they trust. See point 2.

4) If you are peering with hostile nations networks then you should expect them to be hostile.

5) Because of the trust model BGP, as with the rest of the internet, is designed to be decentralised. Any attempts to 'fix' it will almost certainly put more of an emphasis on centralised control. We all know that this central control will be in the US.

The white house indicated?

well let us hold our breath? Pls focus on actual things and not political parties ambitions that they don't understand a thing about....

The tribalisation of the internet.

Your internet will only cross borders that your government permits it to.

Say goodbye to the global internet.

Anything good gets invented, politicians take control of it and ruin it, or just kill it.

Am I oversimplifying by thinking of this as internet3 (or would it be 4 if i3 was the ipv6 roll out)?

It really just comes down to legislation, once a few of the bigger counties or blocks demand it, it will start to shift. If India or EU makes it a requirement then the revenue hit will force many companies hand. It really just comes down to how much they care about it and the time frame. Wouldn't surprise me to see them start with the ISPs, move to critical national infrastructure next and onwards from the large to small caps.