Computing Now Exclusive Content — March 2011

IP Addresses Getting Security Upgrade

by George Lawton

Resource Public Key Infrastructure (RPKI) is being advanced for securing the Internet's IP address space and its autonomous system (AS) numbers, which identify the networks that originate IP routing prefixes. RPKI improves routing-system security by adding an authentication layer that lets network operators programmatically verify that they're working with authorized routing data.

"RPKI provides for strong cryptographic verification of address space ownership," said Steven Bellovin, a computer science professor at Columbia University who has worked with the US Department of Homeland Security (DHS) on routing security. "This helps secure the routing infrastructure against things like the Pakistan YouTube incident, China's reported hijacking of address space, and accidents like the AS 7007 incident," Bellovin said. "While the primary protection it provides is against accidents, it also provides some protection against malicious attacks."

These sorts of attacks have been growing in scale, and the issue came into the spotlight in the US with a recent China Telecom hijacking incident in which 15 percent of the world's Internet traffic was routed through Chinese servers.

Building a Secure Internet

Until recently, the Internet has operated without any infrastructure for protecting against accidental or malicious changes to the authorized name space. As a result, the Domain Name System (DNS), IP, and routing table resources might be poorly utilized, hijacked, or impersonated. Tools for detecting these errors have been improving, but they haven't been capable of enforcing a chain of trust to prevent the errors in the first place.

In 2003, hackers took over a block of IP addresses from Northrop Grumman for two months. More recent attacks have been larger in scale but shorter in duration. In 2008, Pakistan Telecom brought down the entire YouTube site for two hours in an apparent effort to restrict local access.

The first major wave of security upgrades was the introduction of DNSSEC, which uses PKI for protecting DNS. RPKI will bring the same sort of protection to IP addresses, and will be followed by BGPSEC for protecting Border Gateway Protocol (BGP) announcements.

Concerns about router security reached the national level in 2003, when the US Government issued a presidential directive indicating that BGP and DNS needed better security. The efforts are being driven in large part by the DHS, the US National Institute of Standards and Technology, and the Internet Engineering Task Force (IETF).

The DHS has budgeted $3 million a year for routing research through 2016 and has funded other research on open source router security tools as well. It supported the University of Oregon's Route Views project to speed the detection of routing incidents. It funded the Packet Clearing House (PCH) Prefix Sanity Checker, which helps validate IP address prefixes. These projects helped reduce incident detection time from 80 minutes in the Pakistan-YouTube incident to only 30 seconds in the China Telecom incident.

The IETF is in the final stages of reviewing and standardizing the RPKI specifications, and full RPKI implementations exist — including an open source implementation.

The 4-1-1 on RPKI

PKI provides a programmatic infrastructure for establishing a chain of trust between a client or router and a recognized certificate authority. RPKI introduces X.509 certificates to protect AS numbers and IP address resources. This infrastructure will support a chain of trust that starts with the Internet Assigned Numbers Authority (IANA) and moves through the five major regional Internet registries.

"The RPKI provides a secure method for network operators to securely attest to the network addresses they hold and thereby secure the routing paths of Internet traffic from one network to another," said Mark Kosters, chief technology officer for the American Registry for Internet Numbers (ARIN). "It does not secure connections between computers on the Internet."

The IETF designed the architecture to support multiple trust anchors if the need arises. However, the Internet Architecture Board and the Number Resource Organization are advocating for a single trust anchor that's closely aligned with the registry of the root hierarchy, which is now IANA. They say the single trust anchor will prevent numbering conflicts.

Mistakes and attacks in the allocation process are possible, so the Internet Architecture Board recommends that local operators adopt fallback plans for restoring their service routes without having to wait for a detected error to be corrected by the source. Consequently, the IETF is exploring mechanisms that will let network operators maintain local policy files and local trust anchors while maintaining compatibility with X.509 processing and a global trust anchoring system.

The IETF is also working on mechanisms that allow the cryptographic algorithms to be migrated in a robust, seamless transition (algorithm agility). The mechanisms will support updates to the signature algorithm suite for either performance or security improvements. The updates aren't expected to be frequent, but they will be necessary for the long-term evolution of router security.

Getting over the Hurdles

The adoption of RPKI faces both technical and organizational challenges. On the organizational side, vendors don't want to support RPKI until customers ask for it, and customers don't want to invest in using the RPKI until vendors support it. "However, the RPKI is seeing early adoption from the network operator community," said ARIN's Kosters, "and some vendors have begun development of RPKI support in their products."

On the technical side, RPKI will require specialized training in PKI technology, which has a steep learning curve. "However, ARIN and the other RIRs [Regional Internet Registries] are working hard to make the RPKI as easy to use as possible," said Kosters. "The focus of the RPKI work has been on security, but once the RPKI is entrenched in network operations it could ease the burden of maintaining complex routing policies and make it easier for network operators to find troublesome routing announcements."

There will be two types of RPKI users: the ISPs that hold address space and want to protect their customers by publishing a verifiable record of which network originates their prefixes, and the ISPs on the receiving side who rely on that information to check that the routes they receive come from the authorized source. "We would anticipate any ISP who wants to protect its customers from routing attacks would want to participate in this program," said Kosters.
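The check the receiving ISP performs, as an added example (not code from the article, ARIN, or any RPKI implementation): it classifies BGP announcements against Route Origin Authorizations (ROAs), the RPKI objects that record which AS may originate a prefix and how far it may be de-aggregated. The article does not name ROAs, and the prefixes and AS numbers below are constructed documentation values, not real registry data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ROA:  # AS <asn> may originate <prefix> and more-specifics up to <max_length>
    prefix: object  # IPv4Network or IPv6Network
    asn: int
    max_length: int

def roa(prefix: str, asn: int, max_length: Optional[int] = None) -> ROA:
    net = ipaddress.ip_network(prefix)
    return ROA(net, asn, net.prefixlen if max_length is None else max_length)

# Constructed sample ROA set (documentation prefixes and private ASNs, not real
# RIR data). A ROA naming AS 0 means "nobody may originate this space".
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 64496),          # exact prefix only
    roa("198.51.100.0/24", 64497, 26),   # holder may de-aggregate down to /26
    roa("2001:db8::/32", 64498, 48),
    roa("203.0.113.0/24", 0),            # AS 0: space must not be routed
]

def validate_origin(prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Classify one BGP announcement against validated ROAs: a ROA covers the
    route if its prefix contains it, and matches if it also names the same
    origin AS with the announced length <= max_length. Any match -> "valid";
    covered but unmatched -> "invalid"; uncovered -> "not-found" (no RPKI data).
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for r in roas:
        if r.prefix.version != route.version or not route.subnet_of(r.prefix):
            continue
        covered = True
        if r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def flag_troublesome(announcements: List[Tuple[str, int]],
                     roas=SAMPLE_ROAS) -> List[Tuple[str, int, str]]:
    """Return every (prefix, origin AS, state) that did not validate, the list a
    receiving operator would review or filter."""
    flagged = []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        if state != "valid":
            flagged.append((prefix, asn, state))
    return flagged
```

A more-specific prefix announced by an AS the holder never authorized comes back "invalid", which is the shape of the origin hijacks described above; "not-found" only means the holder has not published RPKI data yet.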

The RPKI rollout is likely to be easier than DNSSEC, because it sends its data out of band, said Sam Weiler, senior scientist at Sparta, a defense security vendor. "DNSSEC, which transmits its signatures, keys, and other security data within the DNS protocol, was repeatedly delayed by backward-compatibility issues. In the RPKI, certificates are being carried outside of the control plane, which avoids a whole class of problems."

RPKI is now being deployed in numerous pilots, although operators want to shake out various technical and legal issues before wide-scale deployment. Four of the five RIRs have RPKI in production: the African Network Information Center, the Asia Pacific Network Information Center, the Latin American and Caribbean Internet Address Registry, and the Réseaux IP Européens Network Coordination Centre.

Right now, network engineers are gathering data from the four production services as well as ARIN's pilot service. (ARIN's pilot service has been available to the RPKI development community since June 2010.) Kosters said that ARIN's Board of Trustees is looking into the legal liabilities of providing a hosted service. In April, ARIN will ask its members for feedback on the service at its biannual public policy and members meeting. "After that meeting," Kosters said, "ARIN will have a better idea of when we anticipate moving our pilot service into production."

George Lawton is a freelance writer based in Guerneville, California. Contact him at glawton@glawton.