IP Addresses Getting Security Upgrade
Resource Public Key Infrastructure (RPKI) is being advanced for securing the Internet's IP addressing space and its autonomous system (AS) numbers, which represent IP routing prefixes. RPKI improves routing system security by adding an authentication layer that lets network operators programmatically verify they’re working with authorized routing data.
"RPKI provides for strong cryptographic verification of address space ownership," said Steven Bellovin, a computer science professor at Columbia University who has worked with the US Department of Homeland Security (DHS) on routing security. "This helps secure the routing infrastructure against things like the Pakistan YouTube incident, China's reported hijacking of address space, and accidents like the AS 7007 incident," Bellovin said. "While the primary protection it provides is against accidents, it also provides some protection against malicious attacks."
These sorts of attacks have been growing in scale, and the issue came into the spotlight in the US with a recent China Telecom hijacking incident in which 15 percent of the world's Internet traffic was routed through Chinese servers.
Building a Secure Internet
Until recently, the Internet has operated without any infrastructure for protecting against accidental or malicious changes to the authorized name space. As a result, the Domain Name System (DNS), IP, and routing table resources might be poorly utilized, hijacked, or impersonated. Tools for detecting these errors have been improving, but they haven't been capable of enforcing a chain of trust to prevent the errors in the first place.
In 2003, hackers took over a block of IP addresses from Northrop Grumman for two months. More recent attacks have been larger in scale but shorter in duration. In 2008, Pakistan Telecom brought down the entire YouTube site for two hours in an apparent effort to restrict local access.
The first major wave of security upgrades was the introduction of DNSSEC, which uses PKI for protecting DNS. RPKI will bring the same sort of protection to IP addresses, and will be followed by BGPSEC for protecting Border Gateway Protocol (BGP) announcements.
Concerns about router security reached the national level in 2003, when the US Government issued a presidential directive indicating that BGP and DNS needed better security. The efforts are being driven in large part by the DHS, the US National Institute of Standards and Technology, and the Internet Engineering Task Force (IETF).
The DHS has budgeted $3 million a year on routing research through 2016 and has funded other research on open source router security tools as well. It supported the University of Oregon's Route Views project to speed the detection of routing incidents. It funded the Prefix Clearing House (PCH) Prefix Sanity Checker, which helps validate IP address prefixes. These projects helped reduce the incident detection time from 80 minutes in the Pakistan-YouTube incident to only 30 seconds in the China Telecom incident.
The IETF is in the final stages of reviewing and standardizing the RPKI specifications, and full RPKI implementations exist — including an open source implementation.
The 4-1-1 on RPKI
PKI provides a programmatic infrastructure for establishing a chain of trust between a client or router and a recognized certificate authority. RPKI introduces X.509 certificates to protect AS numbers and IP address resources. This infrastructure will support a chain of trust that starts with the Internet Assigned Numbers Authority (IANA) and moves through the five major regional Internet registries.
"The RPKI provides a secure method for network operators to securely attest to the network addresses they hold and thereby secure the routing paths of Internet traffic from one network to another," said Mark Kosters, chief technology officer for the American Registry for Internet Numbers (ARIN). "It does not secure connections between computers on the Internet."
The IETF designed the architecture to support multiple trust anchors if the need arises. However, the Internet Architecture Board and the Number Resource Organization are advocating for a single trust anchor that's closely aligned with the registry of the root hierarchy, which is now IANA. They say the single trust anchor will prevent numbering conflicts.
Mistakes and attacks in the allocation process are possible, so the Internet Architecture Board recommends that local operators adopt fallback plans for restoring their service routes without having to wait for a detected error to be corrected by the source. Consequently, the IETF is exploring mechanisms that will let network operators maintain local policy files and local trust anchors while maintaining compatibility with X.509 processing and a global trust anchoring system.
The IETF is also working on mechanisms to allow algorithmic migration of the encryption protocols in a robust, seamless transition. The mechanisms will support updates to the signature algorithm suite for either performance or security improvements. The updates aren't expected to be frequent, but they will be necessary for the long-term evolution of router security.
Getting over the Hurdles
The adoption of RPKI faces both technical and organizational challenges. On the organizational side, vendors don't want to support RPKI until customers ask for it, and customers don't want to invest in using the RPKI until vendors support it. "However, the RPKI is seeing early adoption from the network operator community," said ARIN's Kosters, "and some vendors have begun development of RPKI support in their products."
On the technical side, RPKI will require specialized training in PKI technology, which has a steep learning curve. "However, ARIN and the other RIRs [Regional Internet Registries] are working hard to make the RPKI as easy to use as possible," said Kosters. "The focus of the RPKI work has been on security, but once the RPKI is entrenched in network operations it could ease the burden of maintaining complex routing policies and make it easier for network operators to find troublesome routing announcements."
There will be two types of RPKI users: the ISPs who want to protect their customers by creating a secure way of mapping the network's origin and the ISPs on the receiving side who rely on that information to ensure that the routes they received came from the correct source. "We would anticipate any ISP who wants to protect its customers from routing attacks would want to participate in this program," said Kosters.
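The receiving-side check described above, as an added example (not code from the article or from any RPKI implementation): route origin validation in the style of RFC 6811, run over constructed route origin authorizations (ROAs) and announcements that use documentation prefixes and AS numbers. The more-specific announcement from an unauthorized AS has the same shape as the Pakistan-YouTube incident.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Constructed stand-in for one validated ROA entry."""
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest prefix length the holder authorizes
    asn: int            # AS authorized to originate the prefix


def roa(prefix, max_length, asn):
    return ROA(ipaddress.ip_network(prefix), max_length, asn)


# Constructed sample data: documentation prefixes and documentation ASNs.
ROAS = [
    roa("192.0.2.0/24", 24, 64496),
    roa("2001:db8::/32", 48, 64497),
]


def validate_origin(route_prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for r in roas:
        # A ROA covers the route when the route lies inside the ROA prefix.
        if route.version != r.prefix.version or not route.subnet_of(r.prefix):
            continue
        covered = True
        # AS 0 in a ROA means "no AS may originate this", so it never matches.
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    # Covered but unmatched means wrong origin or too specific: reject.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64496),     # legitimate origin
        ("192.0.2.128/25", 64511),   # more-specific from an unauthorized AS
        ("192.0.2.0/25", 64496),     # right AS, longer than max_length
        ("198.51.100.0/24", 64500),  # no ROA covers this prefix
    ]
    for prefix, asn in announcements:
        print(prefix, f"AS{asn}", validate_origin(prefix, asn, ROAS))
```

A "not-found" result is not a rejection: while RPKI coverage is partial, most operators keep accepting routes with no covering ROA and drop only those classified "invalid".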
The RPKI rollout is likely to be easier than DNSSEC, because it sends its data out of band, said Sam Weiler, senior scientist at Sparta, a defense security vendor. "DNSSEC, which transmits its signatures, keys, and other security data within the DNS protocol, was repeatedly delayed by backward-compatibility issues. In the RPKI, certificates are being carried outside of the control plane, which avoids a whole class of problems."
RPKI is now being deployed in numerous pilots, although operators want to shake out various technical and legal issues before wide-scale deployment. Four of the five RIRs have RPKI in production: the African Network Information Center, Asia Pacific Network Information Center, Latin American and Caribbean Internet Address Registry, and Réseaux IP Européens Network Coordination Centre.
Right now, network engineers are gathering data from the four production services as well as ARIN’s pilot service. (ARIN's pilot service has been available to the RPKI development community since June 2010 at http://rpki-pilot.arin.net.) Kosters said that ARIN’s Board of Trustees is looking into the legal liabilities of providing a hosted service. In April, ARIN will ask its members for feedback on the service at its biannual public policy and members meeting. "After that meeting," Kosters said, "ARIN will have a better idea of when we anticipate moving our pilot service into production."
George Lawton is a freelance writer based in Guerneville, California. Contact him at glawton@glawton.