TweakTown

IT engineers ponder fix to dangerous Internet routing problem

The internet contains a massive security flaw which allows traffic to be rerouted and sniffed

Internet & Websites News | Posted: Apr 27, 2012 9:31 pm

While it's great that the internet is an open, widely available network, this openness yields some security flaws. Most have been dealt with by encryption and other security measures, but one gaping hole remains unfixed. This major hole can cause massive, widespread outages or allow your data to be snooped on.

 


 

The problem resides in the routers used by every corporation or company that owns a block of IP addresses. These routers constantly communicate with other routers to update their internal routing information. That information, some 400,000 entries, holds the best routes to other networks and is exchanged using a protocol called Border Gateway Protocol (BGP).

 

According to InfoWorld, "BGP enables routers to find the best path when, say, a network used to retrieve a web page from South Korea is not working properly. Changes in that routing information are distributed quickly to routers around the world in as few as five minutes."

 

The flaw is that the routers do not verify these "announcements." Outages can occur when someone accidentally enters incorrect information or a typo, or when someone enters false information maliciously. In the latter case, data can be routed through that person's network, where it can be sniffed and snooped upon.

 

"The broader problem here is that much of this critical infrastructure simply relies on players behaving correctly," said Dan Massey, an associate computer science professor at Colorado State University. "In a truly global system like the internet, you must assume that organizations will occasionally make unintentional mistakes."

 

InfoWorld gives a great explanation of the solution:

 

RPKI is complex, and deployment has been slow. Experts recently came up with an alternate system, nicknamed Rover for Route Origin Verification, that may be easier.

 

Rover stores the legitimate route information within the DNS, the enormous distributed database that translates a domain name into an IP address that can be called into a browser. That route information can be signed with DNSSEC, the security protocol that allows DNS records to be cryptographically signed, which is being widely adopted.

 

The advantages with Rover are that no changes need to be made to existing routers, and it can work alongside RPKI. "The whole infrastructure of securing the answer [of whether the route is legitimate] already exists," said Gersch, who has authored two specifications for how to name a route and the type of record that could be inserted into the DNS.

 

The specifications are currently in "internet draft" status before the Internet Engineering Task Force. The next step to becoming a standard is for a working group to adopt the documents, Gersch said.

NEWS SOURCE
Infoworld.com
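
The verification step that routers skip today, and that RPKI and Rover are meant to make possible, shown as an added example; it is not code from the article, InfoWorld or the Rover specifications. The table layout, the max_len field, the function names and every prefix and AS number are constructed assumptions, and Rover's actual DNS record format is not reproduced here.

```python
import ipaddress

# Constructed sample data: documentation prefixes and AS numbers, not real routes.
AUTHORIZED = [   # (prefix, authorized origin AS, longest allowed prefix length)
    ("192.0.2.0/24", 64500, 24),
    ("198.51.100.0/24", 64501, 25),
    ("2001:db8::/32", 64502, 48),
]

ANNOUNCEMENTS = [   # (prefix, origin AS) as seen in constructed BGP updates
    ("192.0.2.0/24", 64500),        # legitimate origin
    ("192.0.2.0/24", 64510),        # same prefix, unauthorized origin
    ("192.0.2.128/25", 64500),      # right origin, more specific than allowed
    ("198.51.100.128/25", 64501),   # more specific, but within max_len
    ("203.0.113.0/24", 64503),      # no published data for this space
    ("2001:db8:1::/48", 64510),     # IPv6 prefix, unauthorized origin
]


def load_table(rows):
    """Parse table rows into (network, asn, max_len) tuples."""
    return [(ipaddress.ip_network(p), asn, ml) for p, asn, ml in rows]


def validate_origin(table, prefix, origin_asn):
    """Classify one announcement as 'valid', 'invalid' or 'unknown'."""
    announced = ipaddress.ip_network(prefix)
    covering = [
        (asn, max_len) for net, asn, max_len in table
        if net.version == announced.version and announced.subnet_of(net)
    ]
    if not covering:
        return "unknown"    # no authorization data covers this prefix
    for asn, max_len in covering:
        if asn == origin_asn and announced.prefixlen <= max_len:
            return "valid"
    return "invalid"        # covered, but wrong origin or too specific


def flag_suspicious(table, announcements):
    """Return the announcements a route monitor should alert on."""
    return [(p, asn) for p, asn in announcements
            if validate_origin(table, p, asn) == "invalid"]


if __name__ == "__main__":
    table = load_table(AUTHORIZED)
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:20} AS{asn}: {validate_origin(table, prefix, asn)}")
```

The "unknown" result matters during slow deployment: address space with no published authorization cannot be told apart from a typo or a hijack, so only covered prefixes gain protection.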
