IT engineers ponder fix to dangerous Internet routing problem

While it's great that the internet is an open, widely available network, this openness yields some security flaws. Most have been dealt with by encryption and other security measures, but one gaping hole remains unfixed. This major hole can cause massive, widespread outages or allow your data to be snooped on.

The problem resides in the routers used by every corporation or company who owns a block of IPs. These routers are constantly communicating with other routers in order to update internal information. This internal information, some 400,000 entries, contains the best routes to get to other networks using a protocol called Border Gateway Protocol (BGP).

According to InfoWorld, "BGP enables routers to find the best path when, say, a network used to retrieve a web page from South Korea is not working properly. Changes in that routing information are distributed quickly to routers around the world in as few as five minutes."

The flaw resides in the fact that the routers do not verify the "announcements." So outages can occur because people accidentally put in incorrect information or typos or because someone maliciously enters the information. The latter can cause data to be routed through someone's network where it can be sniffed and snooped upon.

"The broader problem here is that much of this critical infrastructure simply relies on players behaving correctly," said Dan Massey, an associate computer science professor at Colorado State University. "In a truly global system like the internet, you must assume that organizations will occasionally make unintentional mistakes."

InfoWorld gives a great explanation of the solution:

RPKI is complex, and deployment has been slow. Experts recently came up with an alternate system, nicknamed Rover for Route Origin Verification, that may be easier.

Rover stores the legitimate route information within the DNS, the enormous distributed database that translates a domain name into an IP address that can be called into a browser. That route information can be signed with DNSSEC, the security protocol that allows DNS records to be cryptographically signed, which is being widely adopted.

The advantages with Rover are that no changes need to be made to existing routers, and it can work alongside RPKI. "The whole infrastructure of securing the answer [of whether the route is legitimate] already exists," said Gersch, who has authored two specifications for how to name a route and the type of record that could be inserted into the DNS.

The specifications are currently in "internet daft" status before the Internet Engineering Task Force. The next step to becoming a standard is for a working group to adopt the documents, Gersch said.