InFocus: Preserving the integrity of the Internet
Convergence of voice, video and data may be inevitable -- but the timing is not. Enterprise end users have been mentally prepared for years to deal with the Internet's fundamental unreliability, through redundant provisioning and fault-tolerant protocols like TCP and BGP. But new concerns about the Internet infrastructure's trust mechanisms (or lack thereof) have led some to call for additional "trust engineering" before the Net will be ready to take center stage.
The paradox of trust on the Internet comes from the fact that it attempts to build a reliable and trustworthy infrastructure out of anonymous, untrusted components. Since its inception, the Internet has linked organizations who are largely anonymous, with no a priori basis for mutual trust. Ten years of higher-level protocol research went into the creation and deployment of trust mechanisms such as SSL that protect end-users' ecommerce transactions. But the Internet's underlying infrastructure is comparatively wide open for exploitation.
Recently, Internet users have begun to notice that IP addresses are not necessarily unique. Due to weaknesses in BGP4, the core routing protocol of the Internet, there is no guarantee that any particular IP address is in any single place on the Net at once, or that it has been there for any specific amount of time. The core notion of identity of an end-site on the Internet--the uniqueness of an IP address--has been called into question. Awareness of this problem is growing and now is the time for carriers to address it.
Addressing this problem will require significantly better visibility into the ways that routing on the Internet evolves over time. In order to build trusted infrastructure on top of untrusted components, carriers will ultimately have to offer trust services to enterprises and end-users that allow them to evaluate the credibility of the traffic that reaches them.
Network operators today have an opportunity to create a new, higher-trust level of service, and simultaneously avoid a hazardous decline in trust in the basic Internet infrastructure. Without this approach, we are in danger of losing the confidence of end-users in Internet infrastructure. We also risk the ultimate involvement of well-meaning federal regulators who, convinced that the Internet is “critical infrastructure” (which it is), believe that guaranteeing the identity of endpoints on the Internet is crucial.
The Problem
The largest service providers on the Net trust each other. They trust each other to tell the truth, all the time, about everything. They trust each other's customers, and their customers. It is surprising, but most of the time, this works well. But occasionally, someone makes a mistake, or lies.
Someone in Malaysia pretends that they are Yahoo. Someone in Turkey pretends that they are everyone else. And as long as they convince just a couple of carriers (or only one) to accept their lies (or unintentional falsehoods), the damage spreads rapidly throughout the Internet.
To understand how this works, a little bit of routing is necessary. A routing announcement creates a location for an IP address. Routing announcements, much like gossip, start in a particular place (nominally, the registered "owner" of that IP address) and spread throughout the Internet. But like gossip, it is difficult for any listener to determine the truth of a particular announcement, especially as they get further from the source. In practice, what this means is that multiple people can convince portions of the Internet that they are, for a time, the same IP address. They can even outright steal portions of an enterprise or provider network, often without detection. This is sometimes referred to as Network Hijacking or Network Identity Theft.
BGP4, the current routing protocol that makes the Internet work, provides some mechanisms for trying to detect and reject these lies (or "filter the announcements" in industry parlance). But these mechanisms are mostly unworkable at the core of the Internet—they simply don't scale to, well, Internet scales. So Level (3) ends up trusting Sprint because it has little choice. And Sprint repays the favor. As long as Level (3) is correctly filtering the announcements from every single customer all of the time, the system will work. But as soon as Level (3) makes a mistake, Sprint is guaranteed to believe it and spread the damage far and wide.
This isn't to single out these two carriers. The same is true of UUNet (Verizon), AT&T, NTT, Global Crossing, Savvis, Qwest, Telia, Teleglobe, and every other large network provider in the world. Security practitioners are familiar with the notion of end-to-end security, where each step in a process can be trusted, and as a result, the entire transaction is secure. Right now, the Internet trust model is closer to police the edges (or most edges) and blindly trust everything in the core. This, obviously, does not produce a trustworthy set of end-to-end relationships.
Why would someone do this? Mostly, they're motivated by money. Spammers seeking to send out more spam and suffer fewer consequences "borrow" the IP addresses of a legitimate mailer. They blast several hundred million messages and then give the addresses back to their rightful owner, who now reaps the crop of complaints from spam that really did come from his IP addresses (if not from him). There are lots of other malicious uses of this technique.
What is most troubling about the nature of Network Identity Theft is that, unlike most security problems, it is not local in nature. When Company A's servers get hacked, they are their servers, not yours. Unless they are an important business partner or customer, it really doesn't affect you at all. If they were to secure their environment better (with good firewalls and a careful security update plan and practice), then they could keep their servers safe. But with the threat of Network Identity Theft (IP Hijacking), perfect security on routers, servers and firewalls is no barrier. Anyone can, at any time, have people running around the Internet pretending to be them. The vulnerability here is not to anyone in particular, but to all of us, and it is global in scope, not local. This makes it particularly problematic.
Solutions
Operators and computer scientists are well aware of this problem. Two fairly complete solutions have been proposed: sBGP and soBGP. Aside from having confusingly similar names, the two solutions use some of the same techniques to address the problem. The main change involves cryptographically signing routing announcements. Many users are surprised that this isn't part of the routing protocol already.
Securing routing protocols with strong cryptography is a great solution. Unfortunately it has seen little interest, and zero actual adoption, from large carriers. This is because doing this sort of thing properly requires substantial changes to routing hardware, which was mostly designed to push packets among interfaces quickly, rather than do CPU-intensive cryptographic calculations. Cap-Ex-constrained carriers prefer to invest their money in hardware that can offer new services and expand their market. And so these heavyweight solutions get left on the curb.
Detection, Reputation, Trust
So, assuming that most backbone operators are not going to forklift upgrade their routing infrastructure to easily support strong crypto for all routing announcements any time soon, where does that leave us?
Customers are, quite reasonably, going to assume that service providers are the authority for where a particular IP address actually is (and has been) on the Internet. They are going to expect that carriers will solve this problem related to the fundamental security of the infrastructure.
But that leads to a particular difficulty: no single carrier can plausibly solve this whole problem on its own, even for its own customers. This is true because of the global nature of the problem: even if Sprint carefully polices the routes that it accepts and propagates, if no one else does, Sprint's customers' routes will still be stolen and their network identities will be hijacked. Until routing is secured globally and universally, providers are going to have to work together to share information about this kind of malicious activity, just as they do with other security problems (Denial of Service Attacks, botnets, phishing, etc.).
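The detection the previous paragraphs call for, and the "same IP address in several places at once" symptom described under The Problem, as an added example that is not part of the original article or of Renesys' own tooling: a monitoring point compares the origin AS of each announcement it sees against the registered owner of the covering block, flagging foreign origins and foreign more-specifics, and separately reports prefixes seen from more than one origin. All prefixes, AS numbers and timestamps are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of route announcements as a route collector might record
# them: (timestamp, prefix, AS path as seen from the collector). The origin AS
# is the last element of the path. All ASNs and prefixes are made up.
ANNOUNCEMENTS = [
    ("2012-03-01T10:00:00", "198.51.100.0/24",   [64500, 64510, 64520]),
    ("2012-03-01T10:05:00", "198.51.100.0/24",   [64501, 64510, 64520]),
    ("2012-03-01T11:30:00", "198.51.100.0/24",   [64500, 64530, 64599]),
    ("2012-03-01T11:31:00", "198.51.100.128/25", [64500, 64530, 64599]),
    ("2012-03-01T11:40:00", "203.0.113.0/24",    [64502, 64540, 64521]),
]

# Origin AS each block's registered "owner" is expected to announce it from.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("198.51.100.0/24"): 64520,
    ipaddress.ip_network("203.0.113.0/24"): 64521,
}

def covering_block(prefix, expected):
    """Return the registered block that covers prefix (exactly or as a
    more-specific), or None if the space is not registered."""
    for block in expected:
        if prefix.subnet_of(block):
            return block
    return None

def detect_hijacks(announcements, expected):
    """Flag announcements whose origin AS contradicts the registered owner.

    Returns (alerts, moas): alerts is a list of (timestamp, prefix, origin,
    reason); moas maps each prefix seen from more than one origin AS to the
    set of origins, i.e. the same address apparently in several places."""
    alerts = []
    origins_seen = defaultdict(set)
    for ts, pfx, path in announcements:
        prefix = ipaddress.ip_network(pfx)
        origin = path[-1]
        origins_seen[prefix].add(origin)
        block = covering_block(prefix, expected)
        if block is None:
            continue  # unregistered space: nothing to compare against
        if origin != expected[block]:
            # A more-specific wins longest-prefix match wherever it is
            # accepted, so it is the more damaging of the two cases.
            reason = ("foreign origin" if prefix == block
                      else "more-specific from foreign origin")
            alerts.append((ts, pfx, origin, reason))
    moas = {str(p): o for p, o in origins_seen.items() if len(o) > 1}
    return alerts, moas
```

In practice the expected-origin table would come from the registry data the owners publish and the announcements from a route collector's feed; the comparison logic is the same.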
If providers are able to work together to offer customers some real solutions to detect and mitigate network identity theft, SOX-regulated customers will pay for those solutions immediately. Anything else would be an unacceptable risk to business. There is therefore a rare opportunity for service providers to work together to create solutions that improve the end-to-end security of the Internet and simultaneously generate more revenue. If network operators do not act together to solve these problems proactively, it's likely that solutions will be mandated, and these will not come with revenue opportunities. Let's not blow this chance.
Todd Underwood is Chief Operations and Security Officer for Renesys Corp.
© 2012 Penton Media Inc.