[ad_1]
This spring, the services heavy hitters like Google and Facebook seemed glitchy or inaccessible to people around the world for over an hour. But it wasn’t a hack, or even a glitch in any particular organization. This was the latest incident due to design flaws in the Border Gateway Protocol, the Internet’s basic universal routing system. Now, after years of slow progress in implementing improvements and safeguards, a coalition of Internet infrastructure partners is finally turning a corner in their fight to make BGP more secure.
Today, the group known as Mutually Agreed Standards for Routing Security announces a working group specifically dedicated to helping “content delivery networks” and other cloud services adopt filters and the cryptographic controls necessary to strengthen BGP. In some respects, the step is gradual, as MANRS has already formed working groups for network operators and so-called “Internet exchange points”, the physical physical infrastructure where Internet service providers and CDNs transmit data to each other’s networks. But this process happening in the cloud represents tangible progress that has been elusive so far.
“With nearly 600 total attendees at MANRS to date, we believe the enthusiasm and hard work of CDN and cloud providers will encourage other network operators around the world to improve routing security for all of us. Says Aftab Siddiqui, MANRS project manager and senior Internet technology executive at the Internet Society.
BGP is often thought of as a GPS navigation service for the Internet, allowing infrastructure players to quickly and automatically determine routes for sending and receiving data over complex digital topography. And like your favorite GPS mapping tool, BGP has some quirks and flaws that usually don’t cause problems, but can sometimes get you in heavy traffic on bridges. This happens when entities such as Internet service providers “wrong route” send data randomly and misguided across the Internet, and often into oblivion. This is when web services seem to be down. And the risks of this BGP insecurity don’t end with service disruptions – weaknesses can also be intentionally exploited by bad actors to redirect data over the networks they control for interception. This practice is known as “BGP hijacking” and has been used by hackers around the world, including China, for espionage and data theft.
A handful of leading CDNs have already spoken out about implementing BGP best practices and safeguards in their own systems and promoting them to others. After the so-called road leak in April, for example, Cloudflare released a tool called “BGP Safe Yet?” to let regular internet users know if their internet service provider has already implemented cryptographic route checks and filters. And on Wednesday, Google released an update on its efforts with MANRS to overhaul its own BGP infrastructure and convince industry contacts to do the same.
Organizations like Google and Cloudflare are increasingly motivated to support this change for the overall health of the internet, but also because the BGP route leaks that lead to outages reflect them poorly, no matter what the source of the problem. These types of important organizations are essential in fostering the adoption of these types of voluntary and cooperative technical changes, as they have relationships with infrastructure providers around the world.
“I spent 20 years in financial services doing cybersecurity for big banks, but a little over two years ago I joined Google because you are starting to see that the company’s dependence on this infrastructure is so big, ”said Royal Hansen, vice president of engineering security for Google Cloud. “My leverage was going to be so much more at Google than it would ever be in a single company.”
One of the main BGP guarantees promoted by MANRS is RPKI, or “Routing Public Key Infrastructure,” a public database of routes that have been cryptographically signed as proof of their validity. RPKI adoptees publish their suggested routes and check the database to confirm others’ routes, but the system can only eliminate route leaks and failures through universal adoption. If many ISPs or other organizations are not using it, providers will still need to accept unsigned, i.e., non-validated routes.
[ad_2]
Source link