Hacker News new | past | comments | ask | show | jobs | submit login
White House asks agencies to step up internet routing security efforts (reuters.com)
124 points by arkadiyt 31 days ago | hide | past | favorite | 55 comments



This article leans more towards a general audience. For more a tech-leaning audience, perhaps see:

* https://arstechnica.com/tech-policy/2024/06/fcc-pushes-isps-...

* https://www.techspot.com/news/104590-white-house-declares-bg...

* https://www.securityweek.com/white-house-outlines-plan-for-a...

WH PR (linked to by Reuters):

> While there is no single solution to address all internet routing vulnerabilities, the roadmap advocates for the adoption of Resource Public Key Infrastructure (RPKI) as a mature, ready-to-implement approach to mitigate BGP’s vulnerabilities. RPKI consists of two primary components: Route Origin Authorizations (ROA) and Route Origin Validation (ROV). A ROA is a digitally-signed certificate that a network is authorized to announce a specific block of internet space (i.e., IP addresses). ROV is the process by which BGP routers use ROA data to filter BGP announcements flagged as invalid. Importantly, ROV can help protect an organization’s internet address resources only if that organization has created ROAs.

* https://www.whitehouse.gov/oncd/briefing-room/2024/09/03/fac...

Roadmap/whitepaper (PDF):

* https://www.whitehouse.gov/wp-content/uploads/2024/09/Roadma...


So ROA/ROV are for preventing prefix hijacking and IANA will personally issue a certificate to verify organization owns ASN.

But what impacts does this have on performance? Great we solved hijacking issue. But this other ASN which used to be a preferred route doesn’t use ROA/ROV (yet or refuses).

Now traffic reroutes to a less efficient path?


> But what impacts does this have on performance? Great we solved hijacking issue. But this other ASN which used to be a preferred route doesn’t use ROA/ROV (yet or refuses).

No performance impact: a routing table is a very (ahaha) binary thing, it takes a destination address and does a longest prefix match search in a table to find the next hop interface, to which it routes the packet.

Route validity is considered (alongside a bunch of other routing policy inputs) when constructing the table, not when a packet arrives.


I think you missed the parent commenter's point.

The purported performance hit wouldn't be from the propagation delay on any given router, but rather from shifts in traffic resulting in a longer path.

In practice, I suspect there will be very little impact for most traffic, since typical aspath lengths are, like, 2. (Mostly, direct peering between CDNs and ISPs if the data isn't cached within the ISP network to begin with)

edit for source:

> The average AS path length in a well-developed content network is about 1. Maybe 1.1.

https://youtu.be/gxO73fH0VqM?t=1387


> The purported performance hit wouldn't be from the propagation delay on any given router, but rather from shifts in traffic resulting in a longer path.

You are right, I neglected to point out that origin validation is (in the absence of shenanigans) not going to cause one path to be preferable to another: if the origin is the same AS, either both paths or neither is valid.

If the origin in two paths is two different ASes, either both are valid or shenanigans are afoot - perhaps there's a hijack being prevented, perhaps the network operator has screwed up their ROAs, perhaps the network operator is measuring sBGP uptake, perhaps the network operator is doing a rather bizarre and ineffectual form of traffic ingress management, or perhaps the network is in a transition from one AS to another, but those are all "shenanigans" in which routing efficiency is secondary to some other goal.

An alternative source for average BGP path length is https://blog.apnic.net/2024/01/10/bgp-in-2023-bgp-updates/ - where many other similar statistics can be found, and independently repeatable methodology is available. The average BGP path length for IPv4 is around 5.5 hops, and for IPv6 it is just shy of 5 hops. These numbers have been stable for a while with IPv4 slowly shrinking and IPv6 slowly growing, albeit in both cases by around 0.2 hops a decade.

And perhaps also relevant to the parent's question: path length itself is a pretty poor indicator of network performance by just about any measure you can name (excepting perhaps the TTL field), and is a last resort measure used only when all else is equal. The case of a prefix hijack being thwarted by origin validation is an extreme example in which the shorter (invalid) path represents 100% packet loss and the longer (valid) path given preference due to origin validation is infinitely more performant.

edit: oh, disclaimer - I am a co-author of one of the RPKI RFCs, and while I am personally not involved in secure BGP at present my employer definitely is. Opinions presented are mine.


You're certainly not wrong here -- it all depends what you're measuring and how. The 5-5.5 figure seems to be average length inside the internet routing tables, which is going to be skewed by smaller networks with relatively sparse connectivity and how IP space is carved up geographically.

> And perhaps also relevant to the parent's question: path length itself is a pretty poor indicator of network performance by just about any measure you can name (excepting perhaps the TTL field), and is a last resort measure used only when all else is equal.

Perhaps I focused the conversation in the wrong direction by mentioning AS path (and then further by describing the AS path between CDNs and end-users and framing that as "typical"). For a major CDN, most of the bytes served are originating from and destined to the same metro. Unless those CDNs have some serious problems with their RPKI setups, I expect that those bytes are going to continue flowing the same way they have been.


Average AS Path being about 1 isn't right. For direct peer CDN content sure Even AWS has their own path that's at least 2 from GTT, Areilon, NTT, etc from wherever you connect. if you are at a data center and use blended IP Transit that's another ASN to add to the path RIPE report had the average at 3-4 in 2012.


Path length is dependent on where you stand and look at it all, of course.

If anyone knows of a place in which a border router is only one (or 1.1 average) hop away from every other network on the planet, please let me know what real estate prices are like there, though.

(I suspect the 1.1 figure measures something quite different - the average path length inside a CDN or similar, which probably should be closer to one but might involve sneaky things like an overlay network).


I would wager the 1.1 figure is "average path length from CDN to end user", and quite possibly weighted by bytes served.

Most of the major players in the space (Netflix, Akamai, YouTube, Facebook, etc) have boxes inside ISP networks across major metros, so the path length to reach those ISPs' users is in fact 1 assuming a cache hit, and the RTT is certainly less than 20ms.


RPKI unfortunately doesn’t prevent BGP hijacking though. You need every message to be signed.


It solves a class of hijacks, where an autonomous system announces a prefix it is not authorized to announce. This is typically the operator error use case or uneducated bad actor use case. What it does not cover is if an autonomous system crafts an announcement containing the valid origin autonomous system in which case you would need a mechanism to validate the entire AS_PATH itself. ROA is only concerned about the origin in the AS_PATH.


The whole thing feels dishonest. BGP is working as intended, so should we really call hijacking a "vulnerability"? A failure to acknowledge that the protocol is fundamentally flawed and not fit for purpose.


BGP is working as intended, according to how it was designed before we had the opportunity to have decades of observations about how it can be abused.

And BGP is not really fundamentally flawed, what is fundamentally flawed is trying to get everyone to build an authoritative database on who owns which IPs and how they connect to their upstreams/downstreams, without it being possible for someone to manipulate that database nefariously. As we are on hacker news, you are probably aware that there is no such thing as a hack-proof system. The old IRR system would have been perfect if every IRR hoster had a dedicated team of highly trained NOC engineers who are capable of making cross references using the RIR databases to the fullest and investigate any anomalies to prevent any malicious submissions. Unfortunately, that doesn't scale as well as rolling out something smarter like RPKI. Unfortunately, everything was already setup to use the IRRs and some people like it that way, so getting to 100% RPKI adoption has been slow, just like IPv4 addresses will probably always be worth more than IPv6 even though in principle, IP address space should have zero inherent value because it's just a number and should not have any limited supply.

Source: Former RADB admin.


It’s interesting how easy it is to get someone to announce your prefixes, it often just takes a credible letter of authority, in my understanding all processes rely on manual due diligence. If an organization e.g. has a valid RIPE database entry that it can announce a given prefix under its own ASN I could set up an account at a cloud provider like Vultr using the business data of said company, charge it with 10 USD and then ask them to announce the prefixes of the organization under their ASN, pulling in traffic for these IPs. I could then try to reroute them to the actual destination (not always trivial but often doable), giving me a MitM setup. Not sure if it would work but it’s essentially what I did for my own organization and in my RIPE data there’s nothing that specifically says Vultr can announce my prefixes. I think today you need a service that monitors all BGP routes for your prefixes to detect this kind of incident, and then of course someone from the announcing ASN needs to delete the announcement.


> what I did for my own organization and in my RIPE data there’s nothing that specifically says Vultr can announce my prefixes

In RIPE, each as-num should list out a policy of which other ASNs can import/export routes from that ASN. I think there should also be a route/route6 object.

Do vultr not check/enforce this? (Other providers do).


They do not validate this and it's probably part of their appeal.


I have had to delete a lot of invalid routes from an IRR database due to things like this. Generally, we needed someone to notify us that someone was using a cloud provider to announce their prefix unexpectedly. I would love to build a system to be constantly cross referencing IRR changes to detect stuff like this proactively, it wouldn't be simple but it would be possible. Unfortunately very, very few people understand how the IRR works.


Can get US government also strong arm the organizations to do so?


I don't want this to sound cynical, but do we have any examples where the US government successfully got the corporations to actually increase security, as opposed to just gaming the regulations to make more money instead?


Assuming I'm understanding the article correctly, this seems to be about federal agencies being tasked with increasing the security of their own networks, not private companies being regulated. I don't think federal agencies tend to make a profit, and they're usually the ones making the regulations, not gaming them.



> they're usually the ones making the regulations, not gaming them.

Government agencies regularly game regulations that apply to them in the same way as corporations. See e.g. FOIA, Fourth Amendment, qualified immunity, civil asset forfeiture.


There are many, but perhaps the second part of your question is invisible, but is the meaningful one: "in a short timeframe" or "at reasonable cost" or something.

People like to dump on government but they can move the acceptable window/best practice to a place that corps would not have gotten to by themselves. Crypto is one, OWASP springs to mind, etc. But the government is not a homogeneous monolithic entity and it necessarily has to have some confliction built into it. You could have a bulletproof secure system for identity for example come out of NIST, say,...but the CIA would immediately need a workaround so that agents could assume new IDs in the field.


I think there is a good argument to be made that many companies would have created a better infrastructure by now if the government wasn't involved.


I think the fact that most of the world has decent payment systems (eg UK FPS) now due to government mandates, where the US notably does not, is a decent counterpoint.


worth noting that the Federal Reserve has gradually started up programs that now basically handle all the different types of inter bank transfers in the US.

Those programs have now out competed every corporate service in the space and are either the main clearing house/provider or the second main provider in each type of US bank transfer.

They now have FedNow which is a "next gen" for these types of transfer systems and over the course of the next few years to the next decade it'll probably eat all the other systems as well as the many corporate offerings as well.

https://en.wikipedia.org/wiki/Fedwire

https://en.wikipedia.org/wiki/FedACH

https://en.wikipedia.org/wiki/FedNow


Yeah, like moving to IPv6 in a small time frame.

People arguing about public vs. private are missing the mark entirely. It has nothing to do with that. It's all about how many people have to do a task.

The US govt got to the moon and created a nuclear bomb in a relatively tiny amount of time, all entirely because it was a relatively small number of people focused on the same task. As for people who own routers? Thousands and thousands of them who all have different interests who aren't all focused on the same goal.

Getting a large group of people to do one simple task is 100x harder than getting a small group of people to do a complex task. This is why humanity got to the moon but still are stuck on IPv4.


The moon and the bomb are both examples of what happens when you take aim at a problem with completely unlimited money and zero red tape. 400,000 people contributed to the moon landing and the Manhattan Project employed over 130,000 people. These were not small groups.


Obama was calling for 2FA back in 2016. https://www.wsj.com/articles/protecting-u-s-innovation-from-...

> we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords—adding an extra layer of security like a fingerprint or codes sent to your cellphone

Amongst other things.


And now every website has an excuse to require a verified phone number...

I guess it probably does raise the baseline, but at the cost of those who have good security practices.


There's a simple way to tell if 2FA is being used for security or to harvest phone numbers: Does the site let you use an email instead of a phone number? If you can't use an email, the purpose is to harvest phone numbers.


> Does the site let you use an email instead of a phone number?

Or TOTP.


TOTP is so good, it should be treated equally to or superior than phone number or e-mail as a requirement, by regulation, as an option for any site conducting business in US Dollars. E-mail is terrible for secure authentication. Banks have had plenty of time to implement this and haven't. TOTP can eliminate the password altogether, and make login usernames long-lived long TOTP or HOTP codes and I have just solved the terrible passkey problem!


Email is pretty reasonable for secure authentication. All but the most anachronistic mail servers use TLS these days and you're under no obligation to use any of the few that don't. The notion that email is insecure is from the old days when the links weren't encrypted.

SMS, on the other hand, is an abomination to this very day and should not be used by anyone for anything.


> TOTP can eliminate the password altogether

Does anyone have TOTP-only authentication?


Yes.

Edit: SOX, HIPAA, NIST CSF.

Government is not always bad.


These aren't great examples.

HIPAA is extraordinarily expensive, meanwhile healthcare providers continue to have abominable security because compliance is offloaded to a "compliance team" who comes around once in a while to check boxes without really understanding the system, which is managed by other people who don't really understand HIPAA. This is one of the reasons security in large organizations is hard. Bureaucracies gravitate toward bureaucratic solutions, but then the left hand doesn't know what the right hand is doing, which is a direct mechanism for security to get messed up.

SOX isn't really about "security", it's about auditing and so on, but it suffers from a disadvantageous trade off. Large companies are less likely to have accounting problems than smaller ones. The law was passed in response to major outliers like Enron, but basing rules on rare outliers generally results in bad rules. Meanwhile the smaller companies have disproportionately higher compliance costs, to the point that there have been proposals to exempt smaller companies. But that implies it probably isn't worth it for large companies because the rate of fraud is so low and it probably isn't worth it for small companies because the compliance costs are so high, and then there's nothing left.

Whereas NIST CSF is a different kind of thing because it's voluntary. This is where government publications can really do some good, because if they publish rubbish then nobody has to pay any attention to it and the cost is limited to the money they spent creating it, but if it's good then it's valuable to anyone who uses it. The government should definitely lean towards this method, but it's hard to call this one "regulations" -- and the criticism you're responding to was that corporations would end up "just gaming the regulations".


HIPAA is not extraordinarily expensive.


For small entities it is. Which, in turn, causes there to be fewer small entities, less competition, and higher prices. Which is extraordinarily expensive.

Also notice that a large part of the cost is poorly accounted for, because the way many of the non-destructed entities comply with it is by adopting cloud-hosted EMR systems that handle a lot of the compliance burden for them. Which aren't exactly cheap, but more than that they're usability fiascos that imperil patient care.


I really don't think this is true. What cost factors are you thinking of? We host lots of small HIPAA-complying businesses, and in my career I've consulted for many dozens more. As near as I can tell, there's actually not a whole lot to it.


This is what the government calls the "administrative simplification":

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/ad...

It's 115 pages. Just training the staff to comprehend what's in it is a non-trivial undertaking, assuming people are actually going to comply with it.

It has some fun provisions, like prohibiting disclosure of certain information except where disclosure is mandatory, which means there is no "err on the side of caution" and you need staff to know exactly what the conditions are if you want to avoid breaking the law.

There are various rules about computer systems and access controls that are all reasonable and expected in a large bureaucracy but not anything a small medical practice is going to be familiar with. So they'll have someone host it for them who has lawyers on staff and pay them a premium for it. That makes it "easier" and then the expense gets accounted for as something else. But now we're back to many of these systems being proprietary and miserable, because they're specialized to the limited (and extremely "enterprise") market of customers who need HIPAA compliance, and now small entities have to deal with the daily horrors of using "enterprise software" for their ordinary work.

Compliance costs also often seem low because people aren't actually complying. But then you're creating a competitive disadvantage for companies that actually follow the law.


Yeah, if that's what you mean, this just isn't expensive. If you do a lot of consulting for HIPAA companies, you get HIPAA-trained a bunch (ie: you fast-forward through a lot of videos with an HTML5 video playback speed hack). They're not a big deal; maybe a hundred or two per seat?

It's not my impression that HIPAA is one of the more burdensome regs regimes, and this comment sort of reinforces that belief.


I feel kind of the opposite. Like the way "compliance" works in corporations is everyone has to sit through a boring training video so they can check the box that says "trained staff on regulatory compliance" when the real cost is not just watching the video but actually diligently putting it into practice. Which is pretty cheap for the companies who skip doing that part, admittedly, but if that's expected to be the method of "compliance" then what's the point of the law?


Plenty of that with airplanes.


> The White House said on Tuesday it wants federal agencies to boost internet routing security on networks in the face of concerns raised by U.S. officials about China's ability to divert internet traffic.

Isn't that funny when the white house has been exposed secretly tapping every single non American (Chinese included) and American online activity, phones calls, mails, etc.

I'm not saying the Chinese should be able to do what the USA is already doing to the world but it's like seeing a thieft getting robbed by another criminal. Somehow its funny.


I don't understand why IT laypeople so often appeal to moral hypocrisy in matters of internal state interests: The basis for national security recommendations is not fairness for all human beings. Yes, if you're not a citizen, you are discriminated against. Sometimes, even if you are. That's the case for every nation. It also has limited bearing on whether a security policy is in the government's self-interest.


What is your point? Appealing to morals and pointing out hypocrisy to convey the message about someone not being trustworthy is fundamental.

Trusting US/Five eyes controlled companies with your data is a bad move. No matter if private or enterprise.

It is like people being perplexed about people complaining about some company or product. 'So choose another one?' Ye well others might wanna know about it too...


It's a non-sequitur. BGP validation was not recommended because of a moral claim. It was recommended for national readiness against an adversary. It also wouldn't be hypocritical if the USA (or China) subsequently engaged in BGP attacks. In fact, you can trust them to.


Thieves are probably more likely to want good locks on their house, it's for sure true with pentesters.

Security issues is a security issue, the justification is mostly just puffery. Even the white house statement is vague as hell with things some adversary might be able to do grasping at something to relate what is an industry-specific esoteric issue to some hypothetical tangible real world consequence.

It's like how Net Neutrality had that fake Comcast ad where you had to pay for tiers of internet to try to make sense of what really was a B2B market intervention to stop ISPs from rent-seeking tech companies. It made it relatable even if it wasn't at all what would have (and didn't happen I suppose) happened.


Why thief? All countries do protect their citizens and government from external dangers. Why is one of them suddenly "thief"?


Do you really think that only the US has been doing international electronic espionage?

Russia (and before them the Soviets), the Chinese, the French, the Brits, and many others have been doing it for decades.

This isn’t a response from China to US revelations, it’s a continuation and escalation of a practice they’ve been doing all along.


So my ISP fails https://isbgpsafeyet.com/

What would be the most convincing arguments to email my ISP with?



it looks like route views and bgpmon got embraced, extended, and largely extinguished by cisco? I've been out of this loop for a long time. is there a free service around for monitoring tables or something you can connect an openbgpd instance to for doing analysis?


There are several such sites. bgp.tools and bgp.he.net are two of the ones I use for web based monitoring.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: