Article: DoD, DoJ press FCC for industry-wide BGP security standard
Fierce Telecom: DoD, DoJ press FCC for industry-wide BGP security standard <https://www.fiercetelecom.com/telecom/dod-doj-press-fcc-industry-wide-bgp-security-standard>
Way overdue! In the last 4 weeks, I've had at least 20 diff conversations with FSI Network operators re: BGP hijacking, how to detect and in the future, mitigate with higher levels of success. Come on BGP RPKI/ROA adoption. I found the easiest way is via ISP pressure to implement dropping invalid routes.

On Mon, Sep 19, 2022, 6:29 PM Fletcher Kittredge <fkittredge@staff.gwi.net> wrote:
> Fierce Telecom: DoD, DoJ press FCC for industry-wide BGP security standard <https://www.fiercetelecom.com/telecom/dod-doj-press-fcc-industry-wide-bgp-security-standard>
> Way overdue! In the last 4 weeks, I've had at least 20 diff conversations with FSI Network operators re: BGP hijacking, how to detect and in the future, mitigate with higher levels of success. Come on BGP RPKI/ROA adoption. I found the easiest way is via ISP pressure to implement dropping invalid routes.
to remind, ROV is a safety mechanism, not a security mechanism. it is proving, as intended, to mitigate mistakes. which is very cool. but it does not mitigate attacks of any sophistication.

randy
Does another barrier to entry make sense? This makes it even more difficult still for new companies to start. Do we trust the FCC to come up with an industry wide fool proof (whatever that means) security standard? This is the same government that can't stop fake phone calls.

On Tue, Sep 20, 2022 at 1:39 PM Randy Bush <randy@psg.com> wrote:
> > Way overdue! In the last 4 weeks, I've had at least 20 diff conversations with FSI Network operators re: BGP hijacking, how to detect and in the future, mitigate with higher levels of success. Come on BGP RPKI/ROA adoption. I found the easiest way is via ISP pressure to implement dropping invalid routes.
> to remind, ROV is a safety mechanism, not a security mechanism. it is proving, as intended, to mitigate mistakes. which is very cool. but it does not mitigate attacks of any sophistication.
>
> randy
> Does another barrier to entry make sense?
ROV's ROA creation is a barrier to entry in north america, as discussed in another thread or see https://scholarship.law.upenn.edu/faculty_scholarship/2035/ there are other cultures where isp operational security is taken more seriously than power and money.
> Do we trust the FCC to come up with an industry wide fool proof (whatever that means) security standard?
note that the DHS funded the development of both dns and routing security technology. otoh, as other cultures, clue is not evenly distributed. the first step is said to be admitting one has a problem.

randy
ROA isn't mandatory. If it was, it would be a better comparison. Still, showing that low adoption rate shows the industry's interest in it. I think we all see the problem, but is there a viable solution? Is the problem big enough to warrant the transition?

On Tue, Sep 20, 2022 at 2:29 PM Randy Bush <randy@psg.com> wrote:
> > Does another barrier to entry make sense?
> ROV's ROA creation is a barrier to entry in north america, as discussed in another thread or see
> https://scholarship.law.upenn.edu/faculty_scholarship/2035/
> there are other cultures where isp operational security is taken more seriously than power and money.
> > Do we trust the FCC to come up with an industry wide fool proof (whatever that means) security standard?
> note that the DHS funded the development of both dns and routing security technology. otoh, as other cultures, clue is not evenly distributed.
> the first step is said to be admitting one has a problem.
>
> randy
On 20 Sep 2022, at 2:29 PM, Randy Bush <randy@psg.com> wrote:
> > Does another barrier to entry make sense?
> ROV's ROA creation is a barrier to entry in north america, as discussed in another thread or see
> https://scholarship.law.upenn.edu/faculty_scholarship/2035/

Randy -

I’d agree in principle with the statement that “ROA creation is a barrier to entry in north america” – as ARIN both started later with its RPKI service development and in some places has taken different approaches due to liability concerns in the highly litigious US environment in which we operate. Noting such, it is also worth pointing out that in the three years since publication of the Yoo/Wishnick (UPenn) report, ARIN has made several significant changes in order to make our RPKI services more usable both by those issuing ROAs as well as relying parties (e.g., integrating the RPKI service into ARIN Online, adding support for hybrid ROA distribution model, allowing parties that wish to redistribute ARIN RPKI repository to do so under agreement, allowing RPKI validator packages to distribute ARIN’s TAL and use simple click acceptance of the RPA, and most recently issuing an update to the ARIN RSA/LRSA which strikes much of the language in section 7 that gave pause to some organizations during their legal review). These changes occurred after discussions & feedback from this community, including in 2019 inviting Professor Yoo to present his findings during the ARIN 43 meeting – <https://www.arin.net/blog/2019/04/09/arin-43-day-2-daily-recap/>

ARIN still has quite a bit to go with RPKI: we’ve only recently been doing focused training on RPKI deployment; our RPKI user interface has colorful artifacts due to the requirement that organizations externally digitally sign their ROA requests, and we lack any interface support for cross RPKI, IRR & routing state reconciliation.

Addressing these items is now underway and should help growth of RPKI in the region, but I note that it is not holding back some organizations – ARIN has already seen significant RPKI growth in 2021 and 2022. Just this year (January through the end of August) we have gone from 2,334 to 2,931 orgs deploying RPKI and published ROAs going from 41,648 to 55,418. We have substantial IPv4 address space in the ARIN region and therefore quite a long way to go before our ROA coverage as a percentage is comparable to other regions, but the surge in RPKI deployment over the last two years already has the total of ARIN IPv4 space covered by ROAs comparable to that of the RIPE region in absolute terms; see [1] below.

I don’t dispute that “ROA creation is a barrier to entry in north america” (and remains so until ARIN addresses some of the remaining issues) but also believe that the characterization in the three year old report is not as timely / valid as when first issued, as since that time there has been a noticeable surge in RPKI deployment in the region.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

[1] https://certification-stats.ripe.net/
On Tue, Sep 20, 2022 at 5:40 PM Randy Bush <randy@psg.com> wrote:
> to remind, ROV is a safety mechanism, not a security mechanism. it is proving, as intended, to mitigate mistakes. which is very cool. but it does not mitigate attacks of any sophistication.
Mitigating against mistakes has value, and in some cases so does being able to strongly suggest that there was a more sophisticated approach taken.
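As an added illustration of the point Randy makes above (not code from the thread or from any of its participants): Route Origin Validation per RFC 6811 run over constructed ROAs and announcements, showing that ROV marks a mis-originated or over-specific prefix invalid but returns valid for any path whose rightmost AS merely matches the ROA, which is why it mitigates mistakes rather than deliberate attacks. All ASNs, prefixes and the ROA set are constructed documentation values.

```python
# Added example, not code from the thread, ARIN or psg.com: Route Origin
# Validation (RFC 6811) over constructed ROAs and announcements. It shows what
# ROV catches (origin mistakes, over-specific prefixes) and what it cannot
# (a path whose rightmost AS matches the ROA, whatever the rest of the path).
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str        # covered prefix, e.g. "192.0.2.0/24"
    max_length: int    # longest prefix length the origin may announce
    origin_as: int     # authorised origin AS

def rov_state(prefix: str, as_path: list, roas) -> str:
    """Return 'valid', 'invalid' or 'unknown' for one announcement.

    ROV looks only at the prefix and the origin AS (rightmost AS in the
    path); it never checks whether the rest of the path is genuine.
    """
    net = ipaddress.ip_network(prefix)
    origin_as = as_path[-1]
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "unknown"   # no ROA covers the prefix: ROV cannot judge it
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"       # covered, but wrong origin or too long a prefix

# Constructed ROA set: AS64496 may originate exactly 192.0.2.0/24.
ROAS = [ROA("192.0.2.0/24", 24, 64496)]

# Constructed announcements as seen by a router applying ROV.
ANNOUNCEMENTS = {
    "legit":         ("192.0.2.0/24", [64500, 64496]),         # true owner
    "fat_finger":    ("192.0.2.0/24", [64500, 64497]),         # wrong origin (mistake)
    "more_specific": ("192.0.2.0/25", [64500, 64496]),         # exceeds max_length
    "no_roa":        ("198.51.100.0/24", [64500, 64498]),      # unsigned space
    "forged_origin": ("192.0.2.0/24", [64500, 64510, 64496]),  # path ends in the authorised AS
}

def classify(announcements=ANNOUNCEMENTS, roas=ROAS) -> dict:
    """Map each announcement name to its ROV state."""
    return {name: rov_state(p, path, roas) for name, (p, path) in announcements.items()}

if __name__ == "__main__":
    for name, state in classify().items():
        print(f"{name:14s} -> {state}")
```

The "no_roa" case is the low-adoption problem discussed in the thread: without a ROA, dropping invalids changes nothing for that prefix, and the "forged_origin" case needs path validation rather than ROV.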
participants (6)
- Dennis B
- Fletcher Kittredge
- Gary Buhrmaster
- John Curran
- Josh Luthman
- Randy Bush