The Internet community has had plenty of time and opportunity to self-organize sufficient security measures. The need for security has long been recognized, and it's understandable that the powers that be are getting impatient. While obviously it would be preferable for industry to voluntarily do stuff, if they don't then I guess it is justifiable that they get regulated.
BGP operators _have_ self-organized sufficient security measures. Compared to just about any other attack vector on the internet, BGP hijacking is among the least likely to impact most people.
Given that accidents involving BGP within the past several years have led to worldwide outages of the world's most-used websites, this is just not true. Also, thousands of known bad announcements occur every year, which are usually used in a very small window to send large volumes of abusive advertisements.
There's no reason not to force the industry to hold people accountable for false announcements. The privilege of announcement should be acquired by posting a significant amount of capital as a bond, from which damages can be removed when a system makes a false announcement. The vast majority of damages are a result of network operators on the subcontinent -- it is high time we figure out how to make them take the issue seriously, and pay out the nose until they do.
Threat models matter. If you're defending against nation state actors in a military/cyber context it is an essential part of the overall defense strategy. Ignoring BGP on the grounds that "it was always insecure" is then just weird, if not reckless.
The SCION project (IIRC from ZTH) solved all of this and also has been extensively tried in the field.
If you are defending against a nation state, you should be worried about your staff being bribed, otherwise coerced, or, worse, just being foreign agents.
In properly run networks, BGP hijacks shouldn't have a noticeable impact.
But what I do have are a very particular set of skills, skills I have acquired over a very long career. Skills that make me a nightmare for people like you.
> Compared to just about any other attack vector on the internet, BGP hijacking is among the least likely to impact most people.
But when it happens, it impacts massive amounts of people - about once a year on average [1]. Sometimes it's censorship gone bonkers, sometimes it's likely a three-letter agency, sometimes it's fat fingers, and sometimes it's cybercriminals attempting to loot cryptocurrency wallets.
BGP hijacking also works on a small scale. If you don't use DNSSEC and somebody hijacks the prefix(es) that host your DNS, they can obtain a letsencrypt certificate and redirect all your traffic.
If you don't have a CAA record and somebody hijacks the prefix(es) where your webserver is hosted, they can also obtain a letsencrypt certificate and redirect your traffic.
I'm not sure you're following. An attacker who controls BGP controls, for some small (or large) section of the Internet, the meaning of IP addresses. No DNS validation gets you around that.
LetsEncrypt does in fact do things to mitigate this attack, but they have nothing to do with DNSSEC: they do multi-perspective lookups, so you'd need Internet-wide routing control.
It seems you are missing something, maybe because you don't consider DNSSEC as something that gets actual use.
With DNSSEC, somebody can reroute traffic all they like; they cannot generate fake DNS responses that are DNSSEC-valid for a DNSSEC-secured victim domain. So if the CAA record is properly set to only allow the dns-01 validation method for ACME, there is simply no way to obtain a false certificate even if the attacker controls all of BGP.
That issue isn’t a DNSSEC problem, it’s that Let’s Encrypt was not familiar with the route hijacking threat model. It was pointed out early to them and they ignored it.
Why blame LetsEncrypt? Instead blame the operators who are refusing to address basic network security.
I run a network; we do the whole shebang of RPKI, DNSSEC, and CAA. It sounds a whole lot like operators who refuse to address clear security issues. LetsEncrypt is not to blame when someone spoofs your address space.
LetsEncrypt is not a LIR/RIR, their business is not IP resources but SSL certificates. They are a CA. They have no tools available to them to address that problem.
If you set the CAA correctly, then letsencrypt will limit validation to the DNS method. Together with DNSSEC that is enough to prevent issuing certificates in case of a route hijack.
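The CAA restriction described in the two comments above, as an added example (not code from the thread): a small evaluator of RFC 8659 `issue`/`issuewild` records with the RFC 8657 `validationmethods` parameter, run over a constructed record set for a hypothetical zone. It shows why a CA honouring CAA cannot use http-01 (the method a route hijack defeats) when the record pins dns-01.

```python
# Constructed sample CAA RRset for a hypothetical zone (flags, tag, value).
# "issue" pins one CA and restricts it to the dns-01 challenge; "issuewild ;"
# forbids wildcard issuance entirely.
SAMPLE_CAA = [
    (0, "issue", "letsencrypt.org; validationmethods=dns-01"),
    (0, "issuewild", ";"),
    (0, "iodef", "mailto:security@example.test"),
]


def parse_issue_value(value):
    """Split an issue/issuewild value into (issuer_domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip()
    return issuer, params


def caa_permits(records, ca_domain, method, wildcard=False):
    """Return True if this CAA RRset lets ca_domain issue using ACME challenge `method`.

    Follows RFC 8659: issuewild governs wildcard requests and falls back to issue
    when absent; an RRset with no relevant property imposes no restriction.
    """
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _, t, v in records if t == tag]
    if wildcard and not relevant:
        relevant = [v for _, t, v in records if t == "issue"]
    if not relevant:
        return True
    for value in relevant:
        issuer, params = parse_issue_value(value)
        if issuer != ca_domain.lower():
            continue  # empty issuer (";") or another CA: this property does not authorise us
        allowed = params.get("validationmethods")
        if allowed is None:
            return True  # no method restriction on this CA
        if method in [m.strip() for m in allowed.split(",")]:
            return True
    return False
```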
Legacy prefixes do not support RPKI unless you sign ARIN’s registration agreement and agree to pay. Many early IP address holders (including myself!) have never signed.
You don’t have to pay a dime. But don’t expect the rest of the Internet (that DO pay for their resources) to continue to guarantee reachability to your address space.
If you won’t get on board with RPKI/IRR you can’t cry foul when the rest of the Internet is paying the price to be reachable.
I am a resource holder and I pay my dues. I have no problems with paying for that privilege.
Internet access is not an inalienable right. It is a privilege. Even as it’s become increasingly more and more of a utility. Until laws start to reflect that, it is still a privilege at best.
Edit: before someone says anything about the trust anchors. Reminder: there are two overarching namespaces to the Internet, IP and DNS. You are free to ignore the authorities of both but don’t expect the rest of the Internet to play along when you want to use .billybob as your TLD.
As long as RPKI "unknown" / not-found prefixes are able to be globally routed, I will not pay. I have a legacy ARIN /24 from the '90s. It was cheaper for me to get an ASN and IPv6 block through a RIPE LIR than go through ARIN.
As for IRR, one of my upstreams created an RADB entry for me on behalf of my ASN, so not too concerned there.
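The "unknown" / not-found state the comment above relies on, as an added example that is not part of the thread: RFC 6811 route origin validation over a constructed ROA set, plus the drop policy most operators apply (reject invalid, still accept not-found). The prefixes and AS numbers are documentation/private ranges chosen for the example, not anyone's real resources.

```python
import ipaddress

# Constructed ROAs: (prefix, maxLength, origin AS). Not the thread's resources.
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]


def rov_state(roas, prefix, origin_as):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'.

    A ROA 'covers' an announcement when the announced prefix lies within the
    ROA prefix. The route is valid if some covering ROA has the same origin AS
    and the announced length does not exceed maxLength; invalid if covered but
    no ROA matches; not-found if no ROA covers it at all (e.g. a legacy block
    whose holder never created a ROA).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def accept_route(roas, prefix, origin_as, drop_not_found=False):
    """Import policy: drop invalid; accept not-found unless the operator opts to drop it."""
    state = rov_state(roas, prefix, origin_as)
    if state == "invalid":
        return False
    if state == "not-found":
        return not drop_not_found
    return True
```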
Yes. Whether or not a particular standard has been implemented is not interesting. What matters is the result.
Is BGP an attack vector that matters for the vast majority of threat models right now? I would say no. Given that: there is no need for (inevitably) poor regulation.
If your operation includes communication over the internet, BGP hijack is in your threat model (or your threat model is incomplete). I don't understand how "endpoints we care about may become unreachable" is not a big point for everyone. (Unless your business is extremely async and a day of delays is insignificant.)
By this logic, I should be concerned about defending against raccoon attacks since they are endemic to my area and I often go outside.
The point is that, in practice, the attacks are so uncommon and mitigated by so many other factors that the cost involved in further mitigation isn't worth it.
You develop a threat model to specifically get rid of concerns like this; not to list every possible attack vector imaginable.
What does the cryptography add? RIRs publish who owns which prefixes, and sign this list. If you're America worried about foreign countries hijacking BGP, you can ignore announcements received from overseas about prefixes that are owned by American actors, unless they add a record indicating they expect to deploy them overseas. You don't need any additional cryptography for this, or any protocol change.
Political routing is a faux pas. Also, the state(s) is/are not an authority.
The RIRs are. They operate a realm, and nation state and/or individual interests don't end at a border. The realm doesn't even have them.
Nevertheless, you are right about the need for more information being shared, although it's hard to oversee what new security issues that may introduce.
You might think the state is not an authority, but everyone else who thought that got jailed by the state, so it seems to be the case that it is one. If the state and some protocol disagree, and the state has the power to imprison people using the protocol if they don't cooperate to subvert it (something like this happened to Ethereum IIRC), the protocol has to just deal with it.
It's outright crazy to see US diplomats work their ass off globally only to see some lower institution (the FCC) with less intelligence, capabilities, etc. undermine their work and formal US geopolitical grand strategy & policy.