Computerworld

Weak links: IP, DNS and BGP

In the fine print of the Bush administration's recently released cybersecurity strategy is the stark admission that three critical components of the Internet's infrastructure are highly vulnerable to a variety of attacks.

The three troublesome components underpin all Internet communications. They are: IP; DNS, which maps the simple names used for Web and e-mail traffic to the lengthy, numeric IP addresses that routers actually deliver to; and Border Gateway Protocol (BGP), which controls interdomain routing, the exchange of reachability information between carriers' networks.

All three lack a means of authenticating communications. Although the Internet engineering community has spent more than a decade trying to retrofit these protocols with encryption and digital signatures, the security fixes aren't widely used by ISPs or their corporate customers because of the high cost and management overhead involved.

"We've been trying to push security into these protocols for years, but we've gotten no involvement from the operational side of ISPs or enterprises," says Russ Mundy, manager of network security research at Network Associates Laboratories, a division of Network Associates Inc. Now that the security offerings for these protocols are done or close to being done, the ISPs and other potential customers claim the offerings aren't practical or affordable, he says.

Even the U.S. military, which has spent millions of dollars to help develop secure versions of the three protocols, has yet to deploy them across its vast, global network infrastructure.

Resolvers looking up names in the Internet's .mil domain can't verify that a .mil name really maps to the IP address they are given, leaving the department open to attackers who could spoof one of its Web sites by answering with a false address. Similarly, the routers at the edge of the Defense Department's networks can't authenticate routing updates from routers on other backbone networks, creating the possibility of intentional misdirection of the department's communications. A spokesman for the Defense Information Systems Agency says it will secure .mil "as soon as technically feasible."

The problem is that the fixes - known as IP Security, DNS Security and Secure BGP - are too complex and too expensive for ISPs and companies to deploy. The protocols require hardware and software upgrades to handle the assignment, management and processing of keys, signatures and certificates, as well as additional operator support.

Given today's economic climate, ISPs and domain name registries aren't willing to spend millions of dollars on upgrades when their corporate customers aren't demanding additional security measures. Because none of the Internet's infrastructure players has deployed the secure versions of these protocols, there's no market pressure to upgrade.

It's the classic chicken-and-egg dilemma, and the Bush administration's cybersecurity strategy offers only the possibility of additional federal research dollars in the fiscal 2004 budget. Even with stronger government support, experts say it will take two to five years to deploy these fixes across enough of the Internet infrastructure to eliminate much of the threat.

"There are some in government who say the people who designed the Internet protocols were idiots. Let's go back and redesign it all," says Steve Bellovin, a well-known AT&T researcher and one of the directors of the Internet Engineering Task Force's (IETF) Security Area. "That's mostly a bad and dangerous approach to take."

Instead, Bellovin says the government needs to create market incentives for software vendors and ISPs to build security into their offerings. "What if vendors were liable financially for security problems? That would be an interesting question," he says.

Also contributing to the Internet industry's do-nothing approach to secure protocols is that few hackers exploit holes in IP, DNS or BGP. Instead, distributed denial-of-service (DDoS) attacks have caused the most damage, and fixing these three protocols won't prevent DDoS attacks.

"Part of the problem is there hasn't been a major attack," says Richard Probst, vice president of product management at Nominum, which develops DNS software. "If somebody took out a bank or a large e-commerce site, that would get everyone's attention."

IPSec proves hard to deploy

IPSec is the most mature of the three security protocols and is used in some VPNs. However, IPSec remains too complex for most network managers, and IPSec products from different vendors frequently fail to interoperate.

For a novice to set up IPSec is "virtually impossible," says Mark Kosters, vice president of research at VeriSign Inc.'s Global Registry Services. "If you want widespread adoption, it needs to be trivial to set these things up."

In particular, network managers have trouble configuring IP Security devices because they all use different words to describe various security policies.

"You can only manage an IP Security device with the management tool from the vendor of that IP Security device," Mundy says. "The only way you can configure in a consistent way all the devices on your network is if they're all from the same vendor."

To help fix this problem, the IETF's IP Security Policy working group is developing a consistent set of words to describe the policies that an IPSec device can enforce.

The IETF's IP Security working group also is developing a simpler key exchange technique to help reduce the complexity of IPSec devices.

Also on the horizon is IPv6, an overhaul of IP whose specifications require every implementation to support IPSec (though not to use it on every connection). However, IPv6 is another Internet infrastructure upgrade that has not yet shown much market momentum.

DNS Security considered too costly

DNS Security is not yet deployed in the Internet's root servers or top-level domains. One of the big problems with it is that assigning and managing keys for each domain name causes a huge performance hit for top-level domain operators.

"DNS Security requires 10 times the bytes" for each transaction, says Paul Mockapetris, inventor of DNS and chief scientist at Nominum. "From the standpoint of deploying the service, you have to increase disk space and memory on your DNS servers. It's two to five times the cost of the regular DNS service."

The IETF is working on two fixes to the DNS Security deployment challenge: Delegation Signer Resource Record and Opt In. Both fixes are supported in the latest version of Berkeley Internet Name Domain, the open source software that runs on most DNS servers.

Delegation Signer streamlines how a parent domain vouches for the keys of its child domains. Rather than signing the child's key directly, the parent publishes a Delegation Signer record containing a hash of that key, and a validating resolver accepts only a child key that matches the hash. For example, Delegation Signer makes it easier for .com to vouch for ibm.com, and for ibm.com in turn to vouch for the domain names under its umbrella, without the parent having to re-sign anything each time the child changes its keys.

Delegation Signer has widespread support within the IETF, and participants expect it to be finalized by year-end.
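As an added example, not code from the article or from BIND, the following Python shows the mechanism behind Delegation Signer: the parent holds a hash of the child's key-signing key, and a validating resolver accepts only a child DNSKEY that hashes to it. It assumes the RFC 4034 wire formats and SHA-256 digests; the zone name is the article's ibm.com example, and the key bytes are constructed placeholders, not real keys.

```python
"""Added example (not code from the article or from BIND): how a Delegation
Signer (DS) record lets a parent zone vouch for a child zone's key.

The child signs its own zone with a DNSKEY.  Instead of signing the child's
key itself, the parent publishes a DS record holding a hash of that key.  A
validating resolver then fetches the child's DNSKEY set and accepts only a
key whose hash matches the DS it already trusts.  Wire formats follow RFC
4034 (the 2003-era DS draft used SHA-1; SHA-256 is used here).  All key
bytes below are constructed placeholders, not real keys.
"""
import hashlib
import hmac
import struct

SHA256_DIGEST_TYPE = 2   # DS digest type number for SHA-256


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, each label prefixed by
    its length, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte
    algorithm number, then the raw public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum that tells a resolver
    which DNSKEY in a set a DS refers to (algorithm 1 uses a different rule
    and is not handled here)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, algorithm: int, pubkey: bytes) -> dict:
    """What the child hands up to the parent: DS = key tag, algorithm,
    digest type, SHA-256(owner name in wire form + DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": SHA256_DIGEST_TYPE,
        "digest": hashlib.sha256(canonical_wire_name(owner) + rdata).digest(),
    }


def find_trusted_key(ds_set: list, owner: str, dnskeys: list):
    """The resolver's check: return the (flags, algorithm, pubkey) DNSKEY
    from the child's set that matches one of the parent's DS records, or
    None if the parent vouches for none of them."""
    for flags, algorithm, pubkey in dnskeys:
        rdata = dnskey_rdata(flags, algorithm, pubkey)
        tag = key_tag(rdata)
        for ds in ds_set:
            if ds["key_tag"] != tag or ds["algorithm"] != algorithm:
                continue
            if ds["digest_type"] != SHA256_DIGEST_TYPE:
                continue
            digest = hashlib.sha256(canonical_wire_name(owner) + rdata).digest()
            if hmac.compare_digest(digest, ds["digest"]):
                return (flags, algorithm, pubkey)
    return None


# Constructed scenario: ibm.com (the article's example) is the child, .com
# the parent.  Flags 257 = key-signing key, 256 = zone-signing key;
# algorithm 8 = RSA/SHA-256.  Key bytes are placeholders.
CHILD = "ibm.com."
KSK_PUB = b"constructed-ksk-public-key-bytes"
ZSK_PUB = b"constructed-zsk-public-key-bytes"
CHILD_DNSKEYS = [(257, 8, KSK_PUB), (256, 8, ZSK_PUB)]

# Only the KSK's DS goes to the parent; the parent never sees or signs the
# ZSK, which is what makes routine key changes inside the child cheap.
PARENT_DS_SET = [make_ds(CHILD, 257, 8, KSK_PUB)]

# An attacker spoofing the child's DNSKEY response must present a key that
# hashes to the parent's DS, which they cannot produce.
FORGED_DNSKEYS = [(257, 8, b"attacker-chosen-key-bytes"), (256, 8, ZSK_PUB)]

if __name__ == "__main__":
    print("genuine key set ->", find_trusted_key(PARENT_DS_SET, CHILD, CHILD_DNSKEYS))
    print("forged key set  ->", find_trusted_key(PARENT_DS_SET, CHILD, FORGED_DNSKEYS))
```

The point to take from the check is that the parent stores one short hash per child, not the child's keys: a child can roll its zone-signing key at will and only has to send a new DS upward when the key-signing key itself changes.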

Opt In, a proposal from VeriSign, is more controversial. It lets domain name holders choose whether to adopt DNS Security. This gives operators of large domains a gradual approach for migrating name holders to DNS Security, and it limits the amount of new hardware and software they need to purchase up front.

DNS Security "is very robust. It's as though every door in New York City were unlocked, and we invented locks," Nominum's Probst says. "But the only way it works is to lock all the doors simultaneously, which is hard to do...For large domains like .com, .net or .uk, to lock any entry, they have to lock all entries. We have to get that fixed before they can deploy."

Opt In does not yet have the IETF's backing because it adds to the complexity of DNS resolution systems and it fails to secure all domain names, admits VeriSign's Kosters, one of the authors of the Opt In proposal.

"If Opt In is advanced, we will be ready in six months from the standard being ratified to move ahead with some sort of DNS Security service," Kosters says. He adds that if Opt In is not advanced, VeriSign has no plans to offer DNS Security.

Even if the top-level domain operators migrate to DNS Security, one challenge for network managers is that few operating systems support the protocol. For example, Microsoft doesn't support DNS Security in Windows.

Secure BGP gains little support

Of the three protocols that need security fixes, BGP is the farthest behind. The IETF has not yet agreed to work on a proposal for Secure BGP that was developed by BBN Technologies for the U.S. military. However, the IETF recently created a Routing Protocol Security Requirements working group that might consider Secure BGP.

In the past, ISPs and their enterprise customers have accidentally sent out inaccurate BGP updates that caused traffic disruptions, but no malicious BGP attack has been reported.

Security experts worry about someone deliberately sending Internet traffic down the wrong path. "Somebody playing games on BGP could eavesdrop and hijack sessions rather than just drop sessions," Bellovin says.

Under BBN's Secure BGP proposal, Internet registries would issue digital certificates to ISPs and corporations when they are assigned blocks of IP addresses, binding each block to the organization and the autonomous system entitled to announce it. ISP and corporate BGP routers would use these certificates to sign and verify the routing updates they exchange, so that a router receiving an advertisement can check that the originating network is actually authorized to announce that block of addresses.
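As an added example, not code from the article or from BBN's Secure BGP implementation, the following Python shows the kind of origin-authorization check that such registry-issued attestations make possible: a router checks whether the last AS in an UPDATE's path is the one a registry has bound to the announced address block, and catches the more-specific-prefix hijack that a plain prefix match would miss. It assumes an attestation of the form (prefix, maximum prefix length, origin AS) and uses an HMAC as a stand-in for the registry's public-key signature so that it runs on the standard library alone; prefixes, AS numbers and the key are constructed from documentation ranges.

```python
"""Added example (not code from the article, BBN or any router vendor): the
origin-authorization check that Secure BGP address attestations enable.

A registry issues a signed attestation binding an address block to the AS
allowed to originate it; a router checks each UPDATE's origin AS against the
attestations it holds.  Real S-BGP uses X.509 certificates and public-key
signatures; the HMAC below is a stand-in (assumption) so the example needs
only the standard library.  Prefixes, AS numbers and the key are constructed
and drawn from documentation ranges.
"""
import hashlib
import hmac
import ipaddress

# Stand-in for the registry's private signing key (constructed).
REGISTRY_KEY = b"constructed-registry-signing-key"


def _attestation_bytes(prefix: str, max_len: int, origin_as: int) -> bytes:
    return f"{prefix}|{max_len}|{origin_as}".encode("ascii")


def issue_attestation(prefix: str, max_len: int, origin_as: int,
                      key: bytes = REGISTRY_KEY) -> dict:
    """Registry side: bind an address block (and the longest prefix length
    the holder may announce out of it) to an origin AS, and sign it."""
    sig = hmac.new(key, _attestation_bytes(prefix, max_len, origin_as),
                   hashlib.sha256).hexdigest()
    return {"prefix": prefix, "max_len": max_len, "origin_as": origin_as, "sig": sig}


def attestation_is_genuine(att: dict, key: bytes = REGISTRY_KEY) -> bool:
    """Router side: ignore attestations not signed by the registry."""
    expected = hmac.new(key, _attestation_bytes(att["prefix"], att["max_len"],
                                                att["origin_as"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["sig"])


def validate_origin(announced_prefix: str, as_path: list, attestations: list) -> str:
    """Classify a BGP UPDATE (prefix, AS_PATH) as:
       'authorized'   - a genuine attestation covers the prefix, names the
                        origin AS, and the announced length is <= max_len
       'unauthorized' - an attestation covers the prefix but the origin AS
                        or the prefix length does not match (hijack or leak)
       'unknown'      - no genuine attestation covers the prefix at all
    The origin AS is the last AS in the path, the network that injected
    the route.
    """
    net = ipaddress.ip_network(announced_prefix, strict=True)
    origin_as = as_path[-1]
    covered = False
    for att in attestations:
        if not attestation_is_genuine(att):
            continue                      # forged: says nothing we can trust
        block = ipaddress.ip_network(att["prefix"], strict=True)
        if net.version != block.version or not net.subnet_of(block):
            continue                      # this attestation is about another block
        covered = True
        if att["origin_as"] == origin_as and net.prefixlen <= att["max_len"]:
            return "authorized"
    return "unauthorized" if covered else "unknown"


# Constructed registry data: AS numbers from the private-use range,
# prefixes from the documentation ranges.
ATTESTATIONS = [
    issue_attestation("192.0.2.0/24", 24, 64496),     # holder may announce only the /24
    issue_attestation("198.51.100.0/24", 26, 64497),  # holder may deaggregate down to /26
    issue_attestation("203.0.113.0/24", 24, 64498),
]

# A forged attestation: plausible fields, but not signed by the registry.
FORGED = dict(issue_attestation("203.0.113.0/24", 24, 64500))
FORGED["sig"] = "0" * 64

if __name__ == "__main__":
    updates = [
        ("192.0.2.0/24", [64500, 64496]),      # legitimate announcement via a transit AS
        ("192.0.2.0/25", [64500, 64496]),      # more-specific than the holder is allowed
        ("192.0.2.0/24", [64496, 64500]),      # wrong origin: classic prefix hijack
        ("198.51.100.64/26", [64497]),         # deaggregation within max_len
        ("203.0.113.0/24", [64500]),           # backed only by the forged attestation
        ("2001:db8::/32", [64496]),            # nothing on file for this block
    ]
    for prefix, path in updates:
        print(prefix, path, "->", validate_origin(prefix, path, ATTESTATIONS + [FORGED]))
```

The maximum-length field is what separates a real check from a naive one: without it, an attacker who announces a more-specific prefix inside an authorized block would win the longest-match lookup on every router while still "matching" the holder's attestation. The memory cost Seo describes in the article comes from routers having to hold attestations like these, and the signatures over them, for every block on the Internet.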

Secure BGP can only work if the Internet registries and the largest ISPs adopt it, but none has yet.

"The ISPs are worried about uptime and traffic delays," says Karen Seo, program manager for Secure BGP at BBN. "Securitywise, all they want to know is how much is this going to cost me."

Seo estimates that each ISP would need to upgrade 250 to 300 routers to add memory for storing keys that are required by Secure BGP. But neither Cisco Systems Inc. nor Juniper Networks Inc. offers backbone routers that can support Secure BGP.

Will secure protocols be enough?

Some experts say that even if ISPs and corporations deploy these three security protocols, the Internet's infrastructure will remain vulnerable to a bigger problem: bugs in the software that implements the protocols, and the patching those bugs require.

"I'm very much in favor of these efforts to improve the security of BGP, IP and DNS. But I don't think the problem is the protocols," Bellovin says.

"I can't think of any major security incident that was due to a design error in the protocols. Instead, it was bugs in implementation," he adds.