Engineers Ponder Easier Fix to Dangerous Internet Problem

Internet traffic can be maliciously routed in order to spy on communications

By Jeremy Kirk
Thu, April 26, 2012
Page 2

"The broader problem here is that much of this critical infrastructure simply relies on players behaving correctly," said Dan Massey, an associate computer science professor at Colorado State University. "In a truly global system like the internet, you must assume that organizations will occasionally make unintentional mistakes."

But "imagine what a determined adversary might be able to do," Massey said. That could include attacks on critical infrastructure, such as power plants, which have become increasingly reliant on the Internet.

The solution is to have routers verify that the IP address blocks announced by others routers actually belong to their networks. One method, Resource Public Key Infrastructure (RPKI), uses a system of cryptographic certificates that verify an IP address block indeed belongs to a certain network.

RPKI is complex, and deployment has been slow. Experts recently came up with an alternate system, nicknamed ROVER for Route Origin Verification, that may be easier.

ROVER stores the legitimate route information within the DNS, the enormous distributed database that translates a domain name into an IP address that can be called into a browser. That route information can be signed with DNSSEC, the security protocol that allows DNS records to be cryptographically signed, which is being widely adopted.

The advantages with ROVER are that no changes need to be made to existing routers, and it can work alongside RPKI. "The whole infrastructure of securing the answer [of whether the route is legitimate] already exists," said Gersch, who has authored two specifications for how to name a route and the type of record that could be inserted into the DNS.

The specifications are currently in "internet daft" status before the Internet Engineering Task Force. The next step to becoming a standard is for a working group to adopt the documents, Gersch said.

Send news tips and comments to jeremy_kirk@idg.com

Our Commenting Policies