Difference between revisions of "P2pbgpsec"
(→In the news & blogs) |
(→2024) |
||
(49 intermediate revisions by the same user not shown) | |||
Line 19: | Line 19: | ||
==Internet Governance view== | ==Internet Governance view== | ||
− | ** excellent summary by Milton Mueller, Brenden Kuerbis. (2010,09).<br> | + | ** excellent summary by Milton Mueller, Brenden Kuerbis. (2010,09).<br> |
− | and addressing.</i> | + | <i>"Building a new governance hierarchy: RPKI and the future of Internet routing and addressing.</i> |
Retrieved from Internet Governance Project: | Retrieved from Internet Governance Project: | ||
http://internetgovernance.org/pdf/RPKI-VilniusIGPfinal.pdf | http://internetgovernance.org/pdf/RPKI-VilniusIGPfinal.pdf | ||
− | ** <i>"Negotiating a New Governance Hierarchy: An Analysis of the | + | ** <i>"Negotiating a New Governance Hierarchy: An Analysis of the Conflicting Incentives to Secure Internet Routing" </i><br> |
− | Conflicting Incentives to Secure Internet Routing" </i><br> | + | http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2021835 |
− | http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2021835 | ||
==Technical view== | ==Technical view== | ||
Line 33: | Line 32: | ||
http://www.youtube.com/watch?v=Z7Wl2FW2TcA | http://www.youtube.com/watch?v=Z7Wl2FW2TcA | ||
− | * Basic threat scenario: Man in the Middle attack / prefix hijacking, | + | * Basic threat scenario: Man in the Middle attack / prefix hijacking, presented at Defcon, 2008, by Pilosov/Kapela: |
− | presented at Defcon, 2008, by Pilosov/Kapela: | + | ** http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf |
− | http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf | + | ** https://www.youtube.com/watch?v=oWdjsfsS_Do . YouTube - DEF CON 16 - Anton Kapela & Alex Pilosov: Stealing The Internet |
* Enisa report on the routing security: : | * Enisa report on the routing security: : | ||
Line 58: | Line 57: | ||
http://www.cs.bu.edu/~goldbe/papers/RPKImanip.pdf | http://www.cs.bu.edu/~goldbe/papers/RPKImanip.pdf | ||
http://www.cs.bu.edu/~goldbe/papers/RPKImanip.html | http://www.cs.bu.edu/~goldbe/papers/RPKImanip.html | ||
− | |||
* (October 08, 2013) Threat Model for BGP Path Security | * (October 08, 2013) Threat Model for BGP Path Security | ||
http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-threats-07 | http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-threats-07 | ||
+ | |||
+ | * From the Consent of the Routed: Improving the Transparency of the RPKI; Ethan Heilman, Danny Cooper, Leonid Reyzin and Sharon Goldberg. | ||
+ | SIGCOMM'14, Chicago, IL. August 2014. http://www.cs.bu.edu/~goldbe/papers/sigRPKI_full.pdf | ||
+ | |||
+ | * On the Risk of Misbehaving RPKI Authorities; Danny Cooper, Ethan Heilman, Kyle Brogle, Leonid Reyzin and Sharon Goldberg. http://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf | ||
+ | ** Hardening RPKI against misbehaving authorities http://www.cs.bu.edu/~goldbe/papers/RPKImanip.html | ||
+ | |||
+ | * November 2014, RIPE69: Job Snijders on *not* recommending RPKI: https://ripe69.ripe.net/archives/video/184 / https://ripe69.ripe.net/wp-content/uploads/presentations/46-jobsnijders_ripe69_golden_prefixes.pdf | ||
+ | |||
+ | * November 2014 IETF91 http://www.cs.bu.edu/~goldbe/papers/goldberg_sidr_ietf91.pdf | ||
+ | |||
+ | * https://tools.ietf.org/html/draft-ietf-grow-simple-leak-attack-bgpsec-no-help-04 | ||
+ | |||
+ | * Nanog, autumn 2014: why TWC is NOT going to deploy RPKI: https://www.nanog.org/sites/default/files/wednesday_george_adventuresinrpki_62.9.pdf | ||
+ | |||
+ | * Nanog, June 2015: http://mailman.nanog.org/pipermail/nanog/2015-June/075687.html | ||
+ | |||
+ | "There are also potentially significant drawbacks to incorporating PKI into the routing space, including new potential DoS vectors against PKI-enabled routing elements, the potential for enumeration of routing elements, and the possibility of building a true 'Internet kill switch' with effects far beyond what various governmental bodies have managed to do so far in the DNS space. | ||
+ | |||
+ | Once governments figured out what the DNS was, they started to use it as a ban-hammer - what happens in a PKIed routing system once they figure out what BGP is? " | ||
+ | |||
+ | "So, what happens when the authorities in some locale start pressing for the cancellation of relevant certificates utilized in routing PKI, and/or order operators under their jurisdiction to reject same? " | ||
+ | |||
+ | |||
+ | |||
+ | * Another view on "why is the Internet Broken" https://medium.com/@cdn77/why-the-internet-is-broken-4962cdbbd664#.w6osajcyu | ||
+ | |||
+ | |||
+ | * Bamboozling Certificate Authorities with BGP , 27th USENIX Security Symposium. August 15–17, 2018 • Baltimore, MD, USA | ||
+ | ** https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-birge-lee.pdf | ||
+ | |||
+ | ===reported problems in blogs and news=== | ||
+ | |||
+ | 2023: | ||
+ | * https://www.reuters.com/business/media-telecom/australian-telco-optus-ceo-resigns-days-after-network-wide-outage-2023-11-19/ | ||
+ | * https://www.capacitymedia.com/article/2cfchogig2pgc1wnzfgg0/news/what-caused-australias-major-optus-outage | ||
+ | |||
+ | 2022: | ||
+ | * February 28, 2022: Inquiry into Secure Internet Routing (i.e. what is wrong with BGP :-)) https://docs.fcc.gov/public/attachments/FCC-22-18A1.pdf | ||
+ | |||
+ | |||
+ | 2021: | ||
+ | * overview: https://event.on24.com/wcc/r/3603248/27BF652060BB7FCC403076E81F5006D5 | ||
+ | * facebook.. labs... | ||
+ | * https://dev.hicube.caida.org/feeds/hijacks/events/moas/moas-1612540200-13414_136168/104.244.42.0-24 | ||
+ | * https://www.sciencedirect.com/science/article/pii/S1389128621000207 | ||
+ | |||
+ | |||
+ | 2020: | ||
+ | * https://www.itnews.com.au/news/telstra-routing-flub-affects-hundreds-of-networks-worldwide-554097 | ||
+ | * https://exchange.telstra.com.au/an-update-on-our-september-30-bgp-issue/ | ||
+ | |||
+ | |||
+ | 2015: | ||
+ | * https://www.security.nl/posting/437378/Kamervragen+over+gekaapte+IP-adressen+Buitenlandse+Zaken | ||
+ | * http://tweakers.net/nieuws/104414/bulgaarse-criminelen-misbruikten-ip-adressen-nederlandse-overheid.html | ||
+ | |||
+ | 2016: | ||
+ | * http://research.dyn.com/2016/03/ukraine-emerges-as-bogus-routing-source/ | ||
+ | |||
+ | * Sharon Goldberg @goldbe "Slides from my three hour tutorial on BGP security at the Technion TCE Summer School on Computer Security" http://www.cs.bu.edu/~goldbe/papers/BGPsecurityGoldbe.pdf | ||
+ | |||
+ | 2018: | ||
+ | * http://blog.ipspace.net/2017/12/bgp-tragedy-of-commons.html | ||
+ | * https://blog.apnic.net/2018/01/16/really-need-new-bgp/ | ||
==Heartbleed== | ==Heartbleed== | ||
Line 92: | Line 155: | ||
* October 2014: Job Snijders - Golden Prefixes: http://nlnog.com/dag2014/archive/3_nlnogdag2014_job_snijders_bgp_rpki.pdf | * October 2014: Job Snijders - Golden Prefixes: http://nlnog.com/dag2014/archive/3_nlnogdag2014_job_snijders_bgp_rpki.pdf | ||
− | =Current | + | * "Dovetail: Stronger Anonymity in Next-Generation Internet Routing" 2014, PET symposium: |
+ | https://www.petsymposium.org/2014/papers/Sankey.pdf | ||
+ | |||
+ | =Current solutions= | ||
+ | |||
+ | ==IRR== | ||
+ | |||
+ | * https://blog.apnic.net/2022/04/07/irr-hygiene-in-the-rpki-era/ | ||
+ | * https://wiki.techinc.nl/User:Becha/DeeperBGP | ||
+ | * securing bgp, Vesna's talk at 2007 ccc camp https://becha.home.xs4all.nl/routing-registry-bgp-tutorial.pdf | ||
+ | |||
+ | ==RPKI & sBGP== | ||
* IETF wg: SIDR (secure InterDomain Routing) | * IETF wg: SIDR (secure InterDomain Routing) | ||
Line 100: | Line 174: | ||
* Public discussion in European region: (articles, mailing lists, links) | * Public discussion in European region: (articles, mailing lists, links) | ||
http://www.ripe.net/lir-services/resource-management/certification/community-development | http://www.ripe.net/lir-services/resource-management/certification/community-development | ||
+ | * NIST document (July 2017) https://nccoe.nist.gov/sites/default/files/library/project-descriptions/sidr-project-description-final.pdf "SECURE INTER- DOMAIN ROUTING , Part 1: Route Hijacks" | ||
+ | |||
+ | * 2015: http://conferences.sigcomm.org/sigcomm/2015/pdf/papers/p115.pdf | ||
=In the news & blogs= | =In the news & blogs= | ||
− | * | + | See also: https://wiki.techinc.nl/Internet_Governance_and_hackers#News |
− | https:// | + | |
+ | ==2010-2015== | ||
+ | |||
+ | * + '''2006''': https://slashdot.org/story/06/05/08/142229/what-happened-to-blue-security | ||
+ | |||
+ | * 2010: Will feds mandate Internet routing security?, By Carolyn Duffy Marsan, Network World | DECEMBER 15, 2010 | ||
+ | https://www.networkworld.com/article/2196832/will-feds-mandate-internet-routing-security-.html | ||
+ | |||
+ | * https://mailarchive.ietf.org/arch/msg/ietf/7zKmscmqRB102PC7T3ToJCeDXFk/ | ||
− | * RIPE Members Vote To Continue RPKI Work, Nov 03, 2011 11:44 AM PDT | + | * RIPE Members Vote To Continue RPKI Work, Nov 03, 2011 11:44 AM PDT , By Michele Nylon |
− | By Michele Nylon | ||
http://www.circleid.com/post/20111103_ripe_members_vote_to_continue_rpki_wo rk/ | http://www.circleid.com/post/20111103_ripe_members_vote_to_continue_rpki_wo rk/ | ||
− | * | + | * 2011: Malcolm Hutty, from London Internet Exchange: https://archive.is/Tinl9 => https://publicaffairs.linx.net/news/?p=6118 |
− | |||
− | * NANOG: | + | * RPKI for PI users in RIPE region: http://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-March/002212.html |
+ | |||
+ | * NANOG: Single trust anchor? | ||
http://mailman.nanog.org/pipermail/nanog/2013-August/060199.html | http://mailman.nanog.org/pipermail/nanog/2013-August/060199.html | ||
Line 120: | Line 205: | ||
http://blog.cryptographyengineering.com/2013/09/on-nsa.html | http://blog.cryptographyengineering.com/2013/09/on-nsa.html | ||
− | * (NSA breaking crypto, SSL, etc, by Schneider ) | + | * (NSA breaking crypto, SSL, etc, by Schneider) https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html |
− | https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html | ||
* GOVERNMENTS WANT SUSPENDERS FOR SECURE ROUTING (24 September 2013) | * GOVERNMENTS WANT SUSPENDERS FOR SECURE ROUTING (24 September 2013) | ||
Line 131: | Line 215: | ||
* CSRIC/ Secure BGP deployment, March 2013 http://www.renesys.com/wp-content/uploads/2013/05/CSRIC-III-WG6-Presentation-20130314.pdf | * CSRIC/ Secure BGP deployment, March 2013 http://www.renesys.com/wp-content/uploads/2013/05/CSRIC-III-WG6-Presentation-20130314.pdf | ||
− | * IETF in Vancouver, Sept-November 2013 | + | * IETF in Vancouver, Sept-November 2013 (after Snowden) |
− | https://www.schneier.com/blog/archives/2013/09/take_back_the_i.html | + | https://www.schneier.com/blog/archives/2013/09/take_back_the_i.html |
− | http://www.ietf.org/blog/2013/09/security-and-pervasive-monitoring/ | + | http://www.ietf.org/blog/2013/09/security-and-pervasive-monitoring/ |
− | http://www.ietf.org/blog/2013/11/strengthening-the-internet/ | + | http://www.ietf.org/blog/2013/11/strengthening-the-internet/ |
− | http://www.ietf.org/blog/2013/11/we-will-strengthen-the-internet/ | + | http://www.ietf.org/blog/2013/11/we-will-strengthen-the-internet/ |
− | http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html | + | http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html |
− | http://www.economist.com/news/science-and-technology/21589383-stung-revelations-ubiquitous-surveillance-and-compromised-software/ | + | http://www.economist.com/news/science-and-technology/21589383-stung-revelations-ubiquitous-surveillance-and-compromised-software/ |
− | |||
* EXCELLENT OVERVIEW, philosophically, ethically & technically : http://geer.tinho.net/geer.uncc.9x13.txt | * EXCELLENT OVERVIEW, philosophically, ethically & technically : http://geer.tinho.net/geer.uncc.9x13.txt | ||
Line 150: | Line 233: | ||
* September 11, 2014 ACM Volume 12, issue 8 "Why Is It Taking So Long to Secure Internet Routing?" Sharon Goldberg, Boston University http://queue.acm.org/detail.cfm?id=2668966 // http://dl.acm.org/ft_gateway.cfm?id=2668966&ftid=1500097&dwn=1 | * September 11, 2014 ACM Volume 12, issue 8 "Why Is It Taking So Long to Secure Internet Routing?" Sharon Goldberg, Boston University http://queue.acm.org/detail.cfm?id=2668966 // http://dl.acm.org/ft_gateway.cfm?id=2668966&ftid=1500097&dwn=1 | ||
+ | |||
+ | * June 2015: http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/ | ||
+ | |||
+ | "For now — after years of warnings by Perlman, Bellovin, Kent, Clarke and many others — perhaps | ||
+ | the most telling statistic is the percentage of Internet traffic currently secured by the | ||
+ | new system of cryptographic network keys: zero." | ||
+ | |||
+ | * Securing the Internet Routing: Will the SIDR model succeed where the IRR model failed? http://blog.apnic.net/2015/06/01/will-the-sidr-model-succeed-where-the-irr-model-failed-part-i/ & http://blog.apnic.net/2015/06/01/will-the-sidr-model-succeed-where-the-irr-model-failed-part-ii/ | ||
+ | |||
+ | |||
+ | |||
+ | [[File:Screenshot 2024-01-03 at 21.47.57.png|400px|right]] | ||
+ | |||
+ | ==2022== | ||
+ | |||
+ | * https://blog.apnic.net/2022/04/07/irr-hygiene-in-the-rpki-era/ | ||
+ | |||
+ | * https://www.internetsociety.org/resources/doc/2022/internet-impact-brief-how-refusing-russian-networks-will-impact-the-internet/ | ||
+ | |||
+ | * https://www.eff.org/deeplinks/2022/03/wartime-bad-time-mess-internet | ||
+ | |||
+ | * suggestions to use routing to block internet in russia: https://www.pch.net/resources/Papers/Multistakeholder-Imposition-of-Internet-Sanctions.pdf | ||
+ | * https://www.theregister.com/2022/03/10/internet_russia_sanctions/ | ||
+ | * MORE: https://wiki.techinc.nl/TacticalMediaRoom#News | ||
+ | |||
+ | ==2023== | ||
+ | |||
+ | * https://www.kentik.com/blog/a-tale-of-two-bgp-leaks/ | ||
+ | |||
+ | * https://www.reuters.com/business/media-telecom/australian-telco-optus-ceo-resigns-days-after-network-wide-outage-2023-11-19/ | ||
+ | |||
+ | * RPKI's 2023 Year in Review https://mailman.nanog.org/pipermail/nanog/2024-January/224318.html | ||
+ | |||
+ | * https://labs.ripe.net/author/gih/models-of-trust-for-the-rpki/ | ||
+ | |||
+ | ==2024== | ||
+ | |||
+ | * https://www.commerce.gov/news/press-releases/2024/05/us-department-commerce-implements-internet-routing-security | ||
+ | * Marco D'Itri & ARIN: https://www.linux.it/~md/text/rs-arinlegacy-rswg2024.pdf | ||
+ | * Massimo https://packetvis.com/blog/rpki-trust-anchor-malfunctions/ | ||
+ | * https://youtu.be/Xd6evqMe5H0?si=FzNyBWw9l68ZEf8I | ||
+ | * orange_spain_outage_breach : https://www.bleepingcomputer.com/news/security/hacker-hijacks-orange-spain-ripe-account-to-cause-bgp-havoc/ & https://benjojo.co.uk/u/benjojo/h/r1zj333N4L6cF7P1xv & https://doublepulsar.com/how-50-of-telco-orange-spains-traffic-got-hijacked-a-weak-password-d7cde085b0c5 & https://www.ripe.net/publications/news/ripe-ncc-access-security-breach-investigation & https://www.theregister.com/2024/01/04/orange_spain_outage_breach/ & https://arstechnica.com/security/2024/01/a-ridiculously-weak-password-causes-disaster-for-spains-no-2-mobile-carrier/ & https://www.kentik.com/blog/digging-into-the-orange-espana-hack/ & https://nanog.org/stories/industry-news/digging-into-the-orange-espana-hack/ ** https://blog.benjojo.co.uk/post/rpki-signed-but-not-secure | ||
+ | |||
+ | * paper authentication! https://www.first.org/blog/20231222-Is-the-LoA-DoA-for-Routing | ||
=Meshnets media= | =Meshnets media= | ||
− | See also: | + | See also: |
− | |||
− | |||
+ | * https://wiki.techinc.nl/index.php/MeshNet | ||
+ | * [[Privacy_Software_Workshop_Series#Mesh_networks]] | ||
* Becha's article with many links: | * Becha's article with many links: | ||
http://becha.home.xs4all.nl/hackers-philosophers-utopian-network-dec-2012-becha.pdf | http://becha.home.xs4all.nl/hackers-philosophers-utopian-network-dec-2012-becha.pdf |
Latest revision as of 09:06, 15 May 2024
Projects | |
---|---|
Participants | |
Skills | |
Status | Dormant |
Niche | Software |
Purpose | Infrastructure |
Contents
Peer 2 Peer BGP Security
wiki page for participants of p2p-sec mailing list: https://lists.puscii.nl/wws/arc/p2p-sec
Objectives
- to contribute to creation and implementation of the distributed/decentralized (web-of-trust) BGP security.
- to create connections between people who share simmilar concerns about the upcoming introduction of hierarchical BGP-security structures, based on PKI/X.509 technology
- to provide space for disscussion & exchange of opinions, news, materials
- to co-ordinate the efforts among various groups that work on the above topics
Problem statements
Internet Governance view
- excellent summary by Milton Mueller, Brenden Kuerbis. (2010,09).
- excellent summary by Milton Mueller, Brenden Kuerbis. (2010,09).
"Building a new governance hierarchy: RPKI and the future of Internet routing and addressing.
Retrieved from Internet Governance Project: http://internetgovernance.org/pdf/RPKI-VilniusIGPfinal.pdf
- "Negotiating a New Governance Hierarchy: An Analysis of the Conflicting Incentives to Secure Internet Routing"
- "Negotiating a New Governance Hierarchy: An Analysis of the Conflicting Incentives to Secure Internet Routing"
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2021835
Technical view
- How broken is SSL: a talk by Moxie Marlinspike: "SSL And The Future Of Authenticity" at Defcon 2011:
http://www.youtube.com/watch?v=Z7Wl2FW2TcA
- Basic threat scenario: Man in the Middle attack / prefix hijacking, presented at Defcon, 2008, by Pilosov/Kapela:
- http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf
- https://www.youtube.com/watch?v=oWdjsfsS_Do . YouTube - DEF CON 16 - Anton Kapela & Alex Pilosov: Stealing The Internet
- Enisa report on the routing security: :
- Jeroen Massar's presentaton on Routing Security
- Sharon Goldberg: Should we secure routing with the RPKI (19 September 2013) , Princeton CS
http://www.cs.princeton.edu/ajax/abstract/467
- Is the Juice Worth the Squeeze? BGP Security in Partial Deployment
Robert Lychev, Sharon Goldberg, Michael Schapira. SIGCOMM'13, Hong Kong, China. August 2013.
http://arxiv.org/pdf/1307.2690v1 http://arxiv.org/abs/1307.2690
- Impacting IP Prefix Reachability via RPKI Manipulations
Kyle Brogle, Danny Cooper, Sharon Goldberg and Leonid Reyzin. Boston University Technical Report. January 4, 2013.
http://www.cs.bu.edu/~goldbe/papers/RPKImanip.pdf http://www.cs.bu.edu/~goldbe/papers/RPKImanip.html
- (October 08, 2013) Threat Model for BGP Path Security
http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-threats-07
- From the Consent of the Routed: Improving the Transparency of the RPKI; Ethan Heilman, Danny Cooper, Leonid Reyzin and Sharon Goldberg.
SIGCOMM'14, Chicago, IL. August 2014. http://www.cs.bu.edu/~goldbe/papers/sigRPKI_full.pdf
- On the Risk of Misbehaving RPKI Authorities; Danny Cooper, Ethan Heilman, Kyle Brogle, Leonid Reyzin and Sharon Goldberg. http://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf
- Hardening RPKI against misbehaving authorities http://www.cs.bu.edu/~goldbe/papers/RPKImanip.html
- November 2014, RIPE69: Job Snijders on *not* recommending RPKI: https://ripe69.ripe.net/archives/video/184 / https://ripe69.ripe.net/wp-content/uploads/presentations/46-jobsnijders_ripe69_golden_prefixes.pdf
- November 2014 IETF91 http://www.cs.bu.edu/~goldbe/papers/goldberg_sidr_ietf91.pdf
- Nanog, autumn 2014: why TWC is NOT going to deploy RPKI: https://www.nanog.org/sites/default/files/wednesday_george_adventuresinrpki_62.9.pdf
- Nanog, June 2015: http://mailman.nanog.org/pipermail/nanog/2015-June/075687.html
"There are also potentially significant drawbacks to incorporating PKI into the routing space, including new potential DoS vectors against PKI-enabled routing elements, the potential for enumeration of routing elements, and the possibility of building a true 'Internet kill switch' with effects far beyond what various governmental bodies have managed to do so far in the DNS space.
Once governments figured out what the DNS was, they started to use it as a ban-hammer - what happens in a PKIed routing system once they figure out what BGP is? "
"So, what happens when the authorities in some locale start pressing for the cancellation of relevant certificates utilized in routing PKI, and/or order operators under their jurisdiction to reject same? "
- Another view on "why is the Internet Broken" https://medium.com/@cdn77/why-the-internet-is-broken-4962cdbbd664#.w6osajcyu
- Bamboozling Certificate Authorities with BGP , 27th USENIX Security Symposium. August 15–17, 2018 • Baltimore, MD, USA
reported problems in blogs and news
2023:
- https://www.reuters.com/business/media-telecom/australian-telco-optus-ceo-resigns-days-after-network-wide-outage-2023-11-19/
- https://www.capacitymedia.com/article/2cfchogig2pgc1wnzfgg0/news/what-caused-australias-major-optus-outage
2022:
- February 28, 2022: Inquiry into Secure Internet Routing (i.e. what is wrong with BGP :-)) https://docs.fcc.gov/public/attachments/FCC-22-18A1.pdf
2021:
- overview: https://event.on24.com/wcc/r/3603248/27BF652060BB7FCC403076E81F5006D5
- facebook.. labs...
- https://dev.hicube.caida.org/feeds/hijacks/events/moas/moas-1612540200-13414_136168/104.244.42.0-24
- https://www.sciencedirect.com/science/article/pii/S1389128621000207
2020:
- https://www.itnews.com.au/news/telstra-routing-flub-affects-hundreds-of-networks-worldwide-554097
- https://exchange.telstra.com.au/an-update-on-our-september-30-bgp-issue/
2015:
- https://www.security.nl/posting/437378/Kamervragen+over+gekaapte+IP-adressen+Buitenlandse+Zaken
- http://tweakers.net/nieuws/104414/bulgaarse-criminelen-misbruikten-ip-adressen-nederlandse-overheid.html
2016:
- Sharon Goldberg @goldbe "Slides from my three hour tutorial on BGP security at the Technion TCE Summer School on Computer Security" http://www.cs.bu.edu/~goldbe/papers/BGPsecurityGoldbe.pdf
2018:
- http://blog.ipspace.net/2017/12/bgp-tragedy-of-commons.html
- https://blog.apnic.net/2018/01/16/really-need-new-bgp/
Heartbleed
Possible alternative technical approaches
- "trust agility", a talk by Moxie Marlinspike: "SSL And The Future Of Authenticity" at Defcon 2011:
http://www.youtube.com/watch?v=Z7Wl2FW2TcA
https://www.eff.org/deeplinks/2011/11/sovereign-keys-proposal-make-https-and-email-more-secure
- October 21, 2013: "Evolving the Web Public Key Infrastructure", IAB Security Program
http://tools.ietf.org/html/draft-tschofenig-iab-webpki-evolution-00
- Various suggestions in comments on Scheider's blog post about Renesys artcle, November 2013
https://www.schneier.com/blog/archives/2013/11/rerouting_inter.html
- October 2014: Job Snijders - Golden Prefixes: http://nlnog.com/dag2014/archive/3_nlnogdag2014_job_snijders_bgp_rpki.pdf
- "Dovetail: Stronger Anonymity in Next-Generation Internet Routing" 2014, PET symposium:
https://www.petsymposium.org/2014/papers/Sankey.pdf
Current solutions
IRR
- https://blog.apnic.net/2022/04/07/irr-hygiene-in-the-rpki-era/
- https://wiki.techinc.nl/User:Becha/DeeperBGP
- securing bgp, Vesna's talk at 2007 ccc camp https://becha.home.xs4all.nl/routing-registry-bgp-tutorial.pdf
RPKI & sBGP
- IETF wg: SIDR (secure InterDomain Routing)
- Software: http://www.rpki.net/
- RIPE NCC: https://www.ripe.net/lir-services/resource-management/certification
- Public discussion in European region: (articles, mailing lists, links)
http://www.ripe.net/lir-services/resource-management/certification/community-development
- NIST document (July 2017) https://nccoe.nist.gov/sites/default/files/library/project-descriptions/sidr-project-description-final.pdf "SECURE INTER- DOMAIN ROUTING , Part 1: Route Hijacks"
In the news & blogs
See also: https://wiki.techinc.nl/Internet_Governance_and_hackers#News
2010-2015
- 2010: Will feds mandate Internet routing security?, By Carolyn Duffy Marsan, Network World | DECEMBER 15, 2010
https://www.networkworld.com/article/2196832/will-feds-mandate-internet-routing-security-.html
- RIPE Members Vote To Continue RPKI Work, Nov 03, 2011 11:44 AM PDT , By Michele Nylon
http://www.circleid.com/post/20111103_ripe_members_vote_to_continue_rpki_wo rk/
- 2011: Malcolm Hutty, from London Internet Exchange: https://archive.is/Tinl9 => https://publicaffairs.linx.net/news/?p=6118
- RPKI for PI users in RIPE region: http://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-March/002212.html
- NANOG: Single trust anchor?
http://mailman.nanog.org/pipermail/nanog/2013-August/060199.html
- (after PRISM) "there's a circumstantial case that the NSA and GCHQ are either directly accessing Certificate Authority keys** or else actively stealing keys from US providers, possibly (or probably) without executives' knowledge. This only requires a small number of people with physical or electronic access to servers, so it's quite feasible.*** The one reason I would have ruled it out a few days ago is because it seems so obviously immoral if not illegal, and moreover a huge threat to the checks and balances that the NSA allegedly has to satisfy in order to access specific users' data via programs such as PRISM."
http://blog.cryptographyengineering.com/2013/09/on-nsa.html
- (NSA breaking crypto, SSL, etc, by Schneider) https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
- GOVERNMENTS WANT SUSPENDERS FOR SECURE ROUTING (24 September 2013)
- "...allowing the US the power to arbitrarily shut countries off the net is [...] what deployment of DNSSEC and the rPKI under the current models would do.
- CSRIC/ Secure BGP deployment, March 2013 http://www.renesys.com/wp-content/uploads/2013/05/CSRIC-III-WG6-Presentation-20130314.pdf
- IETF in Vancouver, Sept-November 2013 (after Snowden)
https://www.schneier.com/blog/archives/2013/09/take_back_the_i.html http://www.ietf.org/blog/2013/09/security-and-pervasive-monitoring/ http://www.ietf.org/blog/2013/11/strengthening-the-internet/ http://www.ietf.org/blog/2013/11/we-will-strengthen-the-internet/ http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html http://www.economist.com/news/science-and-technology/21589383-stung-revelations-ubiquitous-surveillance-and-compromised-software/
- EXCELLENT OVERVIEW, philosophically, ethically & technically : http://geer.tinho.net/geer.uncc.9x13.txt
.Tradeoffs in Cyber Security .Dan Geer, 9 October 13, UNCC
- December 21013: http://www.internetsociety.org/blog/2013/12/resilience-commons-addressing-routing-security-challenges
- September 11, 2014 ACM Volume 12, issue 8 "Why Is It Taking So Long to Secure Internet Routing?" Sharon Goldberg, Boston University http://queue.acm.org/detail.cfm?id=2668966 // http://dl.acm.org/ft_gateway.cfm?id=2668966&ftid=1500097&dwn=1
"For now — after years of warnings by Perlman, Bellovin, Kent, Clarke and many others — perhaps the most telling statistic is the percentage of Internet traffic currently secured by the new system of cryptographic network keys: zero."
- Securing the Internet Routing: Will the SIDR model succeed where the IRR model failed? http://blog.apnic.net/2015/06/01/will-the-sidr-model-succeed-where-the-irr-model-failed-part-i/ & http://blog.apnic.net/2015/06/01/will-the-sidr-model-succeed-where-the-irr-model-failed-part-ii/
2022
- suggestions to use routing to block internet in russia: https://www.pch.net/resources/Papers/Multistakeholder-Imposition-of-Internet-Sanctions.pdf
- https://www.theregister.com/2022/03/10/internet_russia_sanctions/
- MORE: https://wiki.techinc.nl/TacticalMediaRoom#News
2023
- RPKI's 2023 Year in Review https://mailman.nanog.org/pipermail/nanog/2024-January/224318.html
2024
- https://www.commerce.gov/news/press-releases/2024/05/us-department-commerce-implements-internet-routing-security
- Marco D'Itri & ARIN: https://www.linux.it/~md/text/rs-arinlegacy-rswg2024.pdf
- Massimo https://packetvis.com/blog/rpki-trust-anchor-malfunctions/
- https://youtu.be/Xd6evqMe5H0?si=FzNyBWw9l68ZEf8I
- orange_spain_outage_breach : https://www.bleepingcomputer.com/news/security/hacker-hijacks-orange-spain-ripe-account-to-cause-bgp-havoc/ & https://benjojo.co.uk/u/benjojo/h/r1zj333N4L6cF7P1xv & https://doublepulsar.com/how-50-of-telco-orange-spains-traffic-got-hijacked-a-weak-password-d7cde085b0c5 & https://www.ripe.net/publications/news/ripe-ncc-access-security-breach-investigation & https://www.theregister.com/2024/01/04/orange_spain_outage_breach/ & https://arstechnica.com/security/2024/01/a-ridiculously-weak-password-causes-disaster-for-spains-no-2-mobile-carrier/ & https://www.kentik.com/blog/digging-into-the-orange-espana-hack/ & https://nanog.org/stories/industry-news/digging-into-the-orange-espana-hack/ ** https://blog.benjojo.co.uk/post/rpki-signed-but-not-secure
- paper authentication! https://www.first.org/blog/20231222-Is-the-LoA-DoA-for-Routing
Meshnets media
See also:
- https://wiki.techinc.nl/index.php/MeshNet
- Privacy_Software_Workshop_Series#Mesh_networks
- Becha's article with many links:
http://becha.home.xs4all.nl/hackers-philosophers-utopian-network-dec-2012-becha.pdf