Difference between revisions of "P2pbgpsec"
(→In the news & blogs) |
(→In the news & blogs) |
||
Line 164: | Line 164: | ||
* June 2015: http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/ | * June 2015: http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/ | ||
− | "For now — after years of warnings by Perlman, Bellovin, Kent, Clarke and many others — perhaps the most telling statistic is the percentage of Internet traffic currently secured by the new system of cryptographic network keys: zero." | + | "For now — after years of warnings by Perlman, Bellovin, Kent, Clarke and many others — perhaps |
+ | the most telling statistic is the percentage of Internet traffic currently secured by the | ||
+ | new system of cryptographic network keys: zero." | ||
=Meshnets media= | =Meshnets media= |
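Review bot: the re-wrapped quotation on the three added lines still starts at column one with no list marker, so MediaWiki ends the list after the "* June 2015" link and renders the quote as a detached paragraph rather than as part of that entry. Starting the quote with "*:" (or keeping it on the link's own line) would tie it to the Washington Post item it comes from. The hard line breaks inside the sentence do not change the rendered output and only make later diffs of this quote harder to read, so a single line would be preferable.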
Revision as of 09:08, 2 June 2015
Projects | |
---|---|
Participants | |
Skills | |
Status | Dormant |
Niche | Software |
Purpose | Infrastructure |
Peer 2 Peer BGP Security
Wiki page for participants of the p2p-sec mailing list: https://lists.puscii.nl/wws/arc/p2p-sec
Objectives
- to contribute to the creation and implementation of distributed/decentralized (web-of-trust) BGP security.
- to create connections between people who share similar concerns about the upcoming introduction of hierarchical BGP-security structures, based on PKI/X.509 technology
- to provide space for discussion & exchange of opinions, news, materials
- to co-ordinate the efforts among various groups that work on the above topics
Problem statements
Internet Governance view
- excellent summary by Milton Mueller, Brenden Kuerbis. (2010,09).
"Building a new governance hierarchy: RPKI and the future of Internet routing and addressing". Retrieved from Internet Governance Project: http://internetgovernance.org/pdf/RPKI-VilniusIGPfinal.pdf
- "Negotiating a New Governance Hierarchy: An Analysis of the
Conflicting Incentives to Secure Internet Routing"
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2021835
Technical view
- How broken is SSL: a talk by Moxie Marlinspike: "SSL And The Future Of Authenticity" at Defcon 2011:
http://www.youtube.com/watch?v=Z7Wl2FW2TcA
- Basic threat scenario: Man in the Middle attack / prefix hijacking,
presented at Defcon, 2008, by Pilosov/Kapela: http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf
- ENISA report on routing security:
- Jeroen Massar's presentation on Routing Security
- Sharon Goldberg: Should we secure routing with the RPKI (19 September 2013), Princeton CS
http://www.cs.princeton.edu/ajax/abstract/467
- Is the Juice Worth the Squeeze? BGP Security in Partial Deployment
Robert Lychev, Sharon Goldberg, Michael Schapira. SIGCOMM'13, Hong Kong, China. August 2013.
http://arxiv.org/pdf/1307.2690v1 http://arxiv.org/abs/1307.2690
- Impacting IP Prefix Reachability via RPKI Manipulations
Kyle Brogle, Danny Cooper, Sharon Goldberg and Leonid Reyzin. Boston University Technical Report. January 4, 2013.
http://www.cs.bu.edu/~goldbe/papers/RPKImanip.pdf http://www.cs.bu.edu/~goldbe/papers/RPKImanip.html
- (October 08, 2013) Threat Model for BGP Path Security
http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-threats-07
- From the Consent of the Routed: Improving the Transparency of the RPKI; Ethan Heilman, Danny Cooper, Leonid Reyzin and Sharon Goldberg.
SIGCOMM'14, Chicago, IL. August 2014. http://www.cs.bu.edu/~goldbe/papers/sigRPKI_full.pdf
- On the Risk of Misbehaving RPKI Authorities; Danny Cooper, Ethan Heilman, Kyle Brogle, Leonid Reyzin and Sharon Goldberg. http://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf
- Hardening RPKI against misbehaving authorities http://www.cs.bu.edu/~goldbe/papers/RPKImanip.html
- November 2014, RIPE69: Job Snijders on *not* recommending RPKI: https://ripe69.ripe.net/archives/video/184 / https://ripe69.ripe.net/wp-content/uploads/presentations/46-jobsnijders_ripe69_golden_prefixes.pdf
- November 2014 IETF91 http://www.cs.bu.edu/~goldbe/papers/goldberg_sidr_ietf91.pdf
- Nanog, autumn 2014: why TWC is NOT going to deploy RPKI: https://www.nanog.org/sites/default/files/wednesday_george_adventuresinrpki_62.9.pdf
Heartbleed
Possible alternative technical approaches
- "trust agility", a talk by Moxie Marlinspike: "SSL And The Future Of Authenticity" at Defcon 2011:
http://www.youtube.com/watch?v=Z7Wl2FW2TcA
https://www.eff.org/deeplinks/2011/11/sovereign-keys-proposal-make-https-and-email-more-secure
- October 21, 2013: "Evolving the Web Public Key Infrastructure", IAB Security Program
http://tools.ietf.org/html/draft-tschofenig-iab-webpki-evolution-00
- Various suggestions in comments on Schneier's blog post about the Renesys article, November 2013
https://www.schneier.com/blog/archives/2013/11/rerouting_inter.html
- October 2014: Job Snijders - Golden Prefixes: http://nlnog.com/dag2014/archive/3_nlnogdag2014_job_snijders_bgp_rpki.pdf
Current solution: RPKI & sBGP
- IETF wg: SIDR (secure InterDomain Routing)
- Software: http://www.rpki.net/
- RIPE NCC: https://www.ripe.net/lir-services/resource-management/certification
- Public discussion in European region: (articles, mailing lists, links)
http://www.ripe.net/lir-services/resource-management/certification/community-development
In the news & blogs
- Malcolm Hutty, from London Internet Exchange:
https://publicaffairs.linx.net/news/?p=6118
- RIPE Members Vote To Continue RPKI Work, Nov 03, 2011 11:44 AM PDT
By Michele Neylon http://www.circleid.com/post/20111103_ripe_members_vote_to_continue_rpki_work/
- RPKI for PI users in RIPE region:
http://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-March/002212.html
- NANOG: Single trust anchor?
http://mailman.nanog.org/pipermail/nanog/2013-August/060199.html
- (after PRISM) "there's a circumstantial case that the NSA and GCHQ are either directly accessing Certificate Authority keys** or else actively stealing keys from US providers, possibly (or probably) without executives' knowledge. This only requires a small number of people with physical or electronic access to servers, so it's quite feasible.*** The one reason I would have ruled it out a few days ago is because it seems so obviously immoral if not illegal, and moreover a huge threat to the checks and balances that the NSA allegedly has to satisfy in order to access specific users' data via programs such as PRISM."
http://blog.cryptographyengineering.com/2013/09/on-nsa.html
- (NSA breaking crypto, SSL, etc., by Schneier)
https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
- GOVERNMENTS WANT SUSPENDERS FOR SECURE ROUTING (24 September 2013)
- "...allowing the US the power to arbitrarily shut countries off the net is [...] what deployment of DNSSEC and the rPKI under the current models would do.
- CSRIC/ Secure BGP deployment, March 2013 http://www.renesys.com/wp-content/uploads/2013/05/CSRIC-III-WG6-Presentation-20130314.pdf
- IETF in Vancouver, Sept-November 2013:
https://www.schneier.com/blog/archives/2013/09/take_back_the_i.html http://www.ietf.org/blog/2013/09/security-and-pervasive-monitoring/ http://www.ietf.org/blog/2013/11/strengthening-the-internet/ http://www.ietf.org/blog/2013/11/we-will-strengthen-the-internet/ http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html http://www.economist.com/news/science-and-technology/21589383-stung-revelations-ubiquitous-surveillance-and-compromised-software/
- EXCELLENT OVERVIEW, philosophically, ethically & technically : http://geer.tinho.net/geer.uncc.9x13.txt
Tradeoffs in Cyber Security, Dan Geer, 9 October 13, UNCC
- December 2013: http://www.internetsociety.org/blog/2013/12/resilience-commons-addressing-routing-security-challenges
- September 11, 2014 ACM Volume 12, issue 8 "Why Is It Taking So Long to Secure Internet Routing?" Sharon Goldberg, Boston University http://queue.acm.org/detail.cfm?id=2668966 // http://dl.acm.org/ft_gateway.cfm?id=2668966&ftid=1500097&dwn=1
"For now — after years of warnings by Perlman, Bellovin, Kent, Clarke and many others — perhaps the most telling statistic is the percentage of Internet traffic currently secured by the new system of cryptographic network keys: zero."
Meshnets media
See also: Privacy_Software_Workshop_Series#Mesh_networks
& http://wiki.techinc.nl/index.php/Privacy_Software_Workshop_Series#Mesh_networks
- Becha's article with many links:
http://becha.home.xs4all.nl/hackers-philosophers-utopian-network-dec-2012-becha.pdf