[HN Gopher] White House asks agencies to step up internet routin...
___________________________________________________________________
White House asks agencies to step up internet routing security
efforts
Author : arkadiyt
Score : 80 points
Date : 2024-09-08 18:25 UTC (4 hours ago)
(HTM) web link (www.reuters.com)
(TXT) w3m dump (www.reuters.com)
| throw0101c wrote:
| This article leans more towards a general audience. For a more
| tech-leaning audience, perhaps see:
|
| * https://arstechnica.com/tech-policy/2024/06/fcc-pushes-isps-...
|
| * https://www.techspot.com/news/104590-white-house-declares-bg...
|
| * https://www.securityweek.com/white-house-outlines-plan-for-a...
|
| WH PR (linked to by Reuters):
|
| > _While there is no single solution to address all internet
| routing vulnerabilities, the roadmap advocates for the adoption
| of Resource Public Key Infrastructure (RPKI) as a mature, ready-
| to-implement approach to mitigate BGP's vulnerabilities. RPKI
| consists of two primary components: Route Origin Authorizations
| (ROA) and Route Origin Validation (ROV). A ROA is a digitally-
| signed certificate that a network is authorized to announce a
| specific block of internet space (i.e., IP addresses). ROV is the
| process by which BGP routers use ROA data to filter BGP
| announcements flagged as invalid. Importantly, ROV can help
| protect an organization's internet address resources only if that
| organization has created ROAs._
|
| * https://www.whitehouse.gov/oncd/briefing-room/2024/09/03/fac...
|
| Roadmap/whitepaper (PDF):
|
| * https://www.whitehouse.gov/wp-content/uploads/2024/09/Roadma...
| kortilla wrote:
| RPKI unfortunately doesn't prevent BGP hijacking though. You
| need every message to be signed.
| fach wrote:
| It solves a class of hijacks, where an autonomous system
| announces a prefix it is not authorized to announce. This is
| typically the operator error use case or uneducated bad actor
| use case. What it does not cover is if an autonomous system
| crafts an announcement containing the valid origin autonomous
| system in which case you would need a mechanism to validate
| the entire AS_PATH itself. ROA is only concerned about the
| origin in the AS_PATH.
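The two mechanisms described in the quoted White House text above (ROA and ROV) and the limitation fach points out can be shown in a few lines. The following is an added example, not code from the thread or from any router vendor: a minimal Route Origin Validation check in the style of RFC 6811, run against a constructed ROA table using documentation address ranges and private-use ASNs. The last case is the one fach describes: an AS_PATH that ends in the authorised origin passes ROV even though the announcing neighbour is not who it claims to be, which is why ROV is a filter for invalid announcements and not a proof that the path is genuine.

```python
"""Minimal Route Origin Validation (ROV) over a ROA table, RFC 6811 style.

Added example for this thread; ROAs, prefixes and ASNs are constructed
(RFC 5737 / RFC 3849 documentation ranges, private-use ASNs), not real data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # covered prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the origin may announce
    origin_asn: int   # ASN authorised to originate the prefix


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple    # leftmost = neighbour that sent it, rightmost = origin


# Constructed ROA table standing in for data fetched from an RPKI validator.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),   # allows /22 .. /24 from AS64501
    ROA("2001:db8::/32", 48, 64502),
]


def covering_roas(prefix, roas):
    """ROAs whose prefix covers (is equal to or less specific than) `prefix`."""
    net = ipaddress.ip_network(prefix)
    found = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() raises on mixed address families, so check version first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            found.append(roa)
    return found


def rov_state(ann, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    Only the origin (rightmost ASN of the AS_PATH) is compared with the ROA;
    nothing in ROV checks whether the rest of the path is genuine.
    """
    if not ann.as_path:
        raise ValueError("empty AS_PATH; origin ASN unknown")
    net = ipaddress.ip_network(ann.prefix)
    covering = covering_roas(ann.prefix, roas)
    if not covering:
        return "not-found"           # no ROA covers this prefix at all
    origin = ann.as_path[-1]
    for roa in covering:
        if roa.origin_asn == origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                 # covered, but wrong origin or too specific


def accept(ann, roas=ROAS):
    """Typical ROV policy: drop 'invalid', accept 'valid' and 'not-found'."""
    return rov_state(ann, roas) != "invalid"


if __name__ == "__main__":
    cases = [
        Announcement("203.0.113.0/24", (64499, 64500)),   # authorised origin
        Announcement("203.0.113.0/24", (64499, 64666)),   # wrong origin
        Announcement("198.51.100.0/25", (64501,)),        # more specific than maxLength
        Announcement("192.0.2.0/24", (64499,)),           # no ROA at all
        Announcement("203.0.113.0/24", (64666, 64500)),   # path ends in the real origin
    ]
    for c in cases:
        print(f"{c.prefix:18} path={c.as_path} -> {rov_state(c)}")
```

The fifth case is the gap fach describes: ROV returns `valid` because the rightmost ASN matches the ROA, so catching a path built that way needs path validation or route monitoring on top of ROV, and, as the quoted text notes, ROV only protects prefixes for which the holder has actually published ROAs.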
| Stevvo wrote:
| The whole thing feels dishonest. BGP is working as intended,
| so should we really call hijacking a "vulnerability"? A
| failure to acknowledge that the protocol is fundamentally
| flawed and not fit for purpose.
| xyst wrote:
| So ROA/ROV are for preventing prefix hijacking and IANA will
| personally issue a certificate to verify organization owns ASN.
|
| But what impacts does this have on performance? Great we solved
| hijacking issue. But this other ASN which used to be a
| preferred route doesn't use ROA/ROV (yet or refuses).
|
| Now traffic reroutes to a less efficient path?
| d33 wrote:
| I don't want this to sound cynical, but do we have any examples
| where the US government successfully got the corporations to
| actually increase security, as opposed to just gaming the
| regulations to make more money instead?
| saghm wrote:
| Assuming I'm understanding the article correctly, this seems to
| be about federal agencies being tasked with increasing the
| security of their own networks, not private companies being
| regulated. I don't think federal agencies tend to make a
| profit, and they're usually the ones making the regulations,
| not gaming them.
| AnthonyMouse wrote:
| > they're usually the ones making the regulations, not gaming
| them.
|
| Government agencies regularly game regulations that apply to
| them in the same way as corporations. See e.g. FOIA, Fourth
| Amendment, qualified immunity, civil asset forfeiture.
| unethical_ban wrote:
| Yes.
|
| Edit: SOX, HIPAA, NIST CSF.
|
| Government is not always bad.
| AnthonyMouse wrote:
| These aren't great examples.
|
| HIPAA is extraordinarily expensive, meanwhile healthcare
| providers continue to have abominable security because
| compliance is offloaded to a "compliance team" who comes
| around once in a while to check boxes without really
| understanding the system, which is managed by other people
| who don't really understand HIPAA. This is one of the reasons
| security in large organizations is hard. Bureaucracies
| gravitate toward bureaucratic solutions, but then the left
| hand doesn't know what the right hand is doing, which is a
| direct mechanism for security to get messed up.
|
| SOX isn't really about "security", it's about auditing and so
| on, but it suffers from a disadvantageous trade off. Large
| companies are less likely to have accounting problems than
| smaller ones. The law was passed in response to major
| outliers like Enron, but basing rules on rare outliers
| generally results in bad rules. Meanwhile the smaller
| companies have disproportionately higher compliance costs, to
| the point that there have been proposals to exempt smaller
| companies. But that implies it probably isn't worth it for
| large companies because the rate of fraud is so low and it
| probably isn't worth it for small companies because the
| compliance costs are so high, and then there's nothing left.
|
| Whereas NIST CSF is a different kind of thing because it's
| _voluntary_. This is where government publications can really
| do some good, because if they publish rubbish then nobody has
| to pay any attention to it and the cost is limited to the
| money they spent creating it, but if it's good then it's
| valuable to anyone who uses it. The government should
| definitely lean towards this method, but it's hard to call
| this one "regulations" -- and the criticism you're responding
| to was that corporations would end up "just gaming the
| regulations".
| kjellsbells wrote:
| There are many, but perhaps the second part of your question is
| invisible, but is the meaningful one: "in a short timeframe" or
| "at reasonable cost" or something.
|
| People like to dump on government but they can move the
| acceptable window/best practice to a place that corps would not
| have gotten to by themselves. Crypto is one, OWASP springs to
| mind, etc. But the government is not a homogeneous monolithic
| entity and it necessarily has to have some confliction built
| into it. You could have a bulletproof secure system for
| identity for example come out of NIST, say,...but the CIA would
| immediately need a workaround so that agents could assume new
| IDs in the field.
| ddtaylor wrote:
| I think there is a good argument to be made that many
| companies would have created a better infrastructure by now
| if the government wasn't involved.
| treflop wrote:
| Yeah, like moving to IPv6 in a small time frame.
|
| People arguing about public vs. private are missing the
| mark entirely. It has nothing to do with that. It's all
| about how many people have to do a task.
|
| The US govt got to the moon and created a nuclear bomb in a
| relatively tiny amount of time, all entirely because it was
| a relatively small number of people focused on the same
| task. As for people who own routers? Thousands and
| thousands of them who all have different interests who
| aren't all focused on the same goal.
|
| Getting a large group of people to do one simple task is
| 100x harder than getting a small group of people to do a
| complex task. This is why humanity got to the moon but is
| still stuck on IPv4.
| IAmGraydon wrote:
| The moon and the bomb are both examples of what happens
| when you take aim at a problem with completely unlimited
| money and zero red tape. 400,000 people contributed to
| the moon landing and the Manhattan Project employed over
| 130,000 people. These were not small groups.
| edent wrote:
| Obama was calling for 2FA back in 2016.
| https://www.wsj.com/articles/protecting-u-s-innovation-from-...
|
| > we're launching a new national awareness campaign to raise
| awareness of cyberthreats and encourage more Americans to move
| beyond passwords--adding an extra layer of security like a
| fingerprint or codes sent to your cellphone
|
| Amongst other things.
| kevincox wrote:
| And now every website has an excuse to require a verified
| phone number...
|
| I guess it probably does raise the baseline, but at the cost
| of those who have good security practices.
| AnthonyMouse wrote:
| There's a simple way to tell if 2FA is being used for
| security or to harvest phone numbers: Does the site let you
| use an email instead of a phone number? If you can't use an
| email, the purpose is to harvest phone numbers.
| ChrisArchitect wrote:
| [dupe] Some more discussion:
| https://news.ycombinator.com/item?id=41453975
|
| And official release: https://www.whitehouse.gov/oncd/briefing-
| room/2024/09/03/pre...
|
| (https://news.ycombinator.com/item?id=41439488)
| throwaway63467 wrote:
| It's interesting how easy it is to get someone to announce your
| prefixes, it often just takes a credible letter of authority, in
| my understanding all processes rely on manual due diligence. If
| an organization e.g. has a valid RIPE database entry that it can
| announce a given prefix under its own ASN I could set up an
| account at a cloud provider like Vultr using the business data of
| said company, charge it with 10 USD and then ask them to announce
| the prefixes of the organization under their ASN, pulling in
| traffic for these IPs. I could then try to reroute them to the
| actual destination (not always trivial but often doable), giving
| me a MitM setup. Not sure if it would work but it's essentially
| what I did for my own organization and in my RIPE data there's
| nothing that specifically says Vultr can announce my prefixes. I
| think today you need a service that monitors all BGP routes for
| your prefixes to detect this kind of incident, and then of course
| someone from the announcing ASN needs to delete the announcement.
| growse wrote:
| > what I did for my own organization and in my RIPE data
| there's nothing that specifically says Vultr can announce my
| prefixes
|
| In RIPE, each as-num should list out a policy of which other
| ASNs can import/export routes from that ASN. I think there
| should also be a route/route6 object.
|
| Do vultr not check/enforce this? (Other providers do).
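The check growse describes, that a provider should consult the customer's `route`/`route6` objects and the `aut-num` export policy before announcing a prefix on its behalf, is the provider-side IRR filter. Below is an added example, not code from the thread or from any provider: a small parser for a constructed RPSL-style dump (documentation prefixes, private-use ASNs) and a function that answers the question a provider would ask before accepting a customer's request to originate a prefix.

```python
"""Provider-side IRR check over RPSL-style objects.

Added example for this thread; the RPSL text is constructed, and the
check is a simplification of what a provider's prefix-filter build would do.
"""
import re

# Constructed RPSL objects as they might be fetched from an IRR such as RIPE.
RPSL_DB = """\
route:      203.0.113.0/24
origin:     AS64500
descr:      constructed example object

aut-num:    AS64500
as-name:    EXAMPLE-AS
import:     from AS64499 accept ANY
export:     to AS64499 announce AS64500
import:     from AS64510 accept ANY
export:     to AS64510 announce AS64500

route6:     2001:db8::/32
origin:     AS64500
"""


def parse_rpsl(text):
    """Split an RPSL dump into objects; each object is a list of (attr, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():          # blank line terminates an object
            if current:
                objects.append(current)
                current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def route_objects(objects):
    """Map prefix -> set of origin ASNs declared in route/route6 objects."""
    routes = {}
    for obj in objects:
        attrs = dict(obj)             # only single-valued attrs are read here
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix:
            routes.setdefault(prefix, set()).add(attrs["origin"])
    return routes


def export_peers(objects, asn):
    """ASNs to which `asn`'s aut-num says it announces its own routes."""
    peers = set()
    for obj in objects:
        if ("aut-num", asn) not in obj:
            continue
        for attr, value in obj:
            if attr != "export":
                continue
            m = re.match(r"to\s+(AS\d+)\s+announce\s+(.+)", value)
            if m and asn in m.group(2).split():
                peers.add(m.group(1))
    return peers


def provider_should_accept(objects, provider_asn, customer_asn, prefix):
    """Is there a route object naming customer_asn as origin of prefix, and
    does customer_asn's policy export its routes to provider_asn?"""
    origin_ok = customer_asn in route_objects(objects).get(prefix, set())
    policy_ok = provider_asn in export_peers(objects, customer_asn)
    return origin_ok and policy_ok


if __name__ == "__main__":
    db = parse_rpsl(RPSL_DB)
    for provider in ("AS64499", "AS64520"):
        ok = provider_should_accept(db, provider, "AS64500", "203.0.113.0/24")
        print(f"{provider} announcing 203.0.113.0/24 for AS64500: {'ok' if ok else 'reject'}")
```

With the constructed data, a request arriving at AS64520 is rejected even though the route object exists, because AS64500's aut-num never exports to it; that is the enforcement growse is asking about. A provider that only checks the route object, or only the letter of authority, would accept it.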
| Onavo wrote:
| Can the US government also strong-arm the organizations to do
| so?
| aucisson_masque wrote:
| > The White House said on Tuesday it wants federal agencies to
| boost internet routing security on networks in the face of
| concerns raised by U.S. officials about China's ability to divert
| internet traffic.
|
| Isn't that funny when the White House has been exposed secretly
| tapping every single non-American (Chinese included) and American
| online activity, phone calls, mails, etc.
|
| I'm not saying the Chinese should be able to do what the USA is
| already doing to the world but it's like seeing a thief getting
| robbed by another criminal. Somehow it's funny.
___________________________________________________________________
(page generated 2024-09-08 23:00 UTC)