from Hacker News

White House asks agencies to step up internet routing security efforts

by arkadiyt on 9/8/24, 6:25 PM with 55 comments

  • by throw0101c on 9/8/24, 6:48 PM

    This article leans more towards a general audience. For a more tech-leaning audience, perhaps see:

    * https://arstechnica.com/tech-policy/2024/06/fcc-pushes-isps-...

    * https://www.techspot.com/news/104590-white-house-declares-bg...

    * https://www.securityweek.com/white-house-outlines-plan-for-a...

    WH PR (linked to by Reuters):

    > While there is no single solution to address all internet routing vulnerabilities, the roadmap advocates for the adoption of Resource Public Key Infrastructure (RPKI) as a mature, ready-to-implement approach to mitigate BGP’s vulnerabilities. RPKI consists of two primary components: Route Origin Authorizations (ROA) and Route Origin Validation (ROV). A ROA is a digitally-signed certificate that a network is authorized to announce a specific block of internet space (i.e., IP addresses). ROV is the process by which BGP routers use ROA data to filter BGP announcements flagged as invalid. Importantly, ROV can help protect an organization’s internet address resources only if that organization has created ROAs.

    * https://www.whitehouse.gov/oncd/briefing-room/2024/09/03/fac...

    Roadmap/whitepaper (PDF):

    * https://www.whitehouse.gov/wp-content/uploads/2024/09/Roadma...

  • by throwaway63467 on 9/8/24, 7:41 PM

    It’s interesting how easy it is to get someone to announce your prefixes. It often just takes a credible letter of authority; in my understanding, all processes rely on manual due diligence. If an organization e.g. has a valid RIPE database entry that it can announce a given prefix under its own ASN, I could set up an account at a cloud provider like Vultr using the business data of said company, charge it with 10 USD and then ask them to announce the prefixes of the organization under their ASN, pulling in traffic for these IPs. I could then try to reroute them to the actual destination (not always trivial but often doable), giving me a MitM setup. Not sure if it would work, but it’s essentially what I did for my own organization, and in my RIPE data there’s nothing that specifically says Vultr can announce my prefixes. I think today you need a service that monitors all BGP routes for your prefixes to detect this kind of incident, and then of course someone from the announcing ASN needs to delete the announcement.

  • by d33 on 9/8/24, 7:18 PM

    I don't want this to sound cynical, but do we have any examples where the US government successfully got the corporations to actually increase security, as opposed to just gaming the regulations to make more money instead?

  • by aucisson_masque on 9/8/24, 10:18 PM

    > The White House said on Tuesday it wants federal agencies to boost internet routing security on networks in the face of concerns raised by U.S. officials about China's ability to divert internet traffic.

    Isn't that funny when the White House has been exposed secretly tapping every single non-American (Chinese included) and American online activity, phone calls, mails, etc.

    I'm not saying the Chinese should be able to do what the USA is already doing to the world, but it's like seeing a thief getting robbed by another criminal. Somehow it's funny.

  • by 1over137 on 9/9/24, 2:39 AM

    So my ISP fails https://isbgpsafeyet.com/

    What would be the most convincing arguments to email my ISP with?

  • by ChrisArchitect on 9/8/24, 7:23 PM

  • by motohagiography on 9/8/24, 11:39 PM

    It looks like Route Views and BGPmon got embraced, extended, and largely extinguished by Cisco? I've been out of this loop for a long time. Is there a free service around for monitoring tables or something you can connect an OpenBGPD instance to for doing analysis?