{"id":459,"date":"2009-01-16T21:15:36","date_gmt":"2009-01-17T05:15:36","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=459"},"modified":"2009-01-16T21:20:27","modified_gmt":"2009-01-17T05:20:27","slug":"current-event-government-plans-massive-internet-backbone-security-upgrade","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/01\/16\/current-event-government-plans-massive-internet-backbone-security-upgrade\/","title":{"rendered":"Current Event: Government plans massive internet backbone security upgrade"},"content":{"rendered":"<p><span>The U.S. Federal government is planning to spend millions of dollars upgrading the backbone of the internet\u2019s routing system. Specifically, the Department of Homeland Security (DHS) is planning to quadruple its budget for improvements (from $600,000 to $2.5 million per year), which supposedly should improve the security of communications on the internet.<\/span><\/p>\n<p><span><span> <\/span>By implementing these changes, the DHS hopes that man-in-the-middle attacks as well as the modification of data can be prevented. These upgrades target two major portions of the internet\u2019s infrastructure: the Border Gateway Protocol (BGP) and the Domain Name System (DNS). For BGP, the updated protocol will be called BGPsec. This adds digital signatures to BGP announcements. Security researchers have claimed that BGP is one of the weakest links of the internet because of its numerous vulnerabilities. Attacks against this protocol can be disastrous because they are often targeted at large portions of the infrastructure and not individual hosts. 
For DNS, the improved DNSSEC will hopefully make it harder for attackers to hijack web traffic because hosts will be able to verify their domain names and IP addresses with digital signatures and public-key encryption.<\/span><\/p>\n<p><span><!--more--><br \/>\n<\/span><\/p>\n<p><span><span> <\/span>The desire to upgrade these systems has recently come to the attention of researchers because there have been a number of devastating attacks against internet infrastructure. For example, security researcher Dan Kaminsky discovered in 2008 a critical DNS bug that allowed for cache poisoning. A large number of companies had to address this bug, because an attacker could easily fake a legitimate website and conduct attacks on its visitors. Another major security threat occurred when a telecom company from Pakistan blocked the site YouTube due to a misconfiguration of BGP.<\/span><\/p>\n<p><span><span> <\/span>Prior to this announcement, the DHS should have consulted other agencies that deal with internet traffic. Also, there could be many other potential solutions to this problem that the DHS might be overlooking. I am sure that other internet agencies as well as many security companies would prefer to have their opinions and ideas considered when a drastic change to the fundamental internet routing protocols is being proposed.<\/span><\/p>\n<p><span><span> <\/span>The modification of these protocols will have an impact worldwide. The DHS plans to begin implementing the upgraded protocols for all .gov domains beginning in 2009. However, it will be difficult to expand it beyond domains that the DHS controls, because the change will have to be implemented globally so that the security benefits can be put to use. For this reason, it could take years if not decades for the protocols to be updated globally. 
Furthermore, it seems it would be beneficial for a change as significant as this to be thought out by an international consortium, as its effect will be felt globally. The DHS cannot expect others to adopt it simply because it is more secure, as it is likely to also become a political issue protesting U.S. control of the internet and its forced adoption.<\/span><\/p>\n<p><span><span> <\/span>The DHS\u2019s proposed improvements change the basic structure of the internet from being decentralized to one where the Internet Assigned Numbers Authority (IANA) and large internet registries issue certificates for routing packets. Although they assert that their intentions are good, they have the power to prevent traffic from being delivered to entire portions of the world by denying certain digital signatures.<\/span><\/p>\n<p><span><span> <\/span>Although this change could be beneficial for preventing widespread attacks, it must be carefully thought out as it has vast implications for the way that the internet is structured and for potential political problems.<\/span><\/p>\n<p><span>Via Slashdot: <a href=\"http:\/\/tech.slashdot.org\/article.pl?sid=09\/01\/16\/0044241\"><span>http:\/\/tech.slashdot.org\/article.pl?sid=09\/01\/16\/0044241<\/span><\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The U.S. Federal government is planning to spend millions of dollars upgrading the backbone of the internet\u2019s routing system. 
Specifically the Department of Homeland Security (DHS) is planning to quadruple its budget for improvements (from $600,000 to $2.5 million per &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/01\/16\/current-event-government-plans-massive-internet-backbone-security-upgrade\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":87,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,8],"tags":[169,168],"class_list":["post-459","post","type-post","status-publish","format-standard","hentry","category-current-events","category-policy","tag-bgp","tag-dns"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/459","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/87"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=459"}],"version-history":[{"count":5,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/459\/revisions"}],"predecessor-version":[{"id":473,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/459\/revisions\/473"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}
","templated":true}]}}