by Danny Bradbury
An experiment to make the internet safer ended up breaking parts of it last week.
Researchers were testing a way to make the Border Gateway Protocol (BGP) more secure. BGP is the language that routes traffic between autonomous system networks (ASNs), which are the large networks that make up the internet. However, BGP is vulnerable to multiple attacks including route hijacking, in which someone corrupts BGP routing tables to change the way that traffic travels between autonomous systems.
The researchers were testing a concept called Decentralized Infrastructure for Securing and Certifying Origins (DISCO). This anti-route-hijacking system is supposed to solve the problems associated with the existing approach, which manually assigns digital certificates to IP address blocks. The problem with the manual method, according to the researchers, is that it takes work, meaning that few people do it. When they do, the records are often wrong, the DISCO research paper adds. This can cause routing problems of its own.
DISCO takes an alternative approach by watching traffic over time to verify that it’s going to the right destination. Its inventors say that this eliminates the need to change BGP routers, and they tested it on the public internet to see how it worked.
Not all routers handled the experiment well. It crashed routers running Free Range Routing (FRR), an IP routing protocol suite whose development began in March 2017. That project, forked from an existing routing suite called Quagga, is now part of the Linux Foundation and is gaining significant traction.
DISCO researcher Italo Cunha explained what happened in a post to the North American Network Operators Group (NANOG):
Despite the announcement being compliant with BGP standards, FRR routers reset their sessions upon receiving it. Upon notice of the problem, we halted …