
Are Bugs in BGP Implementation a National Security Issue?

Slashdot pointed out an article on ZDnet that related the main points of a talk by Stephen Dugan about problems in the current implementation of Border Gateway Protocol. The talk took place at a Black Hat Security Briefing on Thursday in Seattle.

The key points in the article were that:

  • BGP has a number of security holes that stem from the implicit trust that routers running BGP have for each other, and
  • architects proposing BGP changes to the Internet Engineering Task Force are not funded sufficiently when the magnitude of the technical problems they are dealing with is taken into account.

We do not need to look back very far to see the potential impact of BGP-related problems on the Internet infrastructure. In January, we reported on the widespread routing failures that took place during the worldwide SQL Slammer worm attack. Some analysts attributed these failures to widespread BGP session loss and to problems with the Cisco Express Forwarding algorithm under low-memory or extremely high-traffic conditions.

The other obvious issue underlying any possible flaws in BGP is the homogeneity of routing on the Internet. How many practical high-performance routing alternatives really exist to BGP for Internet Service Providers and large corporations?

Earlier last week, an astute Slashdot reader pointed out that one of the 13 root DNS servers changed from BIND to NSD. This was done "...to increase the diversity of software in the root name server system, the lack of which is widely considered to be a potential vulnerability. The nsd software... has no design commonalities with bind, the currently prevalent DNS implementation." If administrators of core DNS servers are acting proactively, shouldn't other administrators of critical infrastructure also evaluate their options?

You have to wonder if all of the core services and protocols on the Internet, except for basic transport, should have widely deployed alternatives. And, if such alternatives don't exist, isn't the entire U.S. telecom infrastructure at risk of a well-crafted attack?



For more information, contact Dave Aiello by email at dave [at] daveaiello.com or call him at +1-267-352-4420.
Copyright © 1995-2010, CTDATA Ventures. All Rights Reserved.