“Rob #NCCoE and @NISTcyber recently published a document describing an approach and proof of concept to secure BGP routing updates. Check out the SIDR project @ https://nccoe.nist.gov”
I believe that document is the recently released draft practice guide “NIST SP 1800-14, Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation.” Here is an overview of the guidance package from NCCoE. And here are some highlights from the complete guide:
1.1 Challenge
[…] Protocols have been defined that are designed to provide protection against many of the routing attacks mentioned above. The technique that is the subject of this Practice Guide, RPKI-based ROV {RPKI: Resource Public Key Infrastructure, ROV: Route Origin Validation}, enables operators to verify that the AS that has originated a BGP route advertisement is in fact authorized to do so. Use of RPKI-based ROV can provide protection against accidental and some malicious route hijacks. A second protocol, BGPsec, allows network operators to verify the validity of the entire routing path across the internet (referred to as path validation). The use of RPKI-based ROV in conjunction with BGPsec can provide protection against malicious route hijacks as well as other routing attacks. Unfortunately, the adoption of both ROV and BGPsec is still very limited. In the case of BGPsec, while the specification of the BGPsec-based path validation is complete [RFC 8205], [RFC 8207], [RFC 8210], and open-source implementations [NIST BGP-SRx] [Parsons BGPsec] are available, there is still a lack of commercial implementations available from router vendors.
BGPsec also has several other obstacles impeding its deployment, as compared with ROV, such as the fact that support for it will be resource-intensive because it increases the size and number of routing messages that are sent, and each message will require a cryptographic verification of at least one, and most likely multiple, digital signatures. Digital signature verification will be processing-intensive and may require hardware upgrades and/or software optimizations [NANOG69] [V_Sriram]. It also adds a level of complexity with respect to the acquisition and management of public keys for BGP routers, as well as the X.509 certificates used in sharing those keys. […]
1.2 Solution
This Practice Guide (NIST SP 1800-14) describes how to use available security protocols, products, and tools to provide RPKI-based ROV. This Practice Guide focuses on a proof-of-concept implementation of the IETF security protocols and the NIST implementation guidance needed to protect ISPs and ASes against widespread and localized route hijacking attacks. Although it would have been preferable to protect against additional types of routing attacks by also focusing on the more comprehensive solution of BGP path validation in conjunction with ROV, the lack of commercial vendor implementation support for BGPsec makes providing a BGP path validation solution impractical at this time. Hence, this Practice Guide is focusing only on providing ROV. […]
I wonder if there is a total cost, schedule, and success rate anticipated for these protocol implementations. The audience for the guidance is listed as those involved with the safety and security of business IT networks. Will it be the responsibility of each private/public entity to install and/or implement the updated security products and protocols?
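The quoted guide describes ROV as checking whether the AS that originated a route is authorized to do so. The decision itself is small enough to show end to end, so here is an added example (my own code, not NIST's, NCCoE's or the guide's) of the origin-validation states defined in RFC 6811: a route is NotFound if no ROA covers its prefix, Valid if a covering ROA lists the same origin AS and permits the announced prefix length, and Invalid otherwise. The ROAs and announcements are constructed sample data using documentation prefixes and private-use AS numbers, not real RPKI objects.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum


class RovState(Enum):
    """Validation states as named in RFC 6811."""
    VALID = "Valid"
    INVALID = "Invalid"
    NOT_FOUND = "NotFound"


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: prefix, maximum announced length, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int


def _covers(roa_net, route_net):
    # A ROA covers a route when the announced prefix lies inside the ROA prefix
    # (same address family; subnet_of raises TypeError across families).
    return roa_net.version == route_net.version and route_net.subnet_of(roa_net)


def validate_origin(route_prefix, origin_asn, roas):
    """Return the RFC 6811 state for one announcement against a set of ROAs."""
    route_net = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if not _covers(roa_net, route_net):
            continue
        covered = True
        # Matching ROA: origin AS agrees and the prefix is not more specific than maxLength.
        if origin_asn == roa.asn and route_net.prefixlen <= roa.max_length:
            return RovState.VALID
    # Covered but no ROA matched: Invalid. Not covered at all: NotFound.
    return RovState.INVALID if covered else RovState.NOT_FOUND


def classify_updates(updates, roas):
    """Map each (prefix, origin AS) announcement to its validation state."""
    return {(p, a): validate_origin(p, a, roas) for p, a in updates}


# Constructed sample ROAs (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = (
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/22", 24, 64497),
    Roa("2001:db8::/32", 48, 64498),
)

# Constructed sample announcements, including a wrong-origin case and an
# over-specific case that a ROV-enforcing router would classify as Invalid.
SAMPLE_UPDATES = (
    ("192.0.2.0/24", 64496),      # legitimate origin
    ("192.0.2.0/24", 64511),      # origin AS not authorized
    ("198.51.100.0/25", 64497),   # more specific than maxLength 24
    ("198.51.100.0/23", 64497),   # within maxLength
    ("203.0.113.0/24", 64499),    # no ROA covers this prefix
    ("2001:db8:1::/48", 64498),   # IPv6, within maxLength
)

if __name__ == "__main__":
    for (prefix, asn), state in classify_updates(SAMPLE_UPDATES, SAMPLE_ROAS).items():
        print(f"{prefix:18} AS{asn}  {state.value}")
```

A router applying ROV would typically drop or de-prefer Invalid routes and accept Valid and NotFound ones; the NotFound state is what makes partial ROA coverage safe to deploy, since unsigned prefixes are not rejected.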
BGP hacking is how large intelligence agencies manipulate Internet routing to make certain traffic easier to intercept.
This https://bgp.us/ looks like a very nice website that explains it all. The Internet was from its inception a project of the U.S. military, and is still managed by a host of “three-letter agencies.” Encrypt your stuff if you don’t want it “intercepted.”
The NSA calls it “network shaping” or “traffic shaping.”
That is the political opposition to “network neutrality” supported by EFF et alia. Problem is that when you prioritize some traffic over other, people encrypt their traffic and send it over the prioritized channels, which defeats the purpose of “shaping” or bandwidth limiting.
A commercial “T1” or “E1” line or the like has no more nominal channel capacity than a residential consumer DSL line, but it isn’t supposed to be “oversubscribed.” The politics all come down to the “consumer” level, because even fairly sizable businesses are treated as “consumers” by the whole Cisco / AT&T / telco cartel.
If they treated public policy human rights and services seriously, London would not be a global hub of corruption, a magnet for shady characters, and so forth. The cousins would not chuck them under the chin and say good girl nearly so often.
You will see that everything passes through the UK.
Yes, this is why London is entertained as a global hub of corruption according to what has been said on some documentaries. The belief being that if London is a magnet for shady characters and leaders in exile this gives the UK leverage with espionage and influence.
This wouldn’t be so bad if the UK government had an economic policy and treated public policy, human rights and services seriously, but the UK hasn’t for some decades now.
cc: @Bruce
I have found it!
Petrolio – La spia invisibile – 29/12/2014
https://www.raiplay.it/video/2014/12/Speciale-Petrolio-del-29122014-affd5fd3-bced-4521-958d-11fcc2d22a09.html
Bruce Schneier is in the episode too!
ITA (translated):
“…What is the future of the network? Where is the line between freedom and illegality? Will the Internet of Things be the definitive step towards creating the BIG BROTHER that will know everything about us? Answering these questions are Sir Tim Berners-Lee, inventor of the internet, and Bruce Schneier, international security expert…”
ENG:
“…What is the future of the network? What is the limit between freedom and illegality? Will the Internet of Things be the definitive step to create the BIG BROTHER who will know all about us? Sir Tim Berners-Lee, internet inventor, and Bruce Schneier, international security expert, answer the questions…”
The UK doesn’t even need to hijack BGP; most of the internet traffic passes through them. In fact they have Tempora, which is a “clone the whole internet” thing.
They tap the optic fiber and clone all the data passing through it.
At the Snowden time they had HDD space only for three days of data.
The report Bruce posted talks about “oh my god, China took 10% of the internet for some hours”, while I remember a slide from Snowden that said that the US/UK were able to intercept 75% of the internet due to the fact that many internet services are in the US and both have a strategic geographic place on the backbone.
Just DuckDuckGo or Google Image “global fiber optic map”.
You will see that everything passes through the UK.