Root Causes 441: New White House Initiative Targets BGP
A new White House initiative requires that federal agencies create plans to thwart BGP attacks. We discuss it, including Resource Public Key Infrastructure (RPKI) and Multi-Perspective Issuance Corroboration (MPIC).
- Original Broadcast Date: November 22, 2024
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We are looking at a press release from the White House dated September 3, 2024, and the headline is "White House Office of the National Cyber Director Releases Roadmap to Enhance Internet Routing Security." This is about BGP.
-
Jason Soroko
Border Gateway Protocol, Tim, which is such an esoteric, in-the-noise, kind of theoretical attack right now. We have actually podcasted on the subject multiple times, typically under the topic name of Multi-Perspective Domain Validation, or its newer name, MPIC.
-
Tim Callan
Multi-Perspective Issuance Corroboration. Corroboration. That's a great one to confuse with all kinds of other things. Not collaboration. Corroboration. But go on.
-
Jason Soroko
The reason why we wanted to talk about this today on this podcast was to simply note something that was front of mind for Certificate Authorities, BGP attacks, because of their risk of fouling up domain control validation. It's just very important for CAs to be thinking about it. Obviously, the initiatives around MPIC are good, and all the CAs will have to deal with that in the very near future.
I just never thought it would become a White House initiative where they're actually talking about BGP attacks. I think what happened here, Tim, is that there was a nation state out there that I'm not going to talk about that was apparently misrouting United States internet traffic on a few occasions, and I think the White House got worried about this and actually started to ask its own departments, Federal government departments, to start taking action. Basically, I don't think anything is concrete at the moment, except that Federal departments have to list a set of baseline actions, is the way it has been worded. Basically, how are you dealing with this? This is where it becomes quite confusing, because I'm not even sure what those baseline actions would be. I know what they are for CAs, though.
-
Tim Callan
Sure. So, just to be clear, what this really is, is a mandate that federal organizations have a plan for what to do about the BGP vulnerability. But it doesn't specify what that plan needs to be.
-
Jason Soroko
However, there's been a lot of talk around RPKI, Tim, and I think that that's part of what's interesting here, with respect to people throwing out ideas for how to solve this problem as a whole. The problem, of course, with RPKI, Resource Public Key Infrastructure, is the fact that it actually takes quite a large collaborative effort amongst internet infrastructure companies to work together to implement RPKI. I think it was Cloudflare, recently, because they're a major part of that, who was talking about less than half of the internet having any kind of RPKI implemented, and doing the rest of the internet would be quite an effort.
Why would you use RPKI, Tim? I think, in the most simplistic terms, it's that if you're going to do some kind of double check on who is issuing BGP commands across the Internet, to make sure what the origin is, what the identity of the origin of these commands is, it can really go a long way to help sort out who's who in making BGP commands, and knowing whether the commands are legitimate or not would probably go a long way to help solve this. But just like it says in the article, and I think everybody agrees, it's definitely not a silver bullet here.
-
Tim Callan
Sure. I think you talked about MPIC. I think MPIC is a very robust solution for the very specific needs of DCV. But that's not really extensible to solving the broader problem.
-
Jason Soroko
That's correct. Certificate Authorities can implement MPIC and BGP attacks will still be occurring in the wider internet. That's for certain.
-
Tim Callan
Now MPIC does go a long way, because when we get to the point where all certificates are issued using MPIC, then if somebody commits a BGP attack, if they're directing you to a place where there's a certificate, then that certificate is not going to be issued for the correct domain. If they're directing you to a place where there's no certificate, then that itself likely is going to be a problem. Proper use of MPIC goes a long way - correct me if I'm wrong - but goes a long way to knocking the knees out from under BGP attacks more generally. Do you agree with that?
-
Jason Soroko
It's interesting. I think that whenever you are using an internet address for purposes of, hey, where are you? Any kind of a DNS check, any kind of a double check on an internet address, I think multi-perspective types of schemes are definitely useful. So I think the concepts behind MPIC can be very, very useful as a secondary check, depending on the use case that you're worried about. Absolutely. I think that multi-perspective - -
-
Tim Callan
I'm just thinking. I'm going to pretend to be a domain that I am not as part of an attack. I'm going to use BGP to enable that. If MPIC is rigorously applied everywhere, and I am incapable of defeating it, let's say, then as the attacker, I have two choices.
Choice number one is, I use a certificate that mismatches the domain I'm pretending to be. Okay. Big problem. We've all thought about this scenario. The software on the other end, if it's modern commercial software, will gag on that.
Scenario number two is, I choose to use no certificate at all. Well, okay, again, depending on the system that's connecting to me, that might be a non-starter right there, or even if it isn't a non-starter, that might be a throw-an-alert-and-pause scenario. If we saw really rigorous implementation among client software out in the world of demanding that there be a certificate or I won't move ahead, or I won't move ahead without some kind of manual override or something like that, then that could - and I know we're talking about this really generally and vaguely, and these things could be implemented 10,000 different ways - but it feels like most of those 10,000 different ways are going to have a real problem if MPIC is universally applied, and if there is a universal, or near-universal, expectation that a valid certificate for the right URL is going to be on the server I'm connecting to.
So I feel like MPIC ought to be a big part of solving most of this just because of the foundational place that certificates have in our trust infrastructure.
-
Jason Soroko
If it is involving the identity or ownership of domains and internet properties, yes, absolutely, completely agreed. I think MPIC is a great idea. I think, though, that because it is a specific implementation by users and the people who are providing those kinds of certificate issuance services, the CAs, because it is a very specific use case, it is solved very specifically. And it will be, because there is an overall agreement. We have the CA/Browser Forum. We've got people who were thinking about this, and we have a centralized way of governing how we're going to roll this out. I think it's going to be very successful.
However, I think what's going on here with the White House chat and these articles that you're seeing on the internet is that the call to arms is, how do we solve this at an internet infrastructure level, which is a completely different type of thinking, and I don't think we're going to get there anytime soon, Tim. And RPKI, as interesting as it is, I just don't see it being the 100% solution in the next X number of years.
-
Tim Callan
Speaking of not getting there anytime soon, the MPIC, I'll just remind the listeners, MPIC turns into a "should monitor" this fall. It turns into a "must monitor", but no action is required, this spring. It is more than a year until it turns into a "must take action", and even then, it's only on two - on two points. So there is a non-trivial window. If we really know that highly sophisticated actors, nation state level of sophistication, are using this today, they've got some time where that defense is not in place yet. Now we can't really accelerate that defense. It is what it is. But we should also be cognizant of the fact that right now, this is a vulnerability that's just remaining a vulnerability for a considerable amount of time.
-
Jason Soroko
Isn't it interesting, Tim, that what was even an esoteric subject with respect to publicly trusted certificates is now - - Whoa. The internet is not working properly, and bad guys can do bad things.
-
Tim Callan
Your point, which I think is valid, Jay, is what a year this has been for BGP. Think about what's happened in the last 12 months in terms of visibility, awareness, attacks, responses to attacks, industry standards. This has been the year for BGP and obviously, not a minute too soon.
-
Jason Soroko
That's the reason, Tim, we have reported on this multiple times, so that you guys, the audience, are aware of this. We're probably going to report on this again, because I'm very curious to see, are we going to start to see more attacks, or more specific types of attacks. It looks like it's being used for bigger, scarier things at the moment, which is bad enough. If that's the case, I'm doubting we're going to go another 12 months without hearing much about this again.
-
Tim Callan
Especially since that window is not being accelerated. That window closes, we all know when that window is closing, and between now and then, it ain't closing. Any actor who is set up to take advantage of this today is going to keep right on taking advantage of it. You may not invest, if it's a big investment to get yourself ready to do BGP attacks; as we get closer to that date, you might be unwilling to make that investment. But anybody who's made that investment and is using this as a weapon right now is going to keep right on using it until the day they have to stop.
-
Jason Soroko
That's exactly right, Tim. So, for the CAs, maybe take advantage of that “should” period and don't wait all the way to the “must” period. I don't know.
-
Tim Callan
I think the "should" period is in recognition of the fact that this is a very complicated thing. I think we're expecting CAs to implement solutions that don't quite work as expected and make modifications and try it again. I think you should think of the "should" period as a development period, and even CAs with the best of intentions may find that what they implement isn't exactly what they need, and may have to go back to the drawing board, rip it out, put it together. So, I agree, or you can use the "must" period to be monitoring, when you're still not required to actually act on the results, and CAs who are confident everything is working correctly could act on the results earlier than the deadline for that, and that certainly is something I think would be a good idea to encourage CAs to do.
-
Jason Soroko
Right on, Tim. I think that the only reason we should stay calm right now is because I haven't heard any reports about a BGP-attack-in-a-box for script kiddies being available.
That's just not out there. That kind of attack is in the hands of nation states, and typically, nation states don't commit just minor fraud for the fun of it, and nation states aren't using this for small things. They're only going to pull it out for the big issues. The thing is, though, that's one reason to stay calm, and I doubt that this kind of attack is going to be made easy anytime soon. However, however. I think the call to arms to get MPIC going ASAP is definitely there. I like what you said. I think that the way to think about these periods might shift with these kinds of news items.