Cloudflare Wants Internet Route Leaks To Be a Thing of the Past (techcrunch.com)
Cloudflare wants routing issues to be a thing of the past by deploying a new feature to try to stop route leaks and hijacks in their tracks. From a report: Cloudflare told TechCrunch that rolling out resource public key infrastructure (RPKI) to all of its customers for free will make it far more difficult to reroute traffic -- either by accident or deliberately. RPKI, in a nutshell, helps to ensure that traffic goes to the right place through a route that's verified as legitimate and correct by using cryptographically signed certificates.
"When two networks connect with each other -- say, AT&T and Verizon -- they announce the set of IP addresses for which they should be sent traffic," said Nick Sullivan, Cloudflare's head of cryptography. "The RPKI is a security framework to make sure a network announces only its legitimate IP addresses." Cloudflare's push in the right direction follows an effort by the National Institute for Standards and Technology, which last week published its first draft of a new standard, which incorporates RPKI as one of three components that will help prevent route leaks and hijacks. A possible approval is expected in the coming weeks.
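The check that RPKI enables on a receiving router, "does this network legitimately originate this prefix?", can be sketched as the route origin validation procedure of RFC 6811. This is an added example, not code from the report or from Cloudflare; the prefixes and AS numbers are constructed from the documentation ranges, and the function name is hypothetical.

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (prefix, max_length, origin ASN).
# Prefixes and ASNs come from documentation ranges, not real allocations.
VRPS = [
    ("198.51.100.0/24", 24, 64496),
    ("203.0.113.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]

def validate_origin(route_prefix, origin_asn, vrps=VRPS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp_prefix, max_length, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if the route lies inside the VRP prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A covering VRP matches only if the origin AS agrees and the route
        # is no more specific than max_length; AS 0 never matches.
        if route.prefixlen <= max_length and vrp_asn == origin_asn and vrp_asn != 0:
            return "valid"
    # Covered but unmatched: wrong origin AS or too-specific prefix.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin ASN seen in the AS path).
    announcements = [
        ("198.51.100.0/24", 64496),    # legitimate origin
        ("198.51.100.0/24", 64511),    # another network announcing the range
        ("198.51.100.128/25", 64496),  # more specific than the ROA allows
        ("192.0.2.0/24", 64496),       # no ROA published for this space
    ]
    for prefix, asn in announcements:
        print(f"{prefix:<20} AS{asn}  {validate_origin(prefix, asn)}")
```

A router that drops "invalid" routes rejects the second and third announcements; "not-found" routes are normally still accepted, which is why coverage depends on prefix holders publishing ROAs.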
Lag due to PKI? (Score:1)
Re: (Score:2)
Is this going to spike my ping times as a result?
No.
Re:Lag due to PKI? (Score:4, Informative)
This may very slightly increase the time taken to form a route after a network comes online. Seeing that this only happens after a major outage or when a new network is commissioned, these few milliseconds won't matter at all.
It is desperately needed, btw; it is super easy to make a mistake in BGP configuration that makes you announce the IP ranges of another party. If you are lucky you can route that traffic and nothing goes down, but usually this causes major problems.
Re: (Score:2)
There are a lot of routers in the DFZ that are already hurting for CPU time.
How quickly will something get hacked because somebody left the private key either on the router or someplace else exposed?
That's funny (Score:1)
Blockchain (Score:2)
Static routes are fine in your office (Score:4, Informative)
Static routes are okay with your building, if the building isn't too big. If a router goes offline, everybody waits for the network admin to get back from lunch and fix it. For the backbones, we currently re-route in milliseconds sometimes depending on network conditions. No waiting around for a sysadmin.
> What is stopping someone anywhere within the RPKI to lie, mislead, or be misled through layer 2 and 3 attack
Routing is in layer 3, so this is preventing some layer 3 attacks. For securing layer 2, see http://google.com/search?q=lay... [google.com]
Routing protocols at layer 3 aren't supposed to address issues of layer 2.
And I want a pony (Score:2)
Only one of us will be happy, and I'm shopping on ponies dot com right now.
Route that.