{"id":837,"date":"2023-04-19T16:34:00","date_gmt":"2023-04-19T20:34:00","guid":{"rendered":"https:\/\/zayo1.burbledev.com\/?post_type=resources&#038;p=837"},"modified":"2024-07-15T23:27:31","modified_gmt":"2024-07-16T05:27:31","slug":"a-secure-public-internet-is-it-possible","status":"publish","type":"resources","link":"https:\/\/zayoeutrans.burbledev.com\/de\/resources\/a-secure-public-internet-is-it-possible\/","title":{"rendered":"A Secure Public Internet? Is it Possible?"},"content":{"rendered":"\n<p>The public Internet is a lot of things. It\u2019s a low-cost connection for remote offices. It\u2019s student access to countless public learning tools. It\u2019s the delivery mechanism for the world\u2019s knowledge to our devices. It\u2019s every company\u2019s lifeline to their customers.<\/p>\n\n\n\n<p>For all the good the Internet delivers, we can agree that&nbsp;the Internet is not secure. Internet Service Providers (ISPs) worldwide are now starting to change that. To understand how, let\u2019s quickly review what makes the Internet hum.<\/p>\n\n\n\n<p>The Internet is an interconnected network of networks. The core foundation of the Internet is the interlinked networks of the largest Internet service providers (ISPs) \u2013 the \u201cTier-1s.\u201d A Tier-1 ISP has access to the entire Internet without having to pay for IP Transit.<\/p>\n\n\n\n<p>They do this through \u201cpeering\u201d, which establishes inter-ISP settlement-free interconnections used to pass traffic from one network to another needed for the delivery of the packet. These agreements are voluntary, unpaid, mutually beneficial, bilateral, direct to other Tier-1s or strategic networks, and serve the needs of their mutual customers and the Internet at large.<\/p>\n\n\n\n<p>Through these \u201cpeering\u201d arrangements, the Tier-1s exchange and transmit data between their networks, and smaller ISPs purchase Internet access from the Tier-1s. 
Peered Tier-1 ISPs maintain their networks by always ensuring adequate bandwidth to support the content and \u201ceyeball\u201d traffic exchanged between them.<\/p>\n\n\n\n<p>The Internet wouldn\u2019t work as cohesively without such inter-company cooperation.&nbsp;<\/p>\n\n\n\n<p>Interconnection through peering is just the first step. The next step provides the rules for how packets find their way \u2013 how routing occurs. All interconnected networks exchange reachability information \u2013 which address blocks (prefixes) can be reached through which network \u2013 according to the rules defined by a protocol called BGP, the Border Gateway Protocol, the Internet\u2019s global routing system.&nbsp;<\/p>\n\n\n\n<p>BGP is one of the core protocols of the Internet, but it was not built with security in mind. A router accepts whatever routes its neighbours announce; nothing in the protocol itself lets it check that the announcing network actually holds the addresses it claims.<\/p>\n\n\n\n<p>Resource Public Key Infrastructure (RPKI) is a \u201ccompanion\u201d technology created to make BGP routing more secure. It does this by validating route origins. RPKI lets a network operator check whether the autonomous system (AS) that originates a BGP route advertisement is authorized to announce that prefix, and reject the advertisement when it comes from an unauthorized origin.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:33.33%\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"477\" height=\"493\" src=\"https:\/\/zayoeutrans.burbledev.com\/wp-content\/uploads\/rpki-bouncer.png\" alt=\"\" class=\"wp-image-838\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<h2 class=\"wp-block-heading\">RPKI \u2013 The Internet\u2019s \u201cBouncer\u201d<\/h2>\n\n\n\n<p>RPKI puts a keener eye on the announcements heading into an ISP\u2019s network, ensuring they\u2019re authorized.&nbsp;<\/p>\n\n\n\n<p>Imagine that you\u2019re a bouncer at a nightclub, 
and a guest comes to the door claiming VIP status. You first ask for their name, obtain it, and check it against the information you have on your VIP guest list. If their name is found on the VIP guest list \u2013 you may let them in.<\/p>\n\n\n\n<p><\/p>\n<\/div>\n<\/div>\n\n\n\n<p>Or\u2026 as with RPKI, you may also require proof that they are who they say they are and ask for a form of ID that matches the details on their VIP pass. Only after they produce these items, and these items are validated, is the guest admitted.&nbsp;<\/p>\n\n\n\n<p>RPKI is the Internet\u2019s club bouncer. When networks claim authority to announce routes (enter the club), the bouncer validates that authority against a virtual VIP pass.&nbsp;<\/p>\n\n\n\n<p>These VIP passes are the digital certificates issued by the five global Regional Internet Registries (RIRs) to the holders of IP address space. The five RIRs are AfriNIC (Africa), APNIC (Asia-Pacific), ARIN (North America), LACNIC (Latin America), and RIPE NCC (Europe, Middle East, and Central Asia). An address holder uses its certificate to sign a Route Origin Authorization (ROA): a small signed object stating which autonomous system may originate a given prefix, and how specific the announced prefix may be (the \u201cmaximum length\u201d). The ROAs are published in the RIRs\u2019 RPKI repositories (our bouncer\u2019s list).<\/p>\n\n\n\n<p>Each participating network runs a relying-party validator that downloads those repositories, checks every signature back to the RIR\u2019s trust anchor, and feeds the resulting list of validated ROAs to its routers. A router then compares each BGP announcement it receives against that list and marks the route Valid, Invalid, or NotFound. If the announcement\u2019s origin AS is named in a ROA for that prefix\u00a0<em>and\u00a0<\/em>the announced prefix is no more specific than the ROA permits, it\u2019s allowed access; an Invalid route is dropped. NotFound routes, for which no ROA exists yet, are generally still accepted, because ROA coverage of the Internet is not complete.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Like the Whole Internet, RPKI takes Cooperation to Work<\/h2>\n\n\n\n<p>RPKI has two halves: the originating network publishes ROAs for the prefixes it announces, and the receiving network performs Route Origin Validation (ROV) on the announcements it hears. Similar to the voluntary good behaviour of peering, RPKI also requires voluntary good behaviour from peered ISPs in order to protect all Internet users. 
The protection becomes most meaningful when networks \u201csign\u201d their own route origins by publishing ROAs,&nbsp;<em>and&nbsp;<\/em>when they validate the origins of the routes they accept from their neighbours.<\/p>\n\n\n\n<p>As a Tier-1 ISP, Zayo understands the responsibility of maintaining sound, balanced, and well distributed peering. We also take to heart the responsibility of adopting technologies like RPKI to make the entire Internet safer. Zayo is proud to be among the Tier-1 ISPs to embrace this technology, first by validating the route origins of the announcements entering our network, and later this year by \u201csigning\u201d \u2013 publishing ROAs for our own prefixes so that other networks can verify that our routes are authentic.&nbsp;<\/p>\n\n\n\n<p>Beyond RPKI\u2019s initial foundation described here is its ultimate promise \u2013 still ahead. Its foundation is built and is currently being adopted by ISPs worldwide. This foundation will yield future improvements, such as Autonomous System Provider Authorization (ASPA) records, with which an AS publishes the list of providers allowed to carry its routes so that route leaks and many forged AS paths can be detected, and ultimately BGPsec, in which every AS along the path signs the advertisement as it propagates, so the whole AS path, not only the origin, can be verified.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Specifically, what does RPKI currently do?<\/h2>\n\n\n\n<p>RPKI, as deployed today, guards against route hijacking by validating the origin of each announcement. BGP route hijacking is a common attack where the attacker (club guest claiming VIP status) announces a false route (presents a forged ID or VIP pass, pretending to be who they are not) in order to divert traffic to the attacker\u2019s own network. Why would they do this? 
Because the diverted traffic contains the sorts of information that can be used for malicious intent: account numbers, passwords, session cookies, or other personal details.<\/p>\n\n\n\n<p>These attacks have real consequences.\u00a0<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\">A Successful Hijack:<\/h3>\n\n\n\n<p>In 2018, a\u00a0<a href=\"https:\/\/www.forbes.com\/sites\/thomasbrewster\/2018\/04\/24\/a-160000-ether-theft-just-exploited-a-massive-blind-spot-in-internet-security\/?sh=3acf96605e26\" target=\"_blank\" rel=\"noreferrer noopener\">large-scale attack<\/a>\u00a0was launched against MyEtherWallet, a cryptocurrency wallet service. The attackers did not break into MyEtherWallet\u2019s own routers. They announced more-specific BGP routes for address space belonging to Amazon\u2019s Route 53 DNS service, and because BGP prefers the most specific prefix it hears, part of the Internet sent its DNS queries for myetherwallet.com to the attackers. Their DNS server answered with the address of a phishing site on the attackers\u2019 own servers. The site looked like the MyEtherWallet site (it presented an untrusted TLS certificate, but users who clicked past the browser warning had no other sign they had been redirected). They entered their usernames and passwords, and with that, the attackers had their login credentials (and stole their funds). Had Amazon\u2019s prefixes been covered by ROAs, and had the networks that accepted the bogus announcement performed origin validation, the more-specific routes would have been rejected as Invalid and DNS traffic would have continued to its real, intended destination.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1920\" height=\"1180\" src=\"https:\/\/zayoeutrans.burbledev.com\/wp-content\/uploads\/woman-working-on-laptop-internet-of-things.jpg\" alt=\"\" class=\"wp-image-839\" srcset=\"https:\/\/zayoeutrans.burbledev.com\/wp-content\/uploads\/woman-working-on-laptop-internet-of-things.jpg 1920w, https:\/\/zayoeutrans.burbledev.com\/wp-content\/uploads\/woman-working-on-laptop-internet-of-things-960x590.jpg 960w, https:\/\/zayoeutrans.burbledev.com\/wp-content\/uploads\/woman-working-on-laptop-internet-of-things-768x472.jpg 768w, https:\/\/zayoeutrans.burbledev.com\/wp-content\/uploads\/woman-working-on-laptop-internet-of-things-480x295.jpg 480w, https:\/\/zayoeutrans.burbledev.com\/wp-content\/uploads\/woman-working-on-laptop-internet-of-things-640x393.jpg 640w, https:\/\/zayoeutrans.burbledev.com\/wp-content\/uploads\/woman-working-on-laptop-internet-of-things-720x443.jpg 720w, https:\/\/zayoeutrans.burbledev.com\/wp-content\/uploads\/woman-working-on-laptop-internet-of-things-1168x718.jpg 1168w, https:\/\/zayoeutrans.burbledev.com\/wp-content\/uploads\/woman-working-on-laptop-internet-of-things-1440x885.jpg 1440w, https:\/\/zayoeutrans.burbledev.com\/wp-content\/uploads\/woman-working-on-laptop-internet-of-things-1536x944.jpg 1536w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">More Costly Attacks:<\/h3>\n\n\n\n<p>Cryptocurrency services remain lucrative targets. The largest&nbsp;<a href=\"https:\/\/www.forbes.com\/sites\/ninabambysheva\/2022\/12\/28\/over-3-billion-stolen-in-crypto-heists-here-are-the-eight-biggest\/?sh=71dc9959699f\" target=\"_blank\" rel=\"noreferrer noopener\">crypto heists<\/a>&nbsp;of 2022 hit \u201cbridging services\u201d: Ronin Network ($600M stolen), Wormhole Network ($325M stolen), and Harmony Horizon Bridge ($100M stolen). Those three thefts were not BGP hijacks, however: they came from compromised validator and multisig signing keys and a smart-contract flaw, which no amount of routing security would have prevented. They do show the size of the prize that makes a routing attack on a wallet or exchange worth an attacker\u2019s effort.<\/p>\n\n\n\n<p>Outside of the obvious lucrative crypto attacks, BGP hijackers also target ISPs and DNS provider traffic in order to redirect users to their own servers. Why? To control access to certain sites, to intercept, monitor, and decode sensitive information within the traffic stream, or simply to disrupt Internet service. Since 2020 there have been over 1,400 BGP hijacking incidents \u2013 more than one every day \u2013 and no matter the reason for the attack, the\u00a0<a href=\"https:\/\/www.manrs.org\/2020\/09\/what-is-bgp-prefix-hijacking-part-1\/\" target=\"_blank\" rel=\"noreferrer noopener\">attackers seem to be succeeding<\/a>\u00a0in meeting their goals.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Accidental \u201cHijacks\u201d \u2013 the Devastation of a Typo<\/h3>\n\n\n\n<p>BGP redirects aren\u2019t always intentional or malicious. Accidental BGP redirects are called \u201croute leaks\u201d: a network passes routes it learned from one neighbour on to others that should never have seen them, because of human error, bugs in software, configuration issues, or other unintentional mistakes.&nbsp;<a href=\"https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2021\/01\/11\/bgp-attacks-pose-a-substantial-operation-riskare-enterprises-paying-attention\/?sh=7eacb1cf45ba\">For example<\/a>, in 2019, a BGP route optimizer at a small Pennsylvania metals manufacturer generated more-specific routes for a large slice of the Internet, including major content and cloud networks. Those routes leaked to the manufacturer\u2019s ISP and on to Verizon, which accepted them and propagated them to the rest of the Internet, so traffic for those destinations was funnelled through the small network. The manufacturer\u2019s links were quickly overwhelmed, and for about two hours many users behind Verizon and its peers never reached their intended destinations.&nbsp;<\/p>\n\n\n\n<p>Because BGP prefers the most specific prefix it hears, from whoever announces it, a single miscoded or leaked announcement can redirect many users, causing widespread outages, degraded performance, and interrupted trips to the&nbsp;<a href=\"https:\/\/www.visualcapitalist.com\/the-50-most-visited-websites-in-the-world\/\">most popular destinations<\/a>&nbsp;such as Google, Facebook, YouTube, Amazon, Netflix, and other popular sites.<\/p>\n\n\n\n<p>Like our club bouncer, RPKI provides a safeguard for one of BGP\u2019s security holes. Whether a bad announcement is intentional or accidental, origin validation lets an ISP reject any route whose origin AS is not authorized for the prefix, or that is more specific than the ROA permits; that is exactly the shape of the MyEtherWallet hijack and of the more-specific routes in the 2019 leak. It is not a complete fix, though. Origin validation checks only the last AS in the path, so a leak that preserves the real origin within the permitted prefix length, or a hijack that forges an AS path ending in the legitimate origin, still passes. Those cases are what ASPA and BGPsec are meant to address.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Zayo is invested in our Customers\u2019 Success<\/h2>\n\n\n\n<p>In the past two years, Zayo has enhanced our network considerably, ensuring its performance for our customers. We are enhancing our network, expanding its reach, and modernizing our IP layer. Our priorities were simple: adding geographic coverage, keeping our customers \u2013 and ultimately their customers \u2013 safe, while delivering bandwidth flexibility in an automated fashion.<\/p>\n\n\n\n<p>Zayo\u2019s role in building RPKI into the foundation of the Internet is part of this overall network strategy. Another initiative is requiring&nbsp;<em>two-factor authentication<\/em>&nbsp;for any BGP routing changes customers request. 
Zayo is among the first Internet providers to tighten BGP security in this manner.<\/p>\n\n\n\n<p>Summarized, Zayo\u2019s most recent IP-related network updates include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.pcmag.com\/encyclopedia\/term\/tier-1-network\">Tier 1 IP status<\/a><\/li>\n\n\n\n<li>Diverse\u00a0<a href=\"\/resources\/our-latest-network-expansion\/\">Long haul and metro fibre paths<\/a><\/li>\n\n\n\n<li><a href=\"\/services\/packet\/ddos-protection\/\">DDoS Protection<\/a>\u00a0service<\/li>\n\n\n\n<li><a href=\"\/newsroom\/zayo-unveils-significant-network-expansion-and-industry-first-product-innovation-to-enable-customers-to-connect-whats-next\/\">Our embrace of RPKI<\/a>\u00a0technology<\/li>\n\n\n\n<li>Routers pre-configured and ready for ASPA, RPKI\u2019s next layer of security<\/li>\n\n\n\n<li>A\u00a0<a href=\"\/newsroom\/zayo-unveils-significant-network-expansion-and-industry-first-product-innovation-to-enable-customers-to-connect-whats-next\/\">two-factor authentication process<\/a>\u00a0for BGP change requests<\/li>\n<\/ul>\n\n\n\n<p>As the Internet as a whole becomes more secure, Zayo is proud to bring the promise of great IP performance and a more secure experience to the global Internet community.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The public Internet is a lot of things. It\u2019s a low-cost connection for remote offices. It\u2019s student access to countless public learning tools. It\u2019s the delivery mechanism for the world\u2019s knowledge to our devices. It\u2019s every company\u2019s lifeline to their customers.<\/p>\n","protected":false},"featured_media":844,"template":"","meta":{"_acf_changed":false,"resource-post-excerpt":"The public Internet is a lot of things. It\u2019s a low-cost connection for remote offices. It\u2019s student access to countless public learning tools. It\u2019s the delivery mechanism for the world\u2019s knowledge to our devices. 
It\u2019s every company\u2019s lifeline to their customers.","footnotes":""},"resource-topics":[150],"displayed":[],"resources-categories":[44],"industry":[],"services-amp-solutions":[87,33,34],"class_list":["post-837","resources","type-resources","status-publish","has-post-thumbnail","hentry","resource-topics-cybersecurity","resources-categories-blog","services-amp-solutions-ddos-protection","services-amp-solutions-network-connectivity","services-amp-solutions-solutions"],"acf":[],"_links":{"self":[{"href":"https:\/\/zayoeutrans.burbledev.com\/de\/wp-json\/wp\/v2\/resources\/837","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zayoeutrans.burbledev.com\/de\/wp-json\/wp\/v2\/resources"}],"about":[{"href":"https:\/\/zayoeutrans.burbledev.com\/de\/wp-json\/wp\/v2\/types\/resources"}],"version-history":[{"count":1,"href":"https:\/\/zayoeutrans.burbledev.com\/de\/wp-json\/wp\/v2\/resources\/837\/revisions"}],"predecessor-version":[{"id":23227,"href":"https:\/\/zayoeutrans.burbledev.com\/de\/wp-json\/wp\/v2\/resources\/837\/revisions\/23227"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zayoeutrans.burbledev.com\/de\/wp-json\/wp\/v2\/media\/844"}],"wp:attachment":[{"href":"https:\/\/zayoeutrans.burbledev.com\/de\/wp-json\/wp\/v2\/media?parent=837"}],"wp:term":[{"taxonomy":"resource-topics","embeddable":true,"href":"https:\/\/zayoeutrans.burbledev.com\/de\/wp-json\/wp\/v2\/resource-topics?post=837"},{"taxonomy":"displayed","embeddable":true,"href":"https:\/\/zayoeutrans.burbledev.com\/de\/wp-json\/wp\/v2\/displayed?post=837"},{"taxonomy":"resources-categories","embeddable":true,"href":"https:\/\/zayoeutrans.burbledev.com\/de\/wp-json\/wp\/v2\/resources-categories?post=837"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/zayoeutrans.burbledev.com\/de\/wp-json\/wp\/v2\/industry?post=837"},{"taxonomy":"services-amp-solutions","embeddable":true,"href":"https:\/\/zayoeutrans.burbledev.com\/de\/wp-json\/wp\/v2\/services-amp-solutions?
post=837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
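The "bouncer" check the article describes in its RPKI sections, and the hijack shapes it walks through (a more-specific announcement from the wrong AS, a leaked more-specific from the right AS, a prefix with no ROA at all), as an added Python example. This is not code from the Zayo article or from any RPKI validator; it implements the origin comparison of RFC 6811 over a ROA set that is constructed here from documentation prefixes (RFC 5737, RFC 3849) and documentation ASNs (RFC 5398). It assumes the ROAs have already been cryptographically validated by a relying-party validator, so only the router-side comparison is shown, and all function names are this example's own. The final case demonstrates the caveat the article raises: a forged AS path that ends in the legitimate origin still validates, which is the gap ASPA and BGPsec are meant to close.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set.

Added example, not code from the Zayo article. ROAs and routes below use
documentation prefixes and ASNs and are constructed for illustration. The ROAs
are assumed to be already validated by a relying-party validator; this is only
the comparison a router performs once it holds that validated set.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence

VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"


@dataclass(frozen=True)
class ROA:
    """A validated Route Origin Authorization: prefix, maxLength, origin AS."""
    prefix: str
    max_length: int
    origin_asn: int

    def __post_init__(self):
        net = self.network()
        if not net.prefixlen <= self.max_length <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {self.max_length} for {self.prefix}")

    def network(self):
        return ipaddress.ip_network(self.prefix, strict=True)


def covering_roas(roas: Sequence[ROA], announced) -> List[ROA]:
    """ROAs whose prefix covers the announced prefix (RFC 6811 'covering ROA')."""
    return [r for r in roas
            if r.network().version == announced.version
            and announced.subnet_of(r.network())]


def validate_origin(roas: Sequence[ROA], prefix: str, origin_asn: int) -> str:
    """RFC 6811 validation state for one (prefix, origin AS) pair.

    NotFound: no ROA covers the prefix, so RPKI says nothing about it.
    Valid:    at least one covering ROA names this origin AS and its
              maxLength allows a prefix this long.
    Invalid:  covering ROAs exist but none matches: the wrong-origin hijack
              or the over-specific announcement.
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, announced)
    if not covering:
        return NOT_FOUND
    for roa in covering:
        if roa.origin_asn == origin_asn and announced.prefixlen <= roa.max_length:
            return VALID
    return INVALID


def validate_route(roas: Sequence[ROA], prefix: str, as_path: Sequence[int]) -> str:
    """ROV as a router applies it: only the rightmost AS in AS_PATH (the origin)
    is checked. Everything to its left is taken on trust, so a forged path that
    ends in the real origin still validates; ASPA and BGPsec address that gap."""
    return validate_origin(roas, prefix, as_path[-1])


def rov_action(state: str) -> str:
    """Common deployed policy: drop Invalid, accept Valid and NotFound
    (NotFound is accepted because ROA coverage is still incomplete)."""
    return "drop" if state == INVALID else "accept"


# Constructed ROA set, as if fetched and validated from the RIR repositories.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),      # /24 only, AS64496
    ROA("198.51.100.0/24", 25, 64497),   # AS64497 may also announce /25s
    ROA("198.51.100.0/24", 24, 64498),   # multihomed: AS64498 may announce the /24
    ROA("2001:db8::/32", 48, 64499),     # IPv6, anything down to /48
]


def demo():
    """Run the constructed announcements through ROV; returns the results."""
    cases = [
        ("192.0.2.0/24", [64510, 64496]),       # legitimate announcement
        ("192.0.2.0/25", [64510, 64500]),       # more-specific hijack from AS64500
        ("192.0.2.0/25", [64510, 64496]),       # right AS, but /25 exceeds maxLength
        ("203.0.113.0/24", [64510, 64500]),     # no ROA at all
        ("198.51.100.0/24", [64510, 64498]),    # second ROA matches
        ("198.51.100.0/25", [64510, 64498]),    # AS64498 is not allowed a /25
        ("198.51.100.0/25", [64510, 64497]),    # AS64497 is
        ("2001:db8:1::/48", [64510, 64499]),    # IPv6, within maxLength
        ("2001:db8:1:2::/64", [64510, 64499]),  # too specific
        ("192.0.2.0/24", [64500, 64496]),       # forged path ending in the real origin
    ]
    results = []
    for prefix, path in cases:
        state = validate_route(ROAS, prefix, path)
        results.append((prefix, path, state, rov_action(state)))
        print(f"{prefix:20} path={path} -> {state:8} {rov_action(state)}")
    return results


if __name__ == "__main__":
    demo()
```

Run it as a script to see each case. The two Invalid results for AS64496 and AS64498 are worth noting: the maxLength field is what turns a leaked or hijacked more-specific into an Invalid even when the origin AS is the legitimate one, which is why operators are advised to keep maxLength equal to the prefix length they actually announce rather than loosening it.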