BGP, the Border Gateway Protocol, was not designed to be secure. It was designed to work – to route packets between the thousands of autonomous systems that make up the internet, quickly and at scale.
For four decades, it has done exactly that. It has also, throughout those four decades, been exploited, misconfigured, and abused in ways that were predictable from the start. Route hijacks reroute traffic through hostile networks. Route leaks knock services offline. Nation-state cyber crews weaponize BGP to intercept communications at scale. These are not theoretical threats. They are documented, recurring events, and they remain possible today for one simple reason: BGP has no native way to verify that a network claiming to own a block of addresses actually does.
A series of patches and extensions like Resource Public Key Infrastructure (RPKI), BGPsec, and RPKI-based Route Origin Authorization (ROA) have been layered over the original protocol in an attempt to address the worst of these vulnerabilities. They help at the margins. They do not solve the underlying problem.
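To make concrete what RPKI-based Route Origin Authorization does, and where it stops, here is a small route origin validation (ROV) check written for this article; it is an added example, not code from the SCION project or from any router vendor. It implements the RFC 6811 decision (valid, invalid, not-found) against a constructed set of ROAs, using documentation prefixes and private-use AS numbers (64496, 64511), and the announcement table is likewise constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# A Route Origin Authorization as published in RPKI: a prefix, the longest
# more-specific length the holder permits, and the AS allowed to originate it.
@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int

# Constructed ROA set for the example (documentation prefixes, private ASNs).
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
)

def rov_state(announced_prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """RFC 6811 route origin validation.

    Returns 'valid' if some covering ROA names this origin AS and permits
    this prefix length, 'invalid' if covering ROAs exist but none match,
    and 'not-found' if no ROA covers the announced prefix at all.
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version:
            continue  # v4 ROAs never cover v6 announcements and vice versa
        if net.subnet_of(roa_net):  # announced prefix lies inside the ROA prefix
            covering.append((roa, roa_net))
    if not covering:
        return "not-found"
    for roa, _ in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"

def apply_policy(announcements, roas=SAMPLE_ROAS):
    """Common operator policy: drop 'invalid', accept 'valid' and 'not-found'.

    Returns the list of (prefix, as_path, state) entries that are accepted.
    Only the rightmost AS (the origin) is checked; the rest of the path is
    not verified by ROV at all.
    """
    accepted = []
    for prefix, as_path in announcements:
        state = rov_state(prefix, as_path[-1], roas)
        if state != "invalid":
            accepted.append((prefix, as_path, state))
    return accepted

if __name__ == "__main__":
    # Constructed announcements: legitimate, wrong-origin, over-long
    # more-specific, uncovered, and a forged path ending in the true origin.
    sample = [
        ("192.0.2.0/24", [64500, 64496]),
        ("192.0.2.0/24", [64500, 64511]),
        ("192.0.2.0/25", [64500, 64496]),
        ("198.51.100.0/24", [64500, 64511]),
        ("192.0.2.0/24", [64511, 64496]),
    ]
    for prefix, path, state in apply_policy(sample):
        print(prefix, path, state)
```

The last entry in the sample table is the instructive one: a path that ends in the genuine origin AS passes ROV even though nothing in RPKI vouches for the hops before it. Origin validation answers only "is this AS allowed to originate this prefix"; it says nothing about whether the path actually traverses the ASes it lists, which is the gap BGPsec targets and the reason the article calls these measures help "at the margins".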
There is, however, a system that does, or at least claims to. SCION, which stands for Scalability, Control, and Isolation On Next-Generation Networks, is an internet routing architecture developed at ETH Zürich. Unlike the patches applied to BGP, SCION does not attempt to retrofit security onto a 40-year-old foundation. It replaces the foundation entirely. That redesign is the life's work of Adrian Perrig, professor of computer science at ETH Zürich and the principal architect of SCION.
The boat full of holes
Perrig has been worrying about internet security since 1991, when he first worked with Cisco routers before starting his bachelor's degree at EPFL. He has spent most of the intervening years trying to make the internet more secure. Eventually, he concluded it was the wrong approach. "You cannot bolt on security," says Perrig. "You cannot get to a truly secure global network unless you actually change the design. It's like saying you want to go to the Moon, so let's put rocket boosters on an airplane. No, you have to design the vehicle differently."
Perrig launched SCION in 2009 after gaining tenure and the freedom to pursue something most of his colleagues told him was career suicide. His core frustration was simple: the same vulnerabilities had been documented since the 1980s, and nobody had tried to fix them at the architectural level. "The best security companies in the world are still being exploited through them," he says. "There has not even been an attempt to address them properly."
Kevin Curran, a cybersecurity professor at Ulster University who has been teaching computer networks for 27 years, offers an independent assessment that lands in the same place. The internet, he says, was built without security in mind, and what followed was a succession of workarounds. "What we have had over 40 years is a series of Band-Aids," says Curran. "Nothing has come close to addressing the need for truly secure paths across an adversarial network."