[Dshield] Commentary on Recent BGP Hijacking Demo

Jon Kibler Jon.Kibler at aset.com
Sun Sep 7 16:32:26 GMT 2008


The recent BGP hijacking demo is interesting. However, the fact that the
routing has been hijacked is immediately obvious -- just do a traceroute.

More insidious would be MPLS hijacking. There, the only way to tell that
label switching (routing) has been hijacked would be an increase in
packet latency -- which would not always be significant enough to be
detectable.

The biggest problem with MPLS is that service providers are in deep
denial that MPLS has any security issues. They rate hijacking as an
"impossibility."

Worse, service providers claim that MPLS is "totally secure." They try
to sell MPLS as "so secure you do not need encryption." I have even had
one service provider threaten to block all IPSec traffic because it
introduced "too much needless network overhead." Others have threatened
to remark all IPSec traffic as default precedence and ignore customer
DSCP markings.

I fear that too many users of MPLS are falling for the security
marketing hype that is prevalent with MPLS and they are not encrypting
their MPLS traffic. They forget that if their traffic crosses national
borders, it is probably being monitored. If you have sensitive
intellectual property that transits national borders on unencrypted MPLS
networks, you can pretty much guarantee that foreign governments are
stealing this information in transit for distribution to their country's
companies, giving them a competitive advantage through
government-sponsored industrial espionage.

Using MPLS? Not encrypting? Not concerned? You should be. It could be
the weakest link in your organization's security.



My $0.02 worth.

Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

