Skip to main content

Routing layer security on the public internet is hopeless

I have mostly come to the conclusion that trying to secure the routing layer of the internet is hopeless. Protocols like DNSSEC impose pretty significant costs on service providers and clients/recursive resolvers, and at the same time don't provide any substantive security guarantees that I'd be willing to rely on. I still want end-to-end security—confidentiality and integrity, in particular—of the data stream, something provided by TLS and support systems around TLS (e.g., certificate transparency).

DNSSEC doesn't even try to give me the one thing I'd really like out of the routing layer, which is privacy: it provides a base level of integrity...and that's it.

"Securing" BGP in a similar way would be worth even less, because routing decisions at that level can't even really be checked by clients as they don't have the context to understand why paths are configured with particular costs, nor do they know where state-level actor tap points exist, so it's not like they could sound an alarm on the existence of a suspicious route: how would you define or detect "suspicious"?

It's also worth considering that all widely-used protocols on the internet are built in layers: protocols at each layer are designed to create resiliency and add features beyond those which are provided by lower layers. Just as TCP takes IP and adds reliability and flow control, TLS takes TCP and adds a degree of end-to-end security. This is not simply chance or expediency: there's a reason things are built this way.

Note that I'm not claiming a perfect TLS provides us with all the security we want. The one gaping hole in TLS security that would be solved by a proper security design for the routing layer is that TLS provides confidentiality only of the actual bits being moved around: the metadata (routing information, size of data transferred, etc.) is wide open for analysis. But until something like TOR can accomplish this in a demonstrable (and preferably provable) way in an overlay network subject to constant surveillance, it's actually counterproductive to add some crypto at the lower layers, declare "we have routing layer security!", and call it a day.

Not only that, but the biggest problem with TLS—the trust model and how it is implemented in browsers—is not solved by adding DNSSEC-like security to the routing layer.

So, just to be clear, I'm not opposed to adding security to the routing layer... but it has to provide enough value to balance out the cost. What the TOR/Silk Road debacle tells me is that routing layer privacy is a hard problem: a protocol designed explicitly for privacy over untrusted networks nonetheless was vulnerable to targeted analysis. What makes me hopeless on this subject is that at some level even TOR relies on systems that know where packets are going to end up, so it's not clear that routing layer security of the sort I want is even possible.


Moneylove said…
I think you are right. What about multiple IP address on same unit and Encryption at the local device. Oh and masking local addresses

Popular posts from this blog

10 best albums of the 1990's

I haven't done a blog in a while, and there's nothing that's stoking the political fires enough to make me want to write. Therefore... I present my opinion of the best 10 albums of the 1990's. If you know anything about me, you know that I'm a hard-core metal fan, so that preference inevitably colors this list. 10. Loreena McKennitt / the mask and mirror (1994). While not her strongest album, it speaks volumes about the quality of her albums that I would still include this among my top 10 of the 1990's. Ethereal, textured, haunting: these are all adjectives that accurately describe the music. Ms. McKennitt's voice, however, is what really draws me to the music: her range is huge, and her power at the high end unmatched by any of the other non-Opera singers I've heard. 9. Pearl Jam / Vs. (1993). Their best album is also the finest example of alternative rock: plenty of anthems balanced with slower, more personal poems. With the exception of a

I hate when a good comment gets buried

I hate when I post a good comment to reddit and it gets buried because either no one noticed it or it was a tangent to the OP. Here's one such case: One of the consequences of MMT is that the national debt is meaningless: it's an accounting fiction. One of the interesting properties of fiat (government-issued paper) currency is that the government must run a net deficit or there can be no money in circulation: if government doesn't spend the money first (i.e., before collecting taxes), how can there be any in circulation for private payments or tax payments? Note that MMT isn't prescriptive, just descriptive. It's critical for people to understand how our monetary system actually works in order for sane policy to be created. Of course what I said above isn't true on a gold standard, for instance; but we aren't on a gold standard, so unless we go