The Resource Public Key Infrastructure (RPKI) system is designed to prevent hijacking of routes at their origin AS. If you don’t know how this system works (and it is likely you don’t, because there are
In this community roundtable, Eyvonne and I talk to Eric Osterweil about the increasing reliance on analytics in the realm of security.
Users—particularly those who do not understand technology as well—have long been taught to “look for the green lock in your web browser” to be certain they are communicating with a “trusted” site. For instance, here
I have written elsewhere about the problems with the “little green lock” shown by browsers to indicate a web page (or site) is secure. In that article, I considered the problem of freely available certificates,
How do attackers find a vulnerability, write a piece of code to take advantage of that vulnerability -- i.e., build an exploit -- build a software delivery system around the exploit and then deliver the
Stronger passwords are always better—at least this is the working theory of most folks in information technology, security or otherwise. Such blanket rules should raise your suspicions, however; the rule11 maxim if you haven’t found
We often treat security as an absolute, "that which must be done, and done perfectly, or is of no value at all." It's time to take this myth head on, and think about how we
Way back in the old days, the unit I worked at in the US Air Force had a room with a lot of equipment used for processing classified information. Among this equipment was a Zenith
I was recently invited to a webinar for the RIPE NCC about the future of BGP security. The entire series is well worth watching; I was in the final session, which was a panel discussion
Side channel attacks are not something most network engineers are familiar with; I provided a brief introduction to the concept over at The Network Collective in this Short Take. If you aren't familiar with the
In this short take, recently posted over at the Network Collective, I discuss what a side channel attack is, and why they are important.
Yet another protocol episode over at the Network Collective. This time, Nick, Jordan, Eyvonne and I talk about BGP security.
The recent Meltdown and Spectre attacks illustrate the problematic nature of modern computing systems. While the earlier Rowhammer attack could read or attack one process running in a virtual environment from another process running on
Over at the ACM blog, there is a terrific article about software design that has direct application to network design and architecture. The problem is that once you give a monkey a club, he is
In simple terms, Meltdown and Spectre are simple vulnerabilities to understand. Imagine a gang of thieves waiting for a stage coach carrying a month's worth of payroll. There are two roads the coach
In a recent comment, Dave Raney asked: Russ, I read your latest blog post on BGP. I have been curious about another development. Specifically is there still any work related to using BGP Flowspec in
Three articles of interest on the new WiFi KRACK— This is not a crypto bug but a protocol bug (a pretty obvious and trivial protocol bug). When a client connects to the network, the access-point
An interesting incident this last week brings password managers back to the front of the pile— OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it
A good bit has been written about the recent WannaCry outbreak over the last few weeks; rather than stringing the best out through Worth Reading posts, I have collected the three best posts on the
I've been reading a lot about the repeal of the rules putting the FCC in charge of privacy for access providers in the US recently—a lot of it rising to the level of hysteria and
When the inevitable 2AM call happens—"our network is under attack"—what do you do? After running through the OODA loop (1, 2, 3, 4), used communities to distribute the attack as much as possible, mitigated the
Many years ago, when multicast was still a "thing" everyone expected to spread throughout the Internet itself, a lot of work went into specifying not only IP multicast control planes, but also IP multicast control
Most engineers focus on purely technical mechanisms for defending against various kinds of cyber attacks, including "the old magic bullet," the firewall. The game of cannons and walls is over, however, and the
The other day several of us were gathered in a conference room on the 17th floor of the LinkedIn building in San Francisco, looking out of the windows as we discussed various technical matters.
In the first post on DDoS, I considered some mechanisms to disperse an attack across multiple edges (I actually plan to return to this topic with further thoughts in a future post). The second post
Your first line of defense to any DDoS, at least on the network side, should be to disperse the traffic across as many resources as you can. Basic math implies that if you
Distributed Denial of Service is a big deal—huge pools of Internet of Things (IoT) devices, such as security cameras, are compromised by botnets and being used for large scale DDoS attacks. What are
Assume, for a moment, that you have a configuration something like this— Some host, A, is sending queries to, and receiving responses from, a database at C. An observer, B, has access to the packets
BGP security: where we are now, where we are going, as presented at LACNOG 26 in November of 2016.
One interesting trend of the last year or two is the rising use of data analytics and ANI (Artificial Narrow Intelligence) in solving network engineering problems. Several ideas (and/or solutions) were presented this year at
Over at TechBeacon, my friend Chris Romeo has an article up about DevOps and security. It's interesting to me because this is actually an area I'd never thought about before, even though it makes sense.
I really dislike corporate VPNs that don't allow split tunneling—disconnecting from the VPN to print on a local printer, or access a local network attached drive, puts a real crimp in productivity. In the case
Over the past several weeks, there's been a lot of talk about something called "differential privacy." What does this mean, how does it work, and... Is it really going to be effective? The basic concept
DDoS attacks, particularly for ransom—essentially, "give me some bitcoin, or we'll attack your server(s) and bring you down," seem to be on the rise. While ransom attacks rarely actually materialize, the threat of DDoS overall
Spam might seem like an annoyance in the US and other areas where bandwidth is paid for by the access rate—and what does spam have to do with BGP security? In many areas of the
When Cyrus wanted to capture Babylon, he attacked the river that flows through the city, drying it out and then sending his army under the walls through the river entrance and exit points. In a
What would it take to secure BGP? Let’s begin where any engineering problem should begin: what problem are we trying to solve? This series of posts walks through a wide range of technical and business
The next proposed (and actually already partially operational) system on our list is the Router Public Key Infrastructure (RPKI) system, which is described in RFC7115 (and a host of additional drafts and RFCs). The RPKI
There are a number of systems that have been proposed to validate (or secure) the path in BGP. To finish off this series on BGP as a case study, I only want to look at
Throughout the last several months, I've been building a set of posts examining securing BGP as a sort of case study around protocol and/or system design. The point of this series of posts isn't to
In the last post in this series on securing BGP, I considered a couple of extra questions around business problems that relate to BGP. This time, I want to consider the problem of convergence speed
In my last post on securing BGP, I said— Here I’m going to discuss the problem of a centralized versus distributed database to carry the information needed to secure BGP. There are actually, again, two
This is the second post in the two part series on BGP path validation over on the LinkedIn Engineering blog. We left off last time after having described the eight operational requirements that must be
It's not like they're asking for a back door for every device. If the world goes dark through encryption, we'll be back to the wild west! After all, if it were your daughter who had
This week I was peacefully reading the March 9th issue of ACM Queue when I received a bit of a surprise. It seems someone actually buys the "blame the victim" game, arguing that governments are
In part 1 of this series, I looked at the general problem of securing BGP, and ended by asking three questions. In part 2 and part 3, I considered the third question: what can we
https://www.youtube.com/watch?v=x9akH7TpZ5c&feature=youtu.be This is my talk on BGP security from the latest NANOG. Some of the questions I discuss in this talk, and some of the solutions, interact with the series I currently have running on
To recap (or rather, as they used to say in old television shows, "last time on 'net Work..."), this series is looking at BGP security as an exercise (or case study) in understanding how to
In part 1 of this series, I pointed out that there are three interesting questions we can ask about BGP security. The third question I outlined there was this: What is it we can actually
What would it take to secure BGP? Let's begin where any engineering problem should begin: what problem are we trying to solve? In this network—in any collection of BGP autonomous systems—there are three sorts of
Despite the bad rap it sometimes gets, anonymity – and anonymity technology – is used all the time by everyday people. Think about it: just walking in a park without being recorded or observed or
In case you're confused about the modern state of security, let me give you a short lesson. Your network is pictured to the left. When I first started working on networks in the USAF we
I was teaching a class last week and mentioned something about privacy to the students. One of them shot back, "you're paranoid." And again, at a meeting with some folks about missionaries, and how best
As I learned in my early days in electronics, every wire is an antenna. This means that a signal in any wire, given enough power, can be transmitted, and that same signal, in an adjacent