* https://arstechnica.com/tech-policy/2024/06/fcc-pushes-isps-...
* https://www.techspot.com/news/104590-white-house-declares-bg...
* https://www.securityweek.com/white-house-outlines-plan-for-a...
WH PR (linked to by Reuters):
> While there is no single solution to address all internet routing vulnerabilities, the roadmap advocates for the adoption of Resource Public Key Infrastructure (RPKI) as a mature, ready-to-implement approach to mitigate BGP’s vulnerabilities. RPKI consists of two primary components: Route Origin Authorizations (ROA) and Route Origin Validation (ROV). A ROA is a digitally-signed certificate that a network is authorized to announce a specific block of internet space (i.e., IP addresses). ROV is the process by which BGP routers use ROA data to filter BGP announcements flagged as invalid. Importantly, ROV can help protect an organization’s internet address resources only if that organization has created ROAs.
* https://www.whitehouse.gov/oncd/briefing-room/2024/09/03/fac...
Roadmap/whitepaper (PDF):
* https://www.whitehouse.gov/wp-content/uploads/2024/09/Roadma...
But what impacts does this have on performance? Great we solved hijacking issue. But this other ASN which used to be a preferred route doesn’t use ROA/ROV (yet or refuses).
Now traffic reroutes to a less efficient path?
No performance impact: a routing table is a very (ahaha) binary thing, it takes a destination address and does a longest prefix match search in a table to find the next hop interface, to which it routes the packet.
Route validity is considered (alongside a bunch of other routing policy inputs) when constructing the table, not when a packet arrives.
The purported performance hit wouldn't be from the propagation delay on any given router, but rather from shifts in traffic resulting in a longer path.
In practice, I suspect there will be very little impact for most traffic, since typical aspath lengths are, like, 2. (Mostly, direct peering between CDNs and ISPs if the data isn't cached within the ISP network to begin with)
edit for source:
> The average AS path length in a well-developed content network is about 1. Maybe 1.1.
You are right, I neglected to point out that origin validation is (in the absence of shenanigans) not going to cause one path to be preferable to another: if the origin is the same AS, either both paths or neither is valid.
If the origin in two paths is two different ASes, either both are valid or shenanigans are afoot - perhaps there's a hijack being prevented, perhaps the network operator has screwed up their ROAs, perhaps the network operator is measuring sBGP uptake, perhaps the network operator is doing a rather bizarre and ineffectual form of traffic ingress management, or perhaps the network is in a transition from one AS to another, but those are all "shenanigans" in which routing efficiency is secondary to some other goal.
An alternative source for average BGP path length is https://blog.apnic.net/2024/01/10/bgp-in-2023-bgp-updates/ - where many other similar statistics can be found, and independently repeatable methodology is available. The average BGP path length for IPv4 is around 5.5 hops, and for IPv6 it is just shy of 5 hops. These numbers have been stable for a while with IPv4 slowly shrinking and IPv6 slowly growing, albeit in both cases by around 0.2 hops a decade.
And perhaps also relevant to the parent's question: path length itself is a pretty poor indicator of network performance by just about any measure you can name (excepting perhaps the TTL field), and is a last resort measure used only when all else is equal. The case of a prefix hijack being thwarted by origin validation is an extreme example in which the shorter (invalid) path represents 100% packet loss and the longer (valid) path given preference due to origin validation is infinitely more performant.
edit: oh, disclaimer - I am a co-author of one of the RPKI RFCs, and while I am personally not involved in secure BGP at present my employer definitely is. Opinions presented are mine.
> And perhaps also relevant to the parent's question: path length itself is a pretty poor indicator of network performance by just about any measure you can name (excepting perhaps the TTL field), and is a last resort measure used only when all else is equal.
Perhaps I focused the conversation in the wrong direction by mentioning AS path (and then further by describing the AS path between CDNs and end-users and framing that as "typical"). For a major CDN, most of the bytes served are originating from and destined to the same metro. Unless those CDNs have some serious problems with their RPKI setups, I expect that those bytes are going to continue flowing the same way they have been.
If anyone knows of a place in which a border router is only one (or 1.1 average) hop away from every other network on the planet, please let me know what real estate prices are like there, though.
(I suspect the 1.1 figure measures something quite different - the average path length inside a CDN or similar, which probably should be closer to one but might involve sneaky things like an overlay network).
Most of the major players in the space (Netflix, Akamai, YouTube, Facebook, etc) have boxes inside ISP networks across major metros, so the path length to reach those ISPs' users is in fact 1 assuming a cache hit, and the RTT is certainly less than 20ms.
And BGP is not really fundamentally flawed, what is fundamentally flawed is trying to get everyone to build an authoritative database on who owns which IPs and how they connect to their upstreams/downstreams, without it being possible for someone to manipulate that database nefariously. As we are on hacker news, you are probably aware that there is no such thing as a hack-proof system. The old IRR system would have been perfect if every IRR hoster had a dedicated team of highly trained NOC engineers who are capable of making cross references using the RIR databases to the fullest and investigate any anomalies to prevent any malicious submissions. Unfortunately, that doesn't scale as well as rolling out something smarter like RPKI. Unfortunately, everything was already setup to use the IRRs and some people like it that way, so getting to 100% RPKI adoption has been slow, just like IPv4 addresses will probably always be worth more than IPv6 even though in principle, IP address space should have zero inherent value because it's just a number and should not have any limited supply.
Source: Former RADB admin.
In RIPE, each as-num should list out a policy of which other ASNs can import/export routes from that ASN. I think there should also be a route/route6 object.
Do vultr not check/enforce this? (Other providers do).
Government agencies regularly game regulations that apply to them in the same way as corporations. See e.g. FOIA, Fourth Amendment, qualified immunity, civil asset forfeiture.
People like to dump on government but they can move the acceptable window/best practice to a place that corps would not have gotten to by themselves. Crypto is one, OWASP springs to mind, etc. But the government is not a homogeneous monolithic entity and it necessarily has to have some confliction built into it. You could have a bulletproof secure system for identity for example come out of NIST, say,...but the CIA would immediately need a workaround so that agents could assume new IDs in the field.
Those programs have now out competed every corporate service in the space and are either the main clearing house/provider or the second main provider in each type of US bank transfer.
They now have FedNow which is a "next gen" for these types of transfer systems and over the course of the next few years to the next decade it'll probably eat all the other systems as well as the many corporate offerings as well.
https://en.wikipedia.org/wiki/Fedwire
People arguing about public vs. private are missing the mark entirely. It has nothing to do with that. It's all about how many people have to do a task.
The US govt got to the moon and created a nuclear bomb in a relatively tiny amount of time, all entirely because it was a relatively small number of people focused on the same task. As for people who own routers? Thousands and thousands of them who all have different interests who aren't all focused on the same goal.
Getting a large group of people to do one simple task is 100x harder than getting a small group of people to do a complex task. This is why humanity got to the moon but still are stuck on IPv4.
> we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords—adding an extra layer of security like a fingerprint or codes sent to your cellphone
Amongst other things.
I guess it probably does raise the baseline, but at the cost of those who have good security practices.
Or TOTP.
SMS, on the other hand, is an abomination to this very day and should not be used by anyone for anything.
Does anyone have TOTP-only authentication?
Edit: SOX, HIPAA, NIST CSF.
Government is not always bad.
HIPAA is extraordinarily expensive, meanwhile healthcare providers continue to have abominable security because compliance is offloaded to a "compliance team" who comes around once in a while to check boxes without really understanding the system, which is managed by other people who don't really understand HIPAA. This is one of the reasons security in large organizations is hard. Bureaucracies gravitate toward bureaucratic solutions, but then the left hand doesn't know what the right hand is doing, which is a direct mechanism for security to get messed up.
SOX isn't really about "security", it's about auditing and so on, but it suffers from a disadvantageous trade off. Large companies are less likely to have accounting problems than smaller ones. The law was passed in response to major outliers like Enron, but basing rules on rare outliers generally results in bad rules. Meanwhile the smaller companies have disproportionately higher compliance costs, to the point that there have been proposals to exempt smaller companies. But that implies it probably isn't worth it for large companies because the rate of fraud is so low and it probably isn't worth it for small companies because the compliance costs are so high, and then there's nothing left.
Whereas NIST CSF is a different kind of thing because it's voluntary. This is where government publications can really do some good, because if they publish rubbish then nobody has to pay any attention to it and the cost is limited to the money they spent creating it, but if it's good then it's valuable to anyone who uses it. The government should definitely lean towards this method, but it's hard to call this one "regulations" -- and the criticism you're responding to was that corporations would end up "just gaming the regulations".
Also notice that a large part of the cost is poorly accounted for, because the way many of the non-destructed entities comply with it is by adopting cloud-hosted EMR systems that handle a lot of the compliance burden for them. Which aren't exactly cheap, but more than that they're usability fiascos that imperil patient care.
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/ad...
It's 115 pages. Just training the staff to comprehend what's in it is a non-trivial undertaking, assuming people are actually going to comply with it.
It has some fun provisions, like prohibiting disclosure of certain information except where disclosure is mandatory, which means there is no "err on the side of caution" and you need staff to know exactly what the conditions are if you want to avoid breaking the law.
There are various rules about computer systems and access controls that are all reasonable and expected in a large bureaucracy but not anything a small medical practice is going to be familiar with. So they'll have someone host it for them who has lawyers on staff and pay them a premium for it. That makes it "easier" and then the expense gets accounted for as something else. But now we're back to many of these systems being proprietary and miserable, because they're specialized to the limited (and extremely "enterprise") market of customers who need HIPAA compliance, and now small entities have to deal with the daily horrors of using "enterprise software" for their ordinary work.
Compliance costs also often seem low because people aren't actually complying. But then you're creating a competitive disadvantage for companies that actually follow the law.
It's not my impression that HIPAA is one of the more burdensome regs regimes, and this comment sort of reinforces that belief.
Isn't that funny when the white house has been exposed secretly tapping every single non American (Chinese included) and American online activity, phones calls, mails, etc.
I'm not saying the Chinese should be able to do what the USA is already doing to the world but it's like seeing a thieft getting robbed by another criminal. Somehow its funny.
Trusting US/Five eyes controlled companies with your data is a bad move. No matter if private or enterprise.
It is like people being perplexed about people complaining about some company or product. 'So choose another one?' Ye well others might wanna know about it too...
Security issues is a security issue, the justification is mostly just puffery. Even the white house statement is vague as hell with things some adversary might be able to do grasping at something to relate what is an industry-specific esoteric issue to some hypothetical tangible real world consequence.
It's like how Net Neutrality had that fake Comcast ad where you had to pay for tiers of internet to try to make sense of what really was a B2B market intervention to stop ISPs from rent-seeking tech companies. It made it relatable even if it wasn't at all what would have (and didn't happen I suppose) happened.
Russia (and before them the Soviets), the Chinese, the French, the Brits, and many others have been doing it for decades.
This isn’t a response from China to US revelations, it’s a continuation and escalation of a practice they’ve been doing all along.
What would be the most convincing arguments to email my ISP with?
And official release: https://www.whitehouse.gov/oncd/briefing-room/2024/09/03/pre...