Has BGP routing security failed (yet)?

▼ In the thorough style we've come to expect from him, Geoff Huston tries to answer the question Is Secured Routing a Market Failure? Please read about the market aspect (and the limitations imposed on the IETF by big router vendors) in that article. His final conclusion is broader, through:

But mostly it's a failure because it does not deliver. Security solutions that offer only a thin veneer of the appearance of improvement while offering little in the way of improved defence against determined attack are perhaps worse than a placebo.

20 years ago I went to my first IETF meeting and there I learned about S-BGP and soBGP. It would take another almost ten years for RPKI to be standardized and fifteen years for the BGPSEC specification (which is largely S-BGP with the RPKI functionality removed) to be published. RPKI is gaining some traction but hasn't been able to stop at least some determined attackers. There are no production level implementations of BGPSEC after five years.

So why is that? True, if people would be prepared to pay extra for secure routing, we'd have it by now.

But I think the bigger issue is failure to understand the problem.

Looking at the valley-free model, we can observe that the right hand part of the network hierarchy is trusted by the sender of the routing updates / receiver of the packets, while the left hand side is trusted by the receiver of the routing updates / sender of the packets.

This hierarchy is pretty flat, so there's usually only a handful of networks on each side. So telling the world that those are networks you trust should be something we can do reasonably efficiently. Then, the only thing is to make sure that there are no network hops in the path that aren't trusted by either side.

Earlier this year, RFC 9234 "Route Leak Prevention and Detection Using Roles in UPDATE and OPEN Messages" was published. This adds some information to BGP that lets it detect paths that aren't valley-free. The nice thing about this mechanism is that it protects two networks that implement the mechanism against mistakes made by networks that don't implement the mechanism.

We still need better mechanisms to thwart determined, purposeful attackers, but the good news is that we've made life a lot harder for those already. So even though we're not there yet when it comes to secured routing, it's not so much that we've failed, but that we are taking too much time to succeed.

Permalink - posted 2022-12-13

Smart home Matter and Thread misconceptions (or not?)

▼ I just saw a Youtube video kind of reviewing the new Thread smart home communication protocol. I'm not linking to it because it attributed a bunch of things to Thread that are Matter, unless I'm very much mistaken. (And the latter is certainly possible. Do your own research before buying new stuff.)

Matter is the new IP-based system that lets a smart home "ecosystems" such as Amazon Alexa, Google Home, Apple HomeKit and Samsung SmartThings talk to smart home accessories. Matter has two big advantages. The first one is that you're no longer locked into a single ecosystem or a limited number of ecosystems. Every ecosystem that supports Matter can control accessories that use Matter. Even better, multiple ecosystems can control the same accessories.

Thread, on the other hand, is simply a wireless protocol for talking to smart home accessories. Other protocols that accomplish the same thing are Zigbee, Z-Wave and bluetooth LE (low energy). Zigbee and Thread share the same underlying IEEE 802.15.4 mesh technology. The difference is that with Zigbee, the applications talk more directly to the IEEE 802.15.4 layer, while Thread uses 6LoWPAN to make IP(v6) communicate over the limited bandwidth and packet size 802.15.4 protocol efficiently.

So a smart home controller that uses Matter can simply use IP packets to talk to Thread-connected accessories the same way it would talk to Wi-Fi-connected accessories. The only extra thing needed for that is a "Thread border router" that connects to the Wi-Fi or Ethernet home network and also to the Thread mesh network.

No more bridges?

The big advantage of Thread over existing solutions is that once you get a Thread border router, you don't need any additional bridges or hubs like the Philips Hue bridge. The range will be better than bluetooth low energy (used by Eve Homekit accessories) and the reliability better than bluetooth or Wi-Fi due to the mesh networking, where accessories that are connected to mains power will forward packets for other accessories.

But it's unlikely that you'll be able to get rid of your existing bridges. For instance, the Hue bridge will get an update that implements Matter in the first half of 2023, but the individual Hue lights won't be updated to support Matter or Thread. Those lights and other Hue accessories will continue to talk to the Hue bridge using Zigbee. That is probably the right choice as moving all those individual lights, some 10 years old, to the new Thread protocol without losing current functionality would be a gargantuan task.

However, it's likely that a Thread border router will be your last new bridge. If that is going to be a separate device in the first place. The thread border router functionality is (or already has been) added to a lot of new devices, such as Apple's latest Homepod Mini and AppleTV 4K and the LG 2022 OLED TVs.

Hue, Thread and Matter

Signify (the maker of Hue) has said that they don't want to make light bulbs that support Matter, as the Hue bridge has an important role to fulfill in a Hue installation. However, their current lights do support bluetooth so you can control a few lights directly from the phone app without the need to buy the relatively expensive Hue bridge. I wonder if they'll move that functionality from bluetooth to Thread. Then again, this requires a Thread border router, so perhaps that doesn't help their "no bridge" use case.

Even though Hue won't support using Thread itself, it would be really great if Signify could add Thread border router functionality to the Hue bridge. As the bridge already supports IEEE 802.15.4 and apparently has some processing/memory capacity to spare, this should be possible...

What now?

Although the smart home future looks bright with Matter and Thread, for those of us who already have a bunch of accessories in a single ecosystem, these new standards won't really change anything. This is really all about the future when getting new smart home accessories might be as simple as to check for the Thread logo.

For now though, this probably means waiting a bit to see where different systems end up. Hue is pretty clear: the Hue bridge isn't going anywhere and (existing) lightbulbs won't get Thread. But the bridge will get a software update to get Matter support. So if you already have a Hue bridge, no need to stop buying Hue right now for products where the high price is justified.

But the cheap smart light bulb product space is probably going to be a war zone next year as those cheap bulbs gain Matter/Thread support and no longer require separate bridges.

Eve has already been building Thread support into its new Homekit accessories, so Eve is now more attractive as this allows you to remove the bluetooth performance/reliability bottleneck, and with Matter support it will leave the Homekit-only limitation behind. But again, there will probably cheap alternatives next year.

Unless you can get a killer deal, I wouldn't buy any cheaper brand non-Thread, non-Matter accessories. Better alternatives will become available in the relatively near future.

Permalink - posted 2022-12-03