NIST Publishes SP 800-189, Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation

NIST has published Special Publication (SP) 800-189, "Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation," which supersedes SP 800-54, "Border Gateway Protocol Security."

In recent years, numerous routing control plane anomalies, such as Border Gateway Protocol (BGP) prefix hijacking and route leaks, have resulted in denial of service (DoS), unwanted data traffic detours, and performance degradation. Large-scale distributed denial of service (DDoS) attacks on servers using spoofed internet protocol (IP) source addresses and reflection-amplification in the data plane have caused significant disruption of services and resulting damages.

NIST Special Publication (SP) 800-189, Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation, provides technical guidance and recommendations for technologies that facilitate resilient interdomain traffic exchange (RITE). Technologies recommended in this document for securing the interdomain routing control traffic include Resource Public Key Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS and DDoS attacks include prevention of IP address spoofing using source address validation with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies such as remotely triggered black hole (RTBH) filtering, flow specification (Flowspec), and response rate limiting (RRL) are also recommended as part of the overall security mechanisms.
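As an added illustration of the BGP origin validation (BGP-OV) mechanism named above, the following Python example implements the route origin validation decision (Valid / Invalid / NotFound) that a router applies to each received announcement against the set of RPKI Route Origin Authorizations (ROAs) it has learned from validating caches. The code is not from SP 800-189 or from NIST; it is written for this page and follows the validation semantics of RFC 6811. The ROA table and the announcements it checks are constructed for the example, using documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) and private-use ASNs (64496 onward), so they correspond to no real network.

```python
"""Added example: RPKI route origin validation (RFC 6811 semantics).

Not code from NIST SP 800-189. ROA data and announcements below are
constructed with documentation prefixes and private-use ASNs.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Validity(Enum):
    VALID = "Valid"          # at least one covering ROA matches (AS and maxLength)
    INVALID = "Invalid"      # covering ROAs exist, but none matches
    NOT_FOUND = "NotFound"   # no ROA covers the announced prefix


@dataclass(frozen=True)
class ROA:
    prefix: IPNetwork
    max_length: int   # longest prefix length the holder authorises this AS to originate
    asn: int          # authorised origin AS; AS 0 means "nobody may originate this"


def roa(prefix: str, asn: int, max_length: int | None = None) -> ROA:
    """Build a ROA; maxLength defaults to the ROA prefix length (RFC 6482)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)


def covers(r: ROA, route: IPNetwork) -> bool:
    """A ROA covers a route if the route prefix lies within the ROA prefix."""
    return route.version == r.prefix.version and route.subnet_of(r.prefix)


def validate(route_prefix: str, origin_asn: int, roas: List[ROA]) -> Validity:
    """RFC 6811 origin validation of one (prefix, origin AS) announcement."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return Validity.NOT_FOUND
    for r in covering:
        # AS 0 can never match, so an AS0 ROA renders every covered route Invalid.
        if origin_asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return Validity.VALID
    return Validity.INVALID


# Typical deployment policy: reject Invalid, accept Valid and NotFound
# (most of the routing table still has no ROA, so NotFound cannot be dropped).
def policy_action(v: Validity) -> str:
    return "reject" if v is Validity.INVALID else "accept"


def filter_announcements(announcements: List[Tuple[str, int]],
                         roas: List[ROA]) -> List[Tuple[str, int, str, str]]:
    """Run validation over a batch of (prefix, origin AS) pairs."""
    return [(p, a, validate(p, a, roas).value, policy_action(validate(p, a, roas)))
            for p, a in announcements]


# Constructed ROA table (stands in for the output of a validating cache).
SAMPLE_ROAS = [
    roa("192.0.2.0/24", asn=64496),                 # /24 only, AS64496
    roa("198.51.100.0/24", asn=64497, max_length=25),  # /24 and /25s, AS64497
    roa("203.0.113.0/24", asn=0),                   # AS0: nobody may originate
]

# Constructed announcements as a router might receive them.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),        # legitimate origin
    ("192.0.2.0/25", 64496),        # right AS, but more specific than maxLength
    ("192.0.2.0/24", 64511),        # prefix hijack by an unauthorised AS
    ("198.51.100.128/25", 64497),   # within maxLength
    ("198.51.100.0/26", 64497),     # exceeds maxLength
    ("203.0.113.0/24", 64496),      # covered only by an AS0 ROA
    ("10.0.0.0/8", 64496),          # no ROA at all
    ("2001:db8::/32", 64496),       # no IPv6 ROA at all
]

if __name__ == "__main__":
    for prefix, asn, verdict, action in filter_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print(f"{prefix:<20} AS{asn:<6} {verdict:<9} -> {action}")
```

The table of results makes the two common operator mistakes visible: a ROA whose maxLength is shorter than the more-specifics the holder actually announces turns the holder's own routes Invalid, and an AS0 ROA on a prefix that is later put into use does the same, so ROAs must be kept in step with what is really originated before any peer starts rejecting Invalid routes.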

The document is intended to guide information security officers and managers of federal enterprise networks. The guidance also applies to the network services of hosting providers (e.g., cloud-based applications and service hosting) and internet service providers (ISPs) when they are used to support federal IT systems. The guidance may also be useful for enterprise and transit network operators and equipment vendors in general.

The final publication of SP 800-189 incorporates comments that were received on the second public draft (October 2019); see the publication details for the initial and second public drafts for a summary of comments received and NIST’s responses to those comments.

SP 800-189 supersedes SP 800-54, "Border Gateway Protocol Security," which has been withdrawn.

Released December 17, 2019