In FY 2016, ITL staff made significant contributions to the design, standardization, testing and measurement of technologies that improve the security and robustness of the Internet's global routing protocol, BGP. NIST staff are key contributors to Internet Engineering Task Force (IETF) standards that add cryptographic validation to BGP (see https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol/) and that address robustness issues associated with large-scale routing policy violations, i.e. route leaks (see https://www.rfc-editor.org/rfc/rfc7908.txt). In addition, NIST developed and released open source reference implementations of these emerging IETF specifications, online test tools to foster their adoption, and measurement systems to track their operational deployment. Below is a visualization, generated by one such monitoring tool, of the emerging global structure of the Resource Public Key Infrastructure (RPKI). The RPKI is designed to provide the trust infrastructure upon which Internet routing security technologies (route origin validation and BGPsec path validation) are built.
In FY 2016, as the technology specifications and implementations matured, ITL staff began a series of outreach efforts with the networking industry to increase understanding, and foster adoption, of these new BGP security mechanisms. ITL staff organized and led a workshop at the June North American Network Operators Group (NANOG) meeting aimed at addressing the practical issues, the state of vendor support, and existing operational experience with emerging BGP security technologies (see https://www.nanog.org/meetings/abstract?id=2846). ITL staff also initiated a nationwide BGP security pilot deployment project with the Internet2 research and education community.
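The first routing-security mechanism built on the RPKI is route origin validation (RFC 6811), in which a router compares each received BGP announcement against the set of Validated ROA Payloads (VRPs) derived from the RPKI. The following is an added illustration of that comparison, not code from NIST's reference implementation or monitoring tools. The VRPs, prefixes and AS numbers are constructed from documentation ranges (RFC 5737, RFC 3849, RFC 5398); the validation logic follows RFC 6811, and the AS 0 handling follows RFC 7607.

```python
"""Route Origin Validation (RFC 6811) against a constructed set of RPKI VRPs."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: covered prefix, maximum announced length, authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Route:
    """A received BGP announcement: NLRI prefix and the right-most AS of its AS_PATH."""
    prefix: str
    origin_asn: int


# Constructed sample VRPs; documentation prefixes and ASNs stand in for real allocations.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/22", 24, 64497),   # AS 64497 may announce /22 through /24 of this block
    VRP("2001:db8::/32", 48, 64496),
    VRP("203.0.113.0/24", 24, 0),        # AS 0 VRP: nobody may originate this space (RFC 7607)
]


def covers(vrp: VRP, route: Route) -> bool:
    """A VRP covers a route when the route's prefix is equal to or more specific than the VRP prefix."""
    v, r = ip_network(vrp.prefix), ip_network(route.prefix)
    return v.version == r.version and r.subnet_of(v)


def validate(route: Route, vrps) -> str:
    """Return the RFC 6811 validation state: 'Valid', 'Invalid' or 'NotFound'."""
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "NotFound"          # no ROA speaks to this prefix at all
    r = ip_network(route.prefix)
    for v in covering:
        # Valid iff some covering VRP names this origin AS and permits this prefix length.
        # An AS 0 VRP never matches: AS 0 cannot legitimately appear as an origin.
        if v.asn != 0 and v.asn == route.origin_asn and r.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"               # covered, but wrong origin or too-specific announcement


def rov_policy(route: Route, vrps) -> tuple:
    """Typical deployment policy: reject Invalid, accept Valid and NotFound."""
    state = validate(route, vrps)
    return state, ("reject" if state == "Invalid" else "accept")


if __name__ == "__main__":
    for rt in (Route("192.0.2.0/24", 64496), Route("192.0.2.0/25", 64496),
               Route("192.0.2.0/24", 64500), Route("10.0.0.0/8", 64496)):
        print(rt.prefix, rt.origin_asn, rov_policy(rt, SAMPLE_VRPS))
```

Note that a less-specific announcement (for example 198.51.0.0/16) is NotFound rather than Invalid: a ROA only speaks to its own prefix and its more specifics, which is why operators generally reject only Invalid routes and continue to accept NotFound ones during partial deployment.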
ITL's High Assurance Domains (HAD) project aims to leverage NIST's previous successes in the development and deployment of Domain Name System Security Extensions (DNSSEC) to enable scalable solutions to other long-standing Internet security issues. In FY 2016 the project focused
HAD project staff also collaborated on the NCCoE DNS-Based Secured Email project (see https://nccoe.nist.gov/projects/building_blocks/secured_email), which tested, and produced detailed deployment guidance for, commercial implementations of DANE-based server-to-server security for email transport (TLSA records in the DNSSEC-signed zone binding a mail server's TLS certificate to its name, so that sending servers can authenticate it without relying on the public CA system).
ITL staff in the Advanced Distributed Denial of Service (DDoS) Mitigation Techniques project are working with the community to document and quantitatively characterize the applicability, effectiveness and impact of various approaches to filtering spoofed Internet Protocol (IP) traffic st
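The spoofed-traffic filtering approaches referred to above are source address validation at the network edge: BCP 38 ingress filtering and its router-implemented forms, strict and loose unicast reverse path forwarding (uRPF). The block below is an added example of that decision logic and is not NIST's code or measurement tooling. The interface names, per-interface prefix assignments and packet list are constructed, documentation prefixes stand in for customer address space (and are therefore deliberately absent from the martian list), and the martian list is an illustrative subset of RFC 6890 special-purpose ranges. Running the same packets through strict and loose mode shows the effectiveness difference between the two approaches: loose mode forwards a spoofed source that merely exists somewhere in the routing table.

```python
"""Source-address validation for spoofed-traffic filtering (BCP 38 / strict and loose uRPF)."""
from ipaddress import ip_address, ip_network

# Constructed: address space legitimately originated behind each customer-facing interface.
INTERFACE_PREFIXES = {
    "ge-0/0/1": [ip_network("192.0.2.0/24"), ip_network("2001:db8:1::/48")],
    "ge-0/0/2": [ip_network("198.51.100.0/24")],
}

# Illustrative subset of special-purpose ranges (RFC 6890) never valid as an Internet source.
MARTIANS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]


def _in_any(addr, nets) -> bool:
    """True when addr falls inside any network of the same address family."""
    return any(addr.version == n.version and addr in n for n in nets)


def check_source(src: str, iface: str, mode: str = "strict") -> str:
    """Verdict for a packet with source src arriving on iface: 'forward' or 'drop:<reason>'."""
    addr = ip_address(src)
    if _in_any(addr, MARTIANS):
        return "drop:martian"
    if iface not in INTERFACE_PREFIXES:
        return "drop:unknown-interface"
    if mode == "strict":
        # Strict uRPF / BCP 38: the source must belong to the space assigned to this interface.
        if _in_any(addr, INTERFACE_PREFIXES[iface]):
            return "forward"
        return "drop:not-routed-via-interface"
    # Loose uRPF: the source only has to be reachable via some interface (the FIB as a whole).
    # Weaker, but tolerates asymmetric routing; it will not catch a spoofed source that
    # belongs to another customer.
    fib = [n for nets in INTERFACE_PREFIXES.values() for n in nets]
    return "forward" if _in_any(addr, fib) else "drop:unreachable-source"


def filter_flow(packets, mode: str = "strict"):
    """Apply check_source to (src, iface) pairs; return per-packet verdicts and a count per verdict."""
    verdicts = [(src, iface, check_source(src, iface, mode)) for src, iface in packets]
    summary = {}
    for _, _, v in verdicts:
        summary[v] = summary.get(v, 0) + 1
    return verdicts, summary


# Constructed sample traffic.
SAMPLE_PACKETS = [
    ("192.0.2.10", "ge-0/0/1"),     # legitimate
    ("198.51.100.7", "ge-0/0/1"),   # spoofed: address belongs to the other customer
    ("203.0.113.9", "ge-0/0/2"),    # spoofed: address not assigned anywhere
    ("10.1.2.3", "ge-0/0/2"),       # martian: private space
    ("2001:db8:1::5", "ge-0/0/1"),  # legitimate IPv6
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        verdicts, summary = filter_flow(SAMPLE_PACKETS, mode)
        print(mode, summary)
        for src, iface, v in verdicts:
            print(f"  {src:16} {iface:9} {v}")
```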
In FY 2017, the major milestones for the Internet Infrastructure Program will include:
- Completing publication of IETF standards for BGP security, and increasing outreach and pilot deployment activities to foster commercial deployment of these technologies.
- Continuing to develop and mature DANE specifications and technologies for scalable key management in the Internet, and conducting research into their applicability to emerging problem domains such as authentication in consumer networks.
- Publishing NIST guidance on current DDoS mitigation techniques, and continuing to research and develop new approaches based upon emerging software-defined networking (SDN) technologies.