Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Summary

Internet Routing Infrastructure
We live in a network-centric society that increasingly relies on the Internet’s routing infrastructure to facilitate human communication, connect users to online services, interconnect distinct components of modern cloud computing systems, and enable devices to interact in the Internet of Things.     

 

As originally designed, the Internet’s routing infrastructure has systemic vulnerabilities that expose many critical systems to theft of service, loss of privacy, and wide-scale outages.  NIST is working with industry to design, standardize and foster deployment of technologies to improve the security and resilience of Internet Routing

 

Description

RIDR logo

Today’s global Internet is comprised of roughly 800,000 distinct destinations interconnected by 60,000 enterprise and Internet service provider (ISP) networks.   The Border Gateway Protocol (BGP) is the “glue” that enables the modern Internet, by exchanging reachability information about each destination among interconnected ISPs.  Each autonomous network uses BGP data, along with its own business policies, to compute the paths which user data will follow. 

BGP Hijacks steal and divert Internet traffic to attackers.
BGP Hijacks steal and divert Internet traffic to attackers.

As currently deployed, BGP lacks the ability to authentica te these global information exchanges and doesn’t provide means to detect and mitigate large-scale policy violations.  The result is ever-increasing occurrences of “BGP Hijacks” in which malicious parties falsely claim reachability to destinations to steal their traffic, or forge information about their paths to detour traffic along routes that facilitate other attacks on the communicating systems and the information they exchange.

In addition to malicious hijacks, common configuration errors often result in large-scale “BGP leaks” in which routing information is exchanged in violation of contracted business policies and engineered network capacity designs.  These leaks often result in wide-scale outages that affect entire national-scale communication infrastructures for hours.

Increasing vulnerability of Internet's Routing Infrastructure.
Credit: https://securityintelligence.com/bgp-internet-routing-what-are-the-threats/
Increasing vulnerability of Internet's Routing Infrastructure.

NIST, in collaboration with the Department of Homeland Security Science and Technology Directorate, is working closely with the internet industry to design, standardize and foster deployment of extensions to BGP to address these security and robustness issues.    

NIST staff are leading contributors to the development of Internet Engineering Task Force (IETF) specifications for  BGP protocol extensions to mitigate malicious attacks and route leaks.  NIST developed reference implementations, test systems, measurement tools, performance analyses and deployment guidance are serving as a catalyst for the emerging global deployment of these critical technologies.

Major Accomplishments

  • Summer 2018 – Project staff developed and employed scalable test tools to examine the scalability and robustness of emerging commercial implementations and production services for RPKI-based origin validation in support the NCCoE SIDR Project.
  • Spring 2018 – Project staff led IETF deliberations on the design and standardization of BGP route leak mitigation techniques and BGP-enabled DDoS mitigation techniques.
  • Fall 2017 – Project staff led IETF efforts to finalize BGPsec specifications and update NIST reference implementations to the final version of the specification.
  • Summer 2017 – Project staff and collaborators publish research on high-performance cryptography and optimization techniques to dramatically improve the performance of BGPsec implementations.
  • Fall 2016 – Project staff conducted on behalf of industry partners extensive performance / scaling analysis of emerging BGPsec prototype implementations.
  • Summer 2016 – Project staff lead industry outreach workshops with the North American Network Operators Group to examine the station of products and services for BGP origin validation based upon RPKI.
  • Spring 2016 – Project staff led the development of IETF specifications for Route Leak problem definition.
  • 2010 through 2015 – Project staff led the modeling and analysis activities in support of emerging IETF protocol designs for BGP security extensions.
  • 2006 through 2010 – Project conduct modeling and analysis of the problem space for BGP security, including modeling of large-scale attack scenarios and comparative analysis of BGP anomaly detection algorithms and other approaches that do not require changes to the existing routing system.

For further details on NIST accomplishments, contributions and impact, see Associated Products .

 

The fundamental design premise of the Internet is that it comprises the ubiquitous interconnection of many independent networks, owned and autonomously operated by distinct administrative domains (network operators, enterprises, hosted service providers).   The Border Gateway Protocol (BGP) was developed in the late 1980s to exchange routing information and compute routes between the networks that make up the Internet.   Over time, BGP has evolved into the fundamental “glue” that interconnects the commercial Internet. 

Today BGP supports a distributed control system spanning the globe, operating on millions of routers, interconnecting ~60,000 distinct administrative domains (known as Autonomous Systems (ASs)), and providing routing information to ~700,000 destination networks.   BGP was designed to address the prevailing business models of Internet Service Provider (ISP) interconnection by providing the means to support policy-based routing, selective information hiding, and inter-domain traffic engineering.   Today, ISPs employ extremely complex BGP policies and mechanisms to orchestrate information flow across the Internet.

BGP concerns

As the Internet has evolved, significant concerns have arisen about the security and robustness of the global BGP routing system.  These concerns fall into three broad categories:

  • Scale - The growth of the Internet has created serious scaling concerns for the global dynamics of BGP as a distributed control system.   The volume of BGP control traffic, the speed of system convergence, and stability of routes are issues with the current size of the Internet.  Internet growth projected for the near future (e.g., mobile networks, Internet of Things, virtualized networking and computing, support for newer Internet Protocols (IPv6)) raises concerns about the ability to continue to scale up current BGP technologies. 
  • Complexity – As features are added to BGP to support the implementation of complicated business and engineering policies and the overall scale of the system grows, our ability to understand, control, and optimize the behavior of the BGP system as a whole decrease.
    • Route Leaks,   the propagation of routing information beyond its intended policy scope, are one example of a serious robustness problem that arises from the complexity of the BGP routing system.
  • Security – BGP was originally designed in an era in which Internet security was not a significant concern.   As a result, the current BGP system is largely based on a model of mutual global trust and the legacy BGP protocol generally lacks any explicit mechanisms to protect itself from malicious attacks and damaging accidental misconfigurations.   While security concerns about BGP protocol have been recognized for many years, it is only recently that the general Internet community has come to fully understand the potential to:
    • Detour data traffic to eavesdrop, enable attacks on end-to-end security mechanisms, cause delays and/or disruption of traffic.  Detoured traffic eventually makes it to the intended destination, but not over the intended path.
    • Misdeliver data traffic to malicious endpoints.
    • Hijack address space through unauthorized BGP announcements to use as a launching pad for spam, cyber attacks, etc.
    • Deny service by “black-holing” entire networks so that others cannot reach them.
    • Cause routing instability by injecting spurious BGP messages into the system that affect global BGP stability/control algorithms.

Example BGP Incidents

The vulnerabilities of the BGP system are real and commonly observed in limited scale events [2]. It is fortunate that to date there haven’t been more focused and malicious attempts to exploit them.   Well documented events of increasing significance over the last decade have awakened the community to the real threat potential:

  • 2017 – The hijack of a large number of routes to US and global financial institutions by an ISP thought to have ties to the Russian government [3].
  • 2017 and 2016 – The use of BGP hijacking by Iranian state-owned telecom (TIC) to enforce censorship.  The hijacked routes spilled over into Russia and some Asian countries.  Apple iTunes service was also targeted and impacted [4].
  • 2015 – Large scale BGP hijacks by Bharti Airtel (in India) and acceptance and propagation of the hijacked routes by major global ISPs, resulting in widespread disruption affecting thousands of networks globally for over 10 hours [5].
  • 2014 – An elaborate scheme that operated for months to redirect traffic within the Bitcoin crypto-currency infrastructure so as to steal financial payments [6].
  • 2013 – Ongoing intentional BGP attacks that detour traffic destined for ~1,500 address blocks through routers in Belarus and Iceland [7].  Destinations subjected to this attack included banks, telephony providers, Government agencies, and foreign ministries.
  • 2010 – Incorrect announcement of 50,000 address blocks (15% of the entire Internet) by China Telecom causes traffic to be misrouted through China.   Falsely announced routes: 1) included networks in 170 countries, many US companies, and Government agencies and 2) the routes were widely accepted and used throughout the Internet, raising significant concern [8] [9].
  • 2008 – Researchers at DEFCON (a leading hacking convention) demonstrate stealthy BGP misrouting of commercial Internet traffic for purposes of eavesdropping [10].
  • 2008 – Pakistan Telecom purposely hijacks routes to deny service to YouTube in Pakistan [11].

Example BGP Hijack Attack
Example BGP route hijack attack scenario.

The most recent observed events confirm what has long been known in the research community: as originally designed and commercially deployed, the global BGP routing system has significant vulnerabilities.  If carefully exploited by malicious parties, BGP attacks are very difficult to detect, diagnose and mitigate, suggesting that many more exploits might be occurring that go unreported to the general community.  While the scale and duration of most attacks experienced to date have been limited, their impact on the global routing system indicates that broader, sustained attacks by a determined adversary might have catastrophic effects on the global Internet.

Technical Approach

The systemic vulnerabilities of the global BGP routing system have been the subject of concern for at least the last decade [12] [13].   Significant effort has been devoted within the research community to design and evaluate numerous approaches to improving the security and robustness of the BGP routing system [14] [15].

In 2003, the National Strategy to Secure Cyberspace [16] identified the need to secure the BGP routing system as a USG priority.  In response, the DHS Science and Technology Directorate and the NIST Information Technology Laboratory initiated collaborative efforts [17] [18] to work with the

Internet industry to design, standardize and foster deployment of security extensions for BGP.   Working within the Internet Engineering Task Force (IETF) Secure Inter-Domain Routing (SIDR) working group [19], DHS and NIST have collaborated with key industry players (e.g., Google, Cisco, Juniper, BBN Technologies, Verizon, Deutsche Telecom, Time Warner Cable, Neustar, Parsons and others) to develop technical specifications for protocol extensions and supporting infrastructures to add security protections to BGP.   The overall approach, known as Secure Inter-Domain Routing (SIDR), has three main components:

  • Resource Public Key Infrastructure (RPKI) – A global Resource Public Key Infrastructure [20] to enable third parties to cryptographically validate claims of ownership of Internet address blocks and AS numbers, and to permit such resource holders to declare routing relationships.   Route Origin Authorizations (ROAs) are RPKI signed objects that declare which ISPs (ASs) are authorized to announce a given block of IP addresses in BGP.  The RPKI is also used to store the router keying material necessary for full path validation (see below).
  • BGP Origin Validation (BGP-OV) – Protocol extensions and tools to allow BGP routers to use RPKI ROA information to detect and filter unauthorized BGP route announcements [21].  The techniques for BGP origin validation are designed so as to not modify the basic BGP protocol and not require routers to perform cryptographic operations.   Origin validation will deter simple route hijack attacks and misconfigurations such as those seen in the China Telecom, Bharti Airtel and Pakistan Telecom incidents above.
  • BGP PATH Validation (BGP-PV)– BGP protocol extensions to further leverage the RPKI to enable BGP routers to cryptographically verify the sequence of networks (AS PATH) that comprise a BGP route [22].  The techniques for full PATH validation do require changes to the BGP protocol and would require routers to perform additional cryptographic operations to create and validate digitally signed PATHS.  Full BGP PATH validation will deter more sophisticated and stealthy route detour attacks such as those discovered in 2013 and demonstrated at DEFCON in 2008.

The combination of RPKI, BGP-OV, and BGP-PV provide a complete solution to the routing vulnerabilities identified above and are based upon a common and verifiable global trust infrastructure.   While there are other research and commercial approaches to some aspects of this problem (e.g., detecting hijacks [23]), no other approach provides a viable basis for a global mitigation strategy.

Current Status – RPKI and Origin Validation

Substantial progress has been made in the IETF, Regional Internet Registry (RIR) and vendor communities to design and develop BGP security solutions.   Today, the components necessary to address the origin validation problem are commercially available.  All five global RIRs have operational RPKI infrastructures [24] and services in place and major router vendors have implemented mechanisms to support BGP-OV based upon RPKI data. Initial adoption of RPKI to create authorization data has been slow but steady (~7% of global BGP announcements are currently covered by ROAs [25]). RPKI adoption in Europe (~30% of its announced address space is currently covered by ROAs) and Latin America (~13% of its announced address space is currently covered by ROAs) is proceeding much faster than in North America (~3% of its announced address space is currently covered by ROAs). 

The adoption and use of RPKI data by network operators to actively filter spurious routes is harder to measure, but in general, is known to be lagging.  Questions remain to be answered about the robustness and manageability of emerging RPKI and BGP-OV products and services.   Other key barriers may not be strictly technical, as many ISPs and large enterprise users have questions about the economic, legal and policy issues that surround RPKI adoption and use.  More testing and subsequent guidance are necessary to assist major ISPs and enterprise networks to develop tactical adoption and operations plans and to initiate deployment to get beyond first-mover barriers in the industry.

NIST RPKI Deployment Monitor
NIST RPKI Deployment Monitor

Current Status – PATH Validation

The base specifications for full BGP path validation are nearly complete [26].  Initial commercial and research prototypes are under development [27] [28].   Because BGP-PV requires cryptographic processing to be added to routers, there are questions in the community about the performance impact that might have on existing equipment. Further performance analysis and strategic planning is necessary for router vendors to ensure that future products have the capabilities (processing, storage) necessary to support full BGP-PV. 

NIST Roles / Activities

NIST and DHS have been actively collaborating with the Internet industry to address the BGP security problem.  NIST activities to date include: threat and vulnerability analysis, test and evaluation of non-cryptographic robustness mechanisms, development of near-term BGP security guidance, modeling and analysis of BGP-PV design alternatives, development of open source reference implementations of BGP-OV and BGP-PV, development of SIDR testing tools and development of global SIDR measurement and monitoring techniques [18]. DHS activities to date include design and standardization of the RPKI infrastructure, development of open source RPKI management suite, standardization of BGP-OV and BGP-PV protocol extensions, and the development of open source SIDR management tools [28].

NIST Follow-on Activities

While NIST and DHS have led the design, development, and standardization of the SIDR suite of technologies, fostering wide-scale deployment in the public Internet will require future efforts to focus on technology transfer activities and practical barriers to adoption.  Ongoing and planned activities to foster wide-scale deployment include:    

  • Near-Term – Continue to work with North American Network Operators Group (NANOG) to foster awareness of SIDR technologies [29].  Develop a National Cybersecurity Center of Excellence (NCCoE) project to examine the detailed deployment issues for SIDR technologies [30].  Develop detailed deployment guidance and plans for USG adoption for RPKI and BGP-OV technologies [31].  Collaborate with the NSF to sponsor an analysis of the legal, policy and economic barriers to BGP-OV adoption.
  • Mid Term – Finalize standards for BGP-PV and address performance issues associated with its adoption [27].  Work with industry to develop plans to incorporate BGP-PV vendor platforms and network operating environments.
  • Long-Term – Identify other threats to the robustness of the global routing system and potential mitigation techniques.   Issues to include: BGP policy enforcement mechanisms (e.g., "route leaks"), new BGP mechanisms to facilitate DDoS mitigation, etc.  Initial research into the policy enforcement issues has begun under NIST leadership within the IETF [32].

Each class of activity will be conducted on a relatively short time frame with significant contributions possible in a 1-2 year time frame.


References

 

[1]

C. Timberg, "Net of Insecurity: The Long Life of a Quick 'Fix'," The Washington Post, 31 May 2015. [Online].  

[2]

BGPMon, "BGP Stream - free resource for receiving alerts about hijacks, leaks, and outages in the Border Gateway Protocol.," OpenDNS. [Online].  

[3]

D. Goodin, "Russian-controlled telecom hijacks financial services’ Internet traffic," Arstechnica 27 April 2017. [Online].  

[4]

D. Madory, "Iran Leaks Censorship via BGP Hijacks," Oracle+Dyn, January 2017. [Online].  

[5]

A. Toonk, "Large scale BGP hijack out of India," BGPMON, November 2015.[Online].  

[6]

J. Stewart, "BGP Hijacking for Cryptocurrency Profit," SecureWorks, 7 August 2014. [Online].  

[7]

K. Zetter, "Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet," Wired, 5 December 2013. [Online].  

[8]

N. Anderson, "How China swallowed 15% of ‘Net traffic for 18 minutes," Arstechnica, 17 November 2010. [Online].  

[9]

U.S.-CHINA ECONOMIC AND SECURITY REVIEW COMMISSION, "US-China Economic and Security Review Commission – 2010 Report to Congress.," [Online].

[10]

K. Zetter, "Revealed: The Internet’s Biggest Security Hole.," Wired, 26 August 2008. [Online]. 

[11]

RIPE NCC, "YouTube Hijacking: A RIPE NCC RIS case study.," RIPE Network Coordination Centre, 17 March 2008. [Online]. 

[12]

S. Murphy, "RFC4272: BGP Security Vulnerabilities Analysis," Internet Engineering Task Force (IETF), January 2006. [Online]. 

[13]

D. Montgomery and S. Murphy, "Toward Secure Routing Infrastructures," IEEE Security & Privacy, September 2006. [Online]. 

[14]

K. Butler, T. R. Farley, P. McDaniel and J. Rexford, "A Survey of BGP Security Issues and Solutions," January 2010. [Online]. 

[15]

G. Huston, M. Rossi and G. Armitage, "Securing BGP — A Literature Survey," IEEE Communications Society, Many 2010. [Online]. 

[16]

The Office of the President, "The National Strategy to Secure Cyberspace," Feb 2003. [Online]. 

[17]

Department of Homeland Security, "Secure Protocols for the Routing Infrastructure," DHS Science and Technology, Cyber Security Division, [Online]. 

[18]

NIST Information Technology Laboratory, "Internet Infrastructure Protection: Robust Inter-Domain Routing," [Online]. 

[19]

IETF, "IETF Secure Inter-Domain Working Group," Internet Engineering Task Force, [Online]. 

[20]

M. Lepinski and S. Kent, "RFC6480: An Infrastructure to Support Secure Internet Routing," February 2012. [Online]. 

[21]

P. Mohapatra, J. Scudder, D. Ward, R. Bush and R. Austein, "RFC6811: BGP Prefix Validation," Internet Engineering Task Force, January 2013. [Online]. 

[22]

M. Lepinski and S. Turner, "An Overview of BGPsec," Internet Engineering Task Force (IETF), [Online]. 

[23]

BGPMon, "BGPMon - BGP monitoring and alerting service.," OpenDNS, [Online]. 

[24]

Wikipedia, "Resource Public Key Infrastructure," [Online]. 

[25]

NIST Information Technology Laboratory, "NIST RPKI Deployment Monitor and Test System," June 2016. [Online]. 

[26]

M. Lipinski and K. Sriram, "BGPSec Protocol Specification," Internet Engineering Task Force, April 2017. [Online]. 

[27]

M. Adalier, K. Sriram, O. Borchert, K. Lee and D. Montgomery, "High Performance BGP Security: Algorithms and Architectures," North American Network Operators Group (NANOG 69), February 2017. [Online]. 

[28]

Parsons Inc., "Ensuring and Accelerating Routing Security (EARS)," [Online]. 

[29]

D. Montgomery and S. Murphy, " Practical BGP Origin Validation using RPKI: Vendor Support, Signing and Validation Services, and Operational Experience," North American Network Operators Group (NANOG 67), June 2016. [Online]. 

[30]

National Cybersecurity Center of Excellence, "Secure Inter-Domain Routing," May 2017. [Online]. 

[31]

National Institute of Standards and Technology, "Secure Inter-Domain Networking. Part 1: Routing," NIST Special Publication 800-189, To Appear.

[32]

K. Sriram, D. Montgomery, D. McPherson, E. Osterwell and B. Dickson, "RFC7908: Problem Definition and Classification of BGP Route Leaks," Internet Engineering Task Force, June 2016. [Online]. 


Created August 14, 2016, Updated October 23, 2019