Today’s global Internet comprises roughly 800,000 distinct destination address prefixes, reachable through some 60,000 enterprise and Internet service provider (ISP) networks. The Border Gateway Protocol (BGP) is the “glue” that holds the modern Internet together: it exchanges reachability information about each destination among the interconnected networks. Each autonomous network combines the BGP data it receives with its own business policies to compute the paths that user data will follow.
As currently deployed, BGP lacks the ability to authenticate these global information exchanges: a network receiving a route announcement cannot verify that the originating network is authorized to announce that destination, or that the advertised path is genuine. Nor does BGP provide means to detect and mitigate large-scale policy violations. The result is an ever-increasing number of “BGP hijacks”, in which malicious parties falsely claim reachability to destinations in order to steal their traffic, or forge information about their paths to detour traffic along routes that facilitate further attacks on the communicating systems and the information they exchange.
In addition to malicious hijacks, common configuration errors often result in large-scale “BGP route leaks”, in which routing announcements are propagated beyond their intended scope, in violation of contracted business policies and engineered network capacity. These leaks often cause wide-scale outages that affect entire national-scale communication infrastructures for hours.
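As an added illustration of the hijack cases described above (example code written for this page, not code from the original text or from NIST's own implementations), the following Python performs Route Origin Validation as specified in RFC 6811, the origin-authentication check that RPKI-based BGP extensions introduce, and applies it to constructed sample announcements: a legitimate origin, an origin hijack, an over-specific announcement, a prefix with no ROA, and a forged path that ends in the legitimate origin. The ROAs, AS numbers and announcements are made-up sample data built from documentation prefixes and private-use AS numbers; a real validator would obtain ROAs from RPKI cache servers rather than a list in the code.

```python
"""Route Origin Validation (RFC 6811) over constructed sample data.

This is an added example, not NIST's reference implementation. The ROAs and
announcements below are constructed from documentation prefixes (RFC 5737,
RFC 3849) and private-use AS numbers (RFC 6996); they are not real routing data.
"""
import ipaddress

# Constructed sample ROAs: (prefix, maxLength, authorized origin AS).
# Hypothetical AS64500 is authorized to originate 192.0.2.0/24 (and any
# more-specific down to /25) and 2001:db8::/32 (down to /48).
SAMPLE_ROAS = [
    ("192.0.2.0/24", 25, 64500),
    ("2001:db8::/32", 48, 64500),
]

# Constructed sample announcements: (prefix, AS_PATH). The origin is the last AS.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64496, 64500]),           # legitimate origin
    ("192.0.2.0/24", [64496, 64666]),           # origin hijack by AS64666
    ("192.0.2.0/26", [64496, 64500]),           # right origin, exceeds maxLength
    ("198.51.100.0/24", [64496, 64511]),        # no ROA covers this prefix
    ("192.0.2.0/24", [64496, 64666, 64500]),    # forged path ending in real origin
]


def covering_roas(prefix, roas):
    """Return the ROAs whose prefix covers the announced prefix (RFC 6811, sec. 2)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6 input, so check the version first.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((roa_net, max_len, asn))
    return covering


def validate_origin(prefix, origin_as, roas=SAMPLE_ROAS):
    """RFC 6811 validation state: 'valid', 'invalid' or 'not-found'.

    not-found: no ROA covers the prefix (RPKI says nothing about it).
    valid:     some covering ROA names this origin AS and the announced
               prefix length does not exceed that ROA's maxLength.
    invalid:   at least one ROA covers the prefix, but none matches.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    candidates = covering_roas(prefix, roas)
    if not candidates:
        return "not-found"
    for _roa_net, max_len, asn in candidates:
        if asn == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def classify(announcements, roas=SAMPLE_ROAS):
    """Validate each announcement's origin; returns (prefix, origin AS, state)."""
    return [(prefix, path[-1], validate_origin(prefix, path[-1], roas))
            for prefix, path in announcements]


def accept(state):
    """RFC 7115 operational guidance: drop 'invalid', accept 'valid' and 'not-found'."""
    return state != "invalid"


if __name__ == "__main__":
    for prefix, origin, state in classify(SAMPLE_ANNOUNCEMENTS):
        action = "accept" if accept(state) else "reject"
        print(f"{prefix:<18} origin AS{origin:<6} {state:<10} -> {action}")
```

The last sample announcement is the important caveat: a hijacker who appends the legitimate origin AS to a forged path passes origin validation, because ROV authenticates only the origin, not the path. Catching that case is what path validation (BGPsec) is for, and a route leak of a correctly originated prefix likewise passes ROV unchanged; those are the remaining gaps the BGP extensions discussed on this page are designed to close.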
NIST, in collaboration with the Department of Homeland Security Science and Technology Directorate, is working closely with the Internet industry to design, standardize and foster deployment of extensions to BGP that address these security and robustness issues.
NIST staff are leading contributors to the development of Internet Engineering Task Force (IETF) specifications for BGP protocol extensions that mitigate malicious attacks and route leaks. NIST-developed reference implementations, test systems, measurement tools, performance analyses and deployment guidance serve as a catalyst for the emerging global deployment of these critical technologies.