Skip to main content
U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock ( ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Summary

 

We live in a network-centric society that increasingly relies on the Internet’s routing infrastructure to facilitate human communication, connect users to online services, interconnect distinct components of modern cloud computing systems, and enable devices to interact in the Internet of Things (IoT).     

Internet Routing Infrastructure

As originally designed, the Internet’s routing infrastructure has systemic vulnerabilities that expose many critical systems to theft of service, loss of privacy, and wide-scale outages.  NIST is working with industry to design, standardize, and foster deployment of technologies to improve the security and resilience of Internet Routing

Description

Robust Inter-Domain Routing project info graphic

Today’s global Internet is comprised of roughly 800,000 distinct destinations interconnected by 60,000 enterprise and Internet Service Provider (ISP) networks.   The Border Gateway Protocol (BGP) is the “glue” that enables the modern Internet, by exchanging reachability information about each destination among interconnected ISPs.  Each autonomous network uses BGP data, along with its own business policies, to compute the paths which user data will follow. 

As currently deployed, BGP lacks the ability to authenticate these global information exchanges and doesn’t provide means to detect and mitigate large-scale policy violations.  The result is ever-increasing occurrences of “BGP Hijacks” in which malicious parties falsely claim reachability to destinations to steal their traffic, or forge information about their paths to detour traffic along routes that facilitate other attacks on the communicating systems and the information they exchange.

BGP Hijacks steal and divert Internet traffic to attackers.
BGP Hijacks steal and divert Internet traffic to attackers.

In addition to malicious hijacks, common configuration errors often result in large-scale “BGP leaks” in which routing information is exchanged in violation of contracted business policies and engineered network capacity designs.  These leaks often result in wide-scale outages that affect entire national-scale communication infrastructures for hours.

 

Bar graph of the number of internet route hijacks and leaks in 2019
Credit: https://bgpstream.com/

NIST, in collaboration with the Department of Homeland Security Science and Technology Directorate (DHS S&T), is working closely with the internet industry to design, standardize and foster deployment of extensions to BGP to address these security and robustness issues.    

NIST staff are leading contributors to the development of Internet Engineering Task Force (IETF) specifications for  BGP protocol extensions to mitigate malicious attacks and route leaks.  NIST developed reference implementations, test systems, measurement tools, performance analyses and deployment guidance are serving as a catalyst for the emerging global deployment of these critical technologies.

 

Major Accomplishments

  • Winter 2020 –  Project staff published comprehensive guidance for enterprises and ISPs addressing BGP Security and DDoS Mitigation techniques (NIST SP.800-189).
  • Winter 2020 - Project staff lead the design and standardization of techniques to enhance the utility of Reverse Path Filtering as a means to mitigate internet DDoS threats (RFC 8704).
  • Summer 2018 – Project staff developed and employed scalable test tools to examine the scalability and robustness of emerging commercial implementations and production services for RPKI-based origin validation in support the NCCoE SIDR Project.
  • Spring 2018 – Project staff led IETF design and standardization of BGP route leak mitigation techniques and BGP-enabled DDoS mitigation techniques.
  • Fall 2017 – Project staff led IETF efforts to finalize BGPsec standard specifications and update NIST reference implementations to the final version of the specification.
  • Summer 2017 – Project staff and collaborators publish research on high-performance cryptography and optimization techniques to dramatically improve the performance of BGPsec implementations.
  • Spring 2017 - Project staff release online system to test and measure global deployment of RPKI routing security infrastructure.
  • Fall 2016 – Project staff conducted on behalf of industry partners extensive performance / scaling analysis of emerging BGPsec prototype implementations.
  • Summer 2016 – Project staff lead industry outreach workshops with the North American Network Operators Group to examine the station of products and services for BGP origin validation based upon RPKI.
  • Spring 2016 – Project staff led the development of IETF specifications for Route Leak problem definition.
  • 2010 through 2015 – Project staff led the modeling and analysis activities in support of emerging IETF protocol designs for BGP security extensions.
  • 2006 through 2010 – Project conduct modeling and analysis of the problem space for BGP security, including modeling of large-scale attack scenarios and comparative analysis of BGP anomaly detection algorithms and other approaches that do not require changes to the existing routing system.
Created August 14, 2016, Updated September 3, 2020