The fundamental design premise of the Internet is that it is composed of the ubiquitous interconnection of many independent networks, owned and autonomously operated by distinct administrative domains (ISPs, enterprises, etc.). The Border Gateway Protocol (BGP) was developed in the late 1980s to exchange routing information and compute routes between the networks that comprise the Internet. Over time, BGP has evolved into the fundamental “glue” that enables the commercial Internet.
Today BGP is a live distributed control system spanning the globe, operating on millions of routers, interconnecting ~50K distinct administrative domains (known as Autonomous Systems (ASs) in BGP), and providing routing information to ~500K destination networks. BGP was designed to address the prevailing business models of ISP interconnection, providing the means to support policy-based routing, selective information hiding and inter-domain traffic engineering. Today, ISPs employ extremely complex BGP policies and mechanisms to orchestrate the macroscopic behaviors of information flows across the Internet.
As the scale, complexity and threat model of the global Internet have evolved, significant concerns have arisen about the robustness of the global BGP routing system. These concerns fall into three categories:
- Scale - The growth of the Internet has created serious scaling concerns for the global dynamics of BGP as a distributed control system. The volume of BGP control traffic, the speed of system convergence and the stability of routes are issues with the current size of the Internet. The additional Internet growth projected for the near future (e.g., mobile growth, Internet of things, virtualized networking and computing, support of IPv6) raises concerns about the ability to continue to scale up BGP deployment.
- Complexity – Related to the size problem is the issue of complexity. As more and more features are added to BGP to support implementation of complicated business and engineering policies and the overall scale of the system grows, our ability to understand and control the behavior of the BGP system as a whole decreases. Our diminishing ability to diagnose the underlying cause of routing failures and assure the stability of the global control system represents another long-term robustness concern.
- Security – BGP was originally designed in an era in which security was not a significant concern. As a result, the current BGP system is largely based on a model of mutual global trust and the BGP protocol generally lacks any explicit mechanisms to protect itself from malicious attacks and damaging accidental misconfigurations. While general security concerns about the BGP protocol have been recognized for ~10 years, it is only recently that the community has come to fully understand the full threat model, which includes the potential to:
  - Detour data traffic to eavesdrop, mount man-in-the-middle attacks on security mechanisms, cause delay and/or disrupt traffic. The traffic eventually makes it to the real destination, but not over the path you thought.
  - Misdeliver data traffic to malicious endpoints.
  - Hijack address space (both unallocated and allocated) to use as a launching pad for spam, attacks, etc.
  - Deny service by “black holing” entire networks so that others cannot reach them.
  - Cause routing instability by injecting bogus advertisements into the system that affect global BGP stability/control algorithms.
  - Overload the routing system by injecting a volume of updates that exhausts the processing power of a router’s control plane.
While the vulnerabilities of the BGP system are real, we have been lucky to date that there haven’t been more focused attempts to exploit them. A few recent events have awakened the community to the real threat potential:
- 2013/12 – Evidence has been found of on-going intentional BGP attacks that detour traffic destined for ~1,500 address blocks through routers in Belarus and Iceland[i]. Destinations subject to this attack include banks, telephony providers, Government agencies, and foreign ministries.
- 2010 – China Telecom incorrectly advertised 50,000 address blocks (15% of the entire Internet), causing traffic to be mis-routed to pass through China. The fact that the falsely advertised routes included networks in 170 countries and many US companies and Government agencies, and that the routes were widely accepted and used throughout the Internet, raised significant concern[ii] [iii].
- 2008 – Researchers at DEFCON demonstrate stealthy BGP misrouting of commercial Internet traffic for purposes of eavesdropping[iv].
- 2008 – Pakistan Telecom purposefully hijacks routes and denies service to YouTube[v].
The most recent observed events demonstrate what has long been suspected in the research community; as originally designed and commercially deployed, the global BGP routing system has significant vulnerabilities. What has also been realized is that if carefully exploited by malicious parties, BGP attacks are very difficult to detect and diagnose, leading many to suspect that many more exploits might be occurring that go unreported to the general community.
The systemic vulnerabilities of the global BGP routing system have been the subject of concern for the last decade [vi] [vii]. During this period significant effort has been devoted within the research community to design and evaluate numerous approaches to improving the security and robustness of the BGP routing system [viii] [ix].
In 2003, the National Strategy to Secure Cyberspace[x] identified the need to secure the BGP routing system as a USG priority. In response, the DHS Science and Technology Directorate and NIST Information Technology Laboratory initiated a collaborative effort to work with the Internet industry to design, standardize and foster deployment of security extensions for BGP. Working within the Internet Engineering Task Force (IETF) Secure Inter-Domain Routing (SIDR) working group[xi], DHS & NIST have collaborated with key industry players (e.g., Sparta, Google, Cisco, Juniper, BBN Technologies, Verizon, Deutsche Telekom, Time Warner Cable, and others) to develop technical specifications for protocol extensions and supporting infrastructures to add cryptographic protections to BGP. The overall approach, known as BGPSEC, has three main components:
- RPKI – A global Resource Public Key Infrastructure[xii] to enable 3rd parties to cryptographically validate claims of ownership of Internet address blocks and AS numbers, and to permit such resource holders to declare routing relationships. Route Origin Authorizations (ROAs) are RPKI signed objects that declare which ISPs (ASs) are authorized to advertise a given block of IP addresses in BGP.
- BGP Origin Validation – Protocol extensions and tools to allow BGP routers to use RPKI ROA information to detect and filter unauthorized BGP route announcements[xiii]. The techniques for BGP origin validation are designed so as to not modify the basic BGP protocol and not require routers to perform cryptographic operations. Origin validation will deter simple route hijack attacks and misconfigurations such as those seen in the China Telecom and Pakistan Telecom incidents above.
- BGP PATH Validation – BGP protocol extensions to further leverage the RPKI to enable BGP routers to cryptographically verify the sequence of networks (AS PATH) that comprise a BGP route[xiv]. The techniques for full PATH validation do require changes to the BGP protocol and would require routers to perform additional cryptographic operations to create and validate signed PATHS. Full BGP PATH validation will deter more sophisticated and stealthy route detour attacks such as those discovered in 2013 and demonstrated at DEFCON in 2008.
Substantial progress has been made in the IETF, Regional Internet Registry (RIR) and vendor community to design and develop BGP security solutions. Today, the components necessary for addressing the BGP origin validation problem are reasonably mature. All 5 RIRs have operational RPKI infrastructures[xv] in place and major router vendors[xvi] [xvii] have implemented mechanisms to support BGP origin validation based upon RPKI ROA data. At this stage, origin validation technology is ready for wide-scale deployment and operational evaluation. What is currently needed is for major ISPs and enterprise networks to develop tactical adoption and operations plans and to initiate deployment to get beyond first-mover barriers in the industry.
Designs[xviii] and specifications[xix] for full BGP path validation are relatively stable. Initial commercial and research prototypes are under development. Further strategic planning is necessary for router vendors to ensure that future products have the capabilities (processing, storage) necessary to support full BGPSEC. As initial implementations emerge, large distributed test and evaluation pilots need to be conducted to evaluate the impact and implications of full PATH validation on global BGP operations.
Finally, recent BGP security efforts have focused on two tractable aspects of the BGP vulnerability space: origin and path validation. Other aspects of the BGP protocol may require additional efforts to design and develop security extensions. Topics such as BGP policy enforcement, cryptographic protection of other protocol attributes, protection against BGP resource attacks, etc., have been discussed in the community. Further development of the threat scenarios and security requirements for such issues will focus and direct future standards development.
NIST Roles / Activities:
NIST has been actively collaborating with DHS and the Internet industry to address the BGP security problem. NIST activities include: threat and vulnerability analysis[xx], test and evaluation of non-cryptographic robustness mechanisms[xxi], development of near term security guidance[xxii], modeling and analysis of BGPSEC design alternatives, development of BGPSEC deployment guidance[xxiii], development of open source reference implementations[xxiv], development of BGPSEC testing tools[xxv], and development of global RPKI/BGPSEC measurement and monitoring techniques[xxvi].
Potential Follow on Activities:
Industry sectors and affinity groups interested in improving the robustness and security of the global BGP routing system should consider a range of activities that include:
- Near Term – Develop and execute guidance/plans to implement BGP origin validation and employ the RPKI to certify resources.
- Mid Term – Examine emerging standards for BGP path validation and develop plans to incorporate in vendor platforms and network operation environments.
- Long Term – Identify other threats to the robustness of the global routing system and potential mitigation techniques. Ideas to include: BGP policy enforcement mechanisms (e.g., "route leaks"), new BGP mechanisms to facilitate DDoS mitigation, etc.
Each class of activity could be conducted on a relatively short time frame with significant contributions possible in a 1-2 year time frame.
- [i] Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet. http://www.wired.com/threatlevel/2013/12/bgp-hijacking-belarus-iceland/
- [ii] China’s 18-Minute Mystery. http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml
- [iii] US-China Economic and Security Review Commission – 2010 Report to Congress. http://www.uscc.gov/Annual_Reports/2010-annual-report-congress
- [iv] Revealed: The Internet’s Biggest Security Hole. http://www.wired.com/threatlevel/2008/08/revealed-the-in/
- [v] YouTube Hijacking: A RIPE NCC RIS case study. http://www.ripe.net/news/study-youtube-hijacking.html
- [vii] Toward Secure Routing Infrastructures. http://www.computer.org/csdl/mags/sp/2006/05/j5084-abs.html
- [viii] A Survey of BGP Security Issues and Solutions. http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=5357585
- [ix] Securing BGP — A Literature Survey. http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5473881
- [x] National Strategy to Secure Cyberspace. http://www.dhs.gov/national-strategy-secure-cyberspace
- [xiv] An overview of BGPSEC. http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-overview/
- [xv] Resource Public Key Infrastructure. http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure
- [xvi] Cisco – BGP Origin AS Validation. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-origin-as.pdf
- [xvii] Juniper – Origin Validation for BGP. http://www.juniper.net/techpubs/en_US/junos12.2/topics/topic-map/bgp-origin-as-validation.html
- [xviii] An overview of BGPSEC. http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-overview/
- [xix] BGPSEC Protocol Specification. http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol/
- [xx] Study of BGP Peering Session Attacks and Their Impacts on Routing Performance. http://www.antd.nist.gov/bgp_security/publications/BGP_Security_Sriram_IEEE_JSAC.pdf
- [xxi] A Comparative Analysis of BGP Anomaly Detection and Robustness Algorithms. http://www.antd.nist.gov/bgp_security/publications/NIST_BGP_Robustness.pdf
- [xxii] Border Gateway Protocol Security Recommendations. http://csrc.nist.gov/publications/nistpubs/800-54/SP800-54.pdf
- [xxiii] Use Cases and Interpretation of RPKI Objects for Issuers and Relying Parties. http://tools.ietf.org/html/draft-ietf-sidr-usecases/