The fundamental design premise of the Internet is that it comprises the ubiquitous interconnection of many independent networks, owned and autonomously operated by distinct administrative domains (network operators, enterprises, hosted service providers). The Border Gateway Protocol (BGP) was developed in the late 1980s to exchange routing information and compute routes between the networks that make up the Internet. Over time, BGP has evolved into the fundamental “glue” that interconnects the commercial Internet.
Today BGP supports a distributed control system spanning the globe, operating on millions of routers, interconnecting ~60,000 distinct administrative domains (known as Autonomous Systems (ASs)), and providing routing information to ~700,000 destination networks. BGP was designed to address the prevailing business models of Internet Service Provider (ISP) interconnection by providing the means to support policy-based routing, selective information hiding, and inter-domain traffic engineering. Today, ISPs employ extremely complex BGP policies and mechanisms to orchestrate information flow across the Internet.
As the Internet has evolved, significant concerns have arisen about the security and robustness of the global BGP routing system. These concerns fall into three broad categories:
The vulnerabilities of the BGP system are real and commonly observed in limited-scale events [2]. It is fortunate that to date there haven’t been more focused and malicious attempts to exploit them. Well-documented events of increasing significance over the last decade have awakened the community to the real threat potential:
Example BGP route hijack attack scenario.
The most recent observed events confirm what has long been known in the research community: as originally designed and commercially deployed, the global BGP routing system has significant vulnerabilities. If carefully exploited by malicious parties, BGP attacks are very difficult to detect, diagnose and mitigate, suggesting that many more exploits might be occurring that go unreported to the general community. While the scale and duration of most attacks experienced to date have been limited, their impact on the global routing system indicates that broader, sustained attacks by a determined adversary might have catastrophic effects on the global Internet.
The systemic vulnerabilities of the global BGP routing system have been the subject of concern for at least the last decade [12] [13]. Significant effort has been devoted within the research community to design and evaluate numerous approaches to improving the security and robustness of the BGP routing system [14] [15].
In 2003, the National Strategy to Secure Cyberspace [16] identified the need to secure the BGP routing system as a USG priority. In response, the DHS Science and Technology Directorate and the NIST Information Technology Laboratory initiated collaborative efforts [17] [18] to work with the Internet industry to design, standardize and foster deployment of security extensions for BGP. Working within the Internet Engineering Task Force (IETF) Secure Inter-Domain Routing (SIDR) working group [19], DHS and NIST have collaborated with key industry players (e.g., Google, Cisco, Juniper, BBN Technologies, Verizon, Deutsche Telekom, Time Warner Cable, Neustar, Parsons and others) to develop technical specifications for protocol extensions and supporting infrastructures to add security protections to BGP. The overall approach, known as Secure Inter-Domain Routing (SIDR), has three main components:
The combination of RPKI, BGP-OV, and BGP-PV provides a complete solution to the routing vulnerabilities identified above and is based upon a common and verifiable global trust infrastructure. While there are other research and commercial approaches to some aspects of this problem (e.g., detecting hijacks [23]), no other approach provides a viable basis for a global mitigation strategy.
Substantial progress has been made in the IETF, Regional Internet Registry (RIR) and vendor communities to design and develop BGP security solutions. Today, the components necessary to address the origin validation problem are commercially available. All five global RIRs have operational RPKI infrastructures [24] and services in place and major router vendors have implemented mechanisms to support BGP-OV based upon RPKI data. Initial adoption of RPKI to create authorization data has been slow but steady (~7% of global BGP announcements are currently covered by ROAs [25]). RPKI adoption in Europe (~30% of its announced address space is currently covered by ROAs) and Latin America (~13% of its announced address space is currently covered by ROAs) is proceeding much faster than in North America (~3% of its announced address space is currently covered by ROAs).
The adoption and use of RPKI data by network operators to actively filter spurious routes is harder to measure, but in general, is known to be lagging. Questions remain to be answered about the robustness and manageability of emerging RPKI and BGP-OV products and services. Other key barriers may not be strictly technical, as many ISPs and large enterprise users have questions about the economic, legal and policy issues that surround RPKI adoption and use. More testing and subsequent guidance are necessary to assist major ISPs and enterprise networks to develop tactical adoption and operations plans and to initiate deployment to get beyond first-mover barriers in the industry.
The base specifications for full BGP path validation are nearly complete [26]. Initial commercial and research prototypes are under development [27] [28]. Because BGP-PV requires cryptographic processing to be added to routers, there are questions in the community about the performance impact that might have on existing equipment. Further performance analysis and strategic planning are necessary for router vendors to ensure that future products have the capabilities (processing, storage) necessary to support full BGP-PV.
NIST and DHS have been actively collaborating with the Internet industry to address the BGP security problem. NIST activities to date include: threat and vulnerability analysis, test and evaluation of non-cryptographic robustness mechanisms, development of near-term BGP security guidance, modeling and analysis of BGP-PV design alternatives, development of open source reference implementations of BGP-OV and BGP-PV, development of SIDR testing tools and development of global SIDR measurement and monitoring techniques [18]. DHS activities to date include design and standardization of the RPKI infrastructure, development of an open source RPKI management suite, standardization of BGP-OV and BGP-PV protocol extensions, and the development of open source SIDR management tools [28].
While NIST and DHS have led the design, development, and standardization of the SIDR suite of technologies, fostering wide-scale deployment in the public Internet will require future efforts to focus on technology transfer activities and practical barriers to adoption. Ongoing and planned activities to foster wide-scale deployment include:
Each class of activity will be conducted on a relatively short time frame with significant contributions possible in a 1-2 year time frame.
[1] C. Timberg, "Net of Insecurity: The Long Life of a Quick 'Fix'," The Washington Post, 31 May 2015. [Online].
[2] BGPMon, "BGP Stream - free resource for receiving alerts about hijacks, leaks, and outages in the Border Gateway Protocol," OpenDNS. [Online].
[3] D. Goodin, "Russian-controlled telecom hijacks financial services’ Internet traffic," Ars Technica, 27 April 2017. [Online].
[4] D. Madory, "Iran Leaks Censorship via BGP Hijacks," Oracle+Dyn, January 2017. [Online].
[5] A. Toonk, "Large scale BGP hijack out of India," BGPMON, November 2015. [Online].
[6] J. Stewart, "BGP Hijacking for Cryptocurrency Profit," SecureWorks, 7 August 2014. [Online].
[7] K. Zetter, "Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet," Wired, 5 December 2013. [Online].
[8] N. Anderson, "How China swallowed 15% of ‘Net traffic for 18 minutes," Ars Technica, 17 November 2010. [Online].
[9] U.S.-China Economic and Security Review Commission, "US-China Economic and Security Review Commission – 2010 Report to Congress," [Online].
[10] K. Zetter, "Revealed: The Internet’s Biggest Security Hole," Wired, 26 August 2008. [Online].
[11] RIPE NCC, "YouTube Hijacking: A RIPE NCC RIS case study," RIPE Network Coordination Centre, 17 March 2008. [Online].
[12] S. Murphy, "RFC4272: BGP Security Vulnerabilities Analysis," Internet Engineering Task Force (IETF), January 2006. [Online].
[13] D. Montgomery and S. Murphy, "Toward Secure Routing Infrastructures," IEEE Security & Privacy, September 2006. [Online].
[14] K. Butler, T. R. Farley, P. McDaniel and J. Rexford, "A Survey of BGP Security Issues and Solutions," January 2010. [Online].
[15] G. Huston, M. Rossi and G. Armitage, "Securing BGP — A Literature Survey," IEEE Communications Society, May 2010. [Online].
[16] The Office of the President, "The National Strategy to Secure Cyberspace," Feb 2003. [Online].
[17] Department of Homeland Security, "Secure Protocols for the Routing Infrastructure," DHS Science and Technology, Cyber Security Division, [Online].
[18] NIST Information Technology Laboratory, "Internet Infrastructure Protection: Robust Inter-Domain Routing," [Online].
[19] IETF, "IETF Secure Inter-Domain Working Group," Internet Engineering Task Force, [Online].
[20] M. Lepinski and S. Kent, "RFC6480: An Infrastructure to Support Secure Internet Routing," February 2012. [Online].
[21] P. Mohapatra, J. Scudder, D. Ward, R. Bush and R. Austein, "RFC6811: BGP Prefix Validation," Internet Engineering Task Force, January 2013. [Online].
[22] M. Lepinski and S. Turner, "An Overview of BGPsec," Internet Engineering Task Force (IETF), [Online].
[23] BGPMon, "BGPMon - BGP monitoring and alerting service," OpenDNS, [Online].
[24] Wikipedia, "Resource Public Key Infrastructure," [Online].
[25] NIST Information Technology Laboratory, "NIST RPKI Deployment Monitor and Test System," June 2016. [Online].
[26] M. Lepinski and K. Sriram, "BGPSec Protocol Specification," Internet Engineering Task Force, April 2017. [Online].
[27] M. Adalier, K. Sriram, O. Borchert, K. Lee and D. Montgomery, "High Performance BGP Security: Algorithms and Architectures," North American Network Operators Group (NANOG 69), February 2017. [Online].
[28] Parsons Inc., "Ensuring and Accelerating Routing Security (EARS)," [Online].
[29] D. Montgomery and S. Murphy, "Practical BGP Origin Validation using RPKI: Vendor Support, Signing and Validation Services, and Operational Experience," North American Network Operators Group (NANOG 67), June 2016. [Online].
[30] National Cybersecurity Center of Excellence, "Secure Inter-Domain Routing," May 2017. [Online].
[31] National Institute of Standards and Technology, "Secure Inter-Domain Networking. Part 1: Routing," NIST Special Publication 800-189, To Appear.
[32] K. Sriram, D. Montgomery, D. McPherson, E. Osterweil and B. Dickson, "RFC7908: Problem Definition and Classification of BGP Route Leaks," Internet Engineering Task Force, June 2016. [Online].