Technical Details

The fundamental design premise of the Internet is that it comprises the ubiquitous interconnection of many independent networks, owned and autonomously operated by distinct administrative domains (network operators, enterprises, hosted service providers).   The Border Gateway Protocol (BGP) was developed in the late 1980s to exchange routing information and compute routes between the networks that make up the Internet.   Over time, BGP has evolved into the fundamental “glue” that interconnects the commercial Internet. 

Today BGP supports a distributed control system spanning the globe, operating on millions of routers, interconnecting ~60,000 distinct administrative domains (known as Autonomous Systems (ASs)), and providing routing information to ~700,000 destination networks.   BGP was designed to address the prevailing business models of Internet Service Provider (ISP) interconnection by providing the means to support policy-based routing, selective information hiding, and inter-domain traffic engineering.   Today, ISPs employ extremely complex BGP policies and mechanisms to orchestrate information flow across the Internet.

BGP concerns

As the Internet has evolved, significant concerns have arisen about the security and robustness of the global BGP routing system.  These concerns fall into three broad categories:

• Scale - The growth of the Internet has created serious scaling concerns for the global dynamics of BGP as a distributed control system.   The volume of BGP control traffic, the speed of system convergence, and stability of routes are issues with the current size of the Internet.  Internet growth projected for the near future (e.g., mobile networks, Internet of Things, virtualized networking and computing, support for newer Internet Protocols (IPv6)) raises concerns about the ability to continue to scale up current BGP technologies. 
• Complexity – As features are added to BGP to support the implementation of complicated business and engineering policies and the overall scale of the system grows, our ability to understand, control, and optimize the behavior of the BGP system as a whole decrease.
  • Route Leaks,   the propagation of routing information beyond its intended policy scope, are one example of a serious robustness problem that arises from the complexity of the BGP routing system.
• Security – BGP was originally designed in an era in which Internet security was not a significant concern.   As a result, the current BGP system is largely based on a model of mutual global trust and the legacy BGP protocol generally lacks any explicit mechanisms to protect itself from malicious attacks and damaging accidental misconfigurations.   While security concerns about BGP protocol have been recognized for many years, it is only recently that the general Internet community has come to fully understand the potential to:
  • Detour data traffic to eavesdrop, enable attacks on end-to-end security mechanisms, cause delays and/or disruption of traffic.  Detoured traffic eventually makes it to the intended destination, but not over the intended path.
  • Misdeliver data traffic to malicious endpoints.
  • Hijack address space through unauthorized BGP announcements to use as a launching pad for spam, cyber attacks, etc.
  • Deny service by “black-holing” entire networks so that others cannot reach them.
  • Cause routing instability by injecting spurious BGP messages into the system that affect global BGP stability/control algorithms.

Example BGP Incidents

The vulnerabilities of the BGP system are real and commonly observed in limited scale events [2]. It is fortunate that to date there haven’t been more focused and malicious attempts to exploit them.   Well documented events of increasing significance over the last decade have awakened the community to the real threat potential:

• 2017 – The hijack of a large number of routes to US and global financial institutions by an ISP thought to have ties to the Russian government [3].
• 2017 and 2016 – The use of BGP hijacking by Iranian state-owned telecom (TIC) to enforce censorship.  The hijacked routes spilled over into Russia and some Asian countries.  Apple iTunes service was also targeted and impacted [4].
• 2015 – Large scale BGP hijacks by Bharti Airtel (in India) and acceptance and propagation of the hijacked routes by major global ISPs, resulting in widespread disruption affecting thousands of networks globally for over 10 hours [5].
• 2014 – An elaborate scheme that operated for months to redirect traffic within the Bitcoin crypto-currency infrastructure so as to steal financial payments [6].
• 2013 – Ongoing intentional BGP attacks that detour traffic destined for ~1,500 address blocks through routers in Belarus and Iceland [7].  Destinations subjected to this attack included banks, telephony providers, Government agencies, and foreign ministries.
• 2010 – Incorrect announcement of 50,000 address blocks (15% of the entire Internet) by China Telecom causes traffic to be misrouted through China.   Falsely announced routes: 1) included networks in 170 countries, many US companies, and Government agencies and 2) the routes were widely accepted and used throughout the Internet, raising significant concern [8] [9].
• 2008 – Researchers at DEFCON (a leading hacking convention) demonstrate stealthy BGP misrouting of commercial Internet traffic for purposes of eavesdropping [10].
• 2008 – Pakistan Telecom purposely hijacks routes to deny service to YouTube in Pakistan [11].

Example BGP route hijack attack scenario.

The most recent observed events confirm what has long been known in the research community: as originally designed and commercially deployed, the global BGP routing system has significant vulnerabilities.  If carefully exploited by malicious parties, BGP attacks are very difficult to detect, diagnose and mitigate, suggesting that many more exploits might be occurring that go unreported to the general community.  While the scale and duration of most attacks experienced to date have been limited, their impact on the global routing system indicates that broader, sustained attacks by a determined adversary might have catastrophic effects on the global Internet.

Technical Approach

The systemic vulnerabilities of the global BGP routing system have been the subject of concern for at least the last decade [12] [13].   Significant effort has been devoted within the research community to design and evaluate numerous approaches to improving the security and robustness of the BGP routing system [14] [15].

In 2003, the National Strategy to Secure Cyberspace [16] identified the need to secure the BGP routing system as a USG priority.  In response, the DHS Science and Technology Directorate and the NIST Information Technology Laboratory initiated collaborative efforts [17] [18] to work with the

Internet industry to design, standardize and foster deployment of security extensions for BGP.   Working within the Internet Engineering Task Force (IETF) Secure Inter-Domain Routing (SIDR) working group [19], DHS and NIST have collaborated with key industry players (e.g., Google, Cisco, Juniper, BBN Technologies, Verizon, Deutsche Telecom, Time Warner Cable, Neustar, Parsons and others) to develop technical specifications for protocol extensions and supporting infrastructures to add security protections to BGP.   The overall approach, known as Secure Inter-Domain Routing (SIDR), has three main components:

• Resource Public Key Infrastructure (RPKI) – A global Resource Public Key Infrastructure [20] to enable third parties to cryptographically validate claims of ownership of Internet address blocks and AS numbers, and to permit such resource holders to declare routing relationships.   Route Origin Authorizations (ROAs) are RPKI signed objects that declare which ISPs (ASs) are authorized to announce a given block of IP addresses in BGP.  The RPKI is also used to store the router keying material necessary for full path validation (see below).
• BGP Origin Validation (BGP-OV) – Protocol extensions and tools to allow BGP routers to use RPKI ROA information to detect and filter unauthorized BGP route announcements [21].  The techniques for BGP origin validation are designed so as to not modify the basic BGP protocol and not require routers to perform cryptographic operations.   Origin validation will deter simple route hijack attacks and misconfigurations such as those seen in the China Telecom, Bharti Airtel and Pakistan Telecom incidents above.
• BGP PATH Validation (BGP-PV)– BGP protocol extensions to further leverage the RPKI to enable BGP routers to cryptographically verify the sequence of networks (AS PATH) that comprise a BGP route [22].  The techniques for full PATH validation do require changes to the BGP protocol and would require routers to perform additional cryptographic operations to create and validate digitally signed PATHS.  Full BGP PATH validation will deter more sophisticated and stealthy route detour attacks such as those discovered in 2013 and demonstrated at DEFCON in 2008.

The combination of RPKI, BGP-OV, and BGP-PV provide a complete solution to the routing vulnerabilities identified above and are based upon a common and verifiable global trust infrastructure.   While there are other research and commercial approaches to some aspects of this problem (e.g., detecting hijacks [23]), no other approach provides a viable basis for a global mitigation strategy.

Current Status – RPKI and Origin Validation

Substantial progress has been made in the IETF, Regional Internet Registry (RIR) and vendor communities to design and develop BGP security solutions.   Today, the components necessary to address the origin validation problem are commercially available.  All five global RIRs have operational RPKI infrastructures [24] and services in place and major router vendors have implemented mechanisms to support BGP-OV based upon RPKI data. Initial adoption of RPKI to create authorization data has been slow but steady (~7% of global BGP announcements are currently covered by ROAs [25]). RPKI adoption in Europe (~30% of its announced address space is currently covered by ROAs) and Latin America (~13% of its announced address space is currently covered by ROAs) is proceeding much faster than in North America (~3% of its announced address space is currently covered by ROAs). 

The adoption and use of RPKI data by network operators to actively filter spurious routes is harder to measure, but in general, is known to be lagging.  Questions remain to be answered about the robustness and manageability of emerging RPKI and BGP-OV products and services.   Other key barriers may not be strictly technical, as many ISPs and large enterprise users have questions about the economic, legal and policy issues that surround RPKI adoption and use.  More testing and subsequent guidance are necessary to assist major ISPs and enterprise networks to develop tactical adoption and operations plans and to initiate deployment to get beyond first-mover barriers in the industry.

Current Status – PATH Validation

The base specifications for full BGP path validation are nearly complete [26].  Initial commercial and research prototypes are under development [27] [28].   Because BGP-PV requires cryptographic processing to be added to routers, there are questions in the community about the performance impact that might have on existing equipment. Further performance analysis and strategic planning is necessary for router vendors to ensure that future products have the capabilities (processing, storage) necessary to support full BGP-PV. 

NIST Roles / Activities

NIST and DHS have been actively collaborating with the Internet industry to address the BGP security problem.  NIST activities to date include: threat and vulnerability analysis, test and evaluation of non-cryptographic robustness mechanisms, development of near-term BGP security guidance, modeling and analysis of BGP-PV design alternatives, development of open source reference implementations of BGP-OV and BGP-PV, development of SIDR testing tools and development of global SIDR measurement and monitoring techniques [18]. DHS activities to date include design and standardization of the RPKI infrastructure, development of open source RPKI management suite, standardization of BGP-OV and BGP-PV protocol extensions, and the development of open source SIDR management tools [28].

NIST Follow-on Activities

While NIST and DHS have led the design, development, and standardization of the SIDR suite of technologies, fostering wide-scale deployment in the public Internet will require future efforts to focus on technology transfer activities and practical barriers to adoption.  Ongoing and planned activities to foster wide-scale deployment include:    

• Near-Term – Continue to work with North American Network Operators Group (NANOG) to foster awareness of SIDR technologies [29].  Develop a National Cybersecurity Center of Excellence (NCCoE) project to examine the detailed deployment issues for SIDR technologies [30].  Develop detailed deployment guidance and plans for USG adoption for RPKI and BGP-OV technologies [31].  Collaborate with the NSF to sponsor an analysis of the legal, policy and economic barriers to BGP-OV adoption.
• Mid Term – Finalize standards for BGP-PV and address performance issues associated with its adoption [27].  Work with industry to develop plans to incorporate BGP-PV vendor platforms and network operating environments.
• Long-Term – Identify other threats to the robustness of the global routing system and potential mitigation techniques.   Issues to include: BGP policy enforcement mechanisms (e.g., "route leaks"), new BGP mechanisms to facilitate DDoS mitigation, etc.  Initial research into the policy enforcement issues has begun under NIST leadership within the IETF [32].

Each class of activity will be conducted on a relatively short time frame with significant contributions possible in a 1-2 year time frame.

References