A Dangerous Network: The Border Gateway Protocol has been the primary routing technology for the internet for at least three decades. Like other fundamental internet protocols developed in the 1980s, BGP was not originally designed with security in mind – and it shows.
After numerous incidents related to traffic routing among different autonomous systems, the White House has decided to address the security issues of the Border Gateway Protocol. The US administration has tasked the White House Office of the National Cyber Director with developing a roadmap to enhance the security of routing procedures managed through BGP.
The venerable BGP is one of the most fundamental protocols that emerged alongside the modern internet, according to a White House press release. This standardized technology provides a practical way for over 70,000 independent networks or autonomous systems to collaborate and exchange data packets effectively. Cloud providers, internet service providers, universities, utilities, and even government agencies rely on BGP to connect the internet we know today.
However, traditional BGP practices do not mandate specific security measures to protect these critical routing procedures among ASes. Internet traffic can be, and has been, deliberately and maliciously diverted, providing cybercriminals or espionage agencies with a powerful tool to expose or steal personal information, disrupt critical transactions or infrastructure operations, and more.
Traffic routed over BGP has been hijacked and abused several times in recent years, which is why the White House now considers the protocol one of its top tech security priorities. The roadmap prepared by the Office of the National Cyber Director is designed to provide a “blueprint” for implementing robust security practices for BGP, including the adoption of the Resource Public Key Infrastructure (RPKI).
The White House describes RPKI as a mature, ready-to-implement approach for mitigating BGP security vulnerabilities. RPKI includes Route Origin Validation (ROV) and Route Origin Authorization (ROA), which work in tandem to verify the authority of a remote network announcing a traffic path and to check the authenticity of messages.
According to the ONCD’s roadmap, Europe currently leads the US in RPKI adoption, with 70 percent of BGP routes using ROA and ROV to secure routing traffic. The White House expects that by the end of the year, over 60 percent of all US federal agencies, or “the Federal government’s advertised IP space,” will be covered by Registration Service Agreements and will establish ROAs for federal networks.
The ONCD is also establishing a new partnership between public and private stakeholders to develop an additional framework for network operators to assess routing security effectively. The ultimate goal is to ensure that all entities operating within internet infrastructure adopt RPKI security measures comprehensively.