Bolstering the security of inter-domain routing

Published 1 June 2017


Since the creation of the internet, the Border Gateway Protocol (BGP) has been the default routing protocol to route traffic among organizations (Internet Service Providers [ISPs] and Autonomous Systems [ASes]). While the BGP protocol performs adequately in identifying viable paths that reflect local routing policies and preferences to destinations, the lack of built-in security allows the protocol to be exploited. As a result, attacks against internet routing functions are a significant and systemic threat to internet-based information systems.

The consequences of these attacks can: (1) deny access to internet services; (2) detour internet traffic to permit eavesdropping and to facilitate on-path attacks on endpoints (sites); (3) misdeliver internet network traffic to malicious endpoints; (4) undermine IP address-based reputation and filtering systems; and (5) cause routing instability in the internet.

NIST says that, to improve the security of inter-domain routing traffic exchange, it has begun development of a Special Publication (SP 800-189 – in preparation) that provides security recommendations for the use of inter-domain protocols and routing technologies. These recommendations aim to protect the integrity of internet traffic exchange. Implementing BGP Route Origin Validation (ROV) based upon the Resource Public Key Infrastructure (RPKI) can mitigate accidental and malicious attacks associated with route hijacking. The NCCoE understands that organizations and individuals have internet performance expectations, requirements, and the need to protect against malicious cyberattacks. It is expected that eventual wide-scale deployment of RPKI-based ROV will significantly enhance the overall security and robustness of the internet.
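As an added illustration (not part of the NIST or NCCoE material), the following Python sketch implements the route origin validation decision that RPKI-based ROV makes for each BGP announcement: a route is Valid only if a validated ROA covers its prefix with a matching origin AS and a maxLength no shorter than the announced prefix, Invalid if ROAs cover the prefix but none matches, and NotFound if no ROA covers it. The ROAs, prefixes and AS numbers below are constructed documentation values, not data from the page.

```python
# Added example: RPKI-based Route Origin Validation (the RFC 6811 decision)
# run over a constructed ROA set and constructed BGP announcements.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # prefix the holder authorizes, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the ROA allows to be announced
    origin_asn: int  # AS authorized to originate it (0 = nobody may)


def covers(roa: ROA, prefix: str) -> bool:
    """True if the announced prefix lies inside the ROA's prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    roa_net = ipaddress.ip_network(roa.prefix, strict=False)
    return net.version == roa_net.version and net.subnet_of(roa_net)


def validate_origin(prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not_found' for one announcement."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "not_found"  # no ROA speaks to this address space at all
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"        # covered, but no ROA matches origin and length


# Constructed ROA set (documentation prefixes, private-use ASNs).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("203.0.113.0/24", 24, 0),  # AS0 ROA: no AS may originate this
]

# Constructed announcements a router might receive from a peer.
SAMPLE = [
    ("192.0.2.0/24", 64496),      # legitimate holder         -> valid
    ("192.0.2.0/24", 64511),      # wrong origin AS           -> invalid
    ("198.51.100.0/25", 64497),   # more specific than maxLength -> invalid
    ("198.51.100.0/23", 64497),   # within maxLength          -> valid
    ("203.0.113.0/24", 64498),    # announced despite AS0 ROA -> invalid
    ("2001:db8::/32", 64496),     # no ROA covers it          -> not_found
]


def classify_announcements(announcements, roas=ROAS) -> dict:
    """Map each (prefix, origin AS) to its ROV state; 'invalid' is droppable."""
    return {(p, a): validate_origin(p, a, roas) for p, a in announcements}
```

A router applying ROV would reject or depreference the "invalid" routes; "not_found" routes are still accepted, which is why wide ROA coverage matters as much as router-side validation.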

This project will result in a NIST Cybersecurity Practice Guide—a publicly available description of the solution and practical steps needed to implement practices that effectively demonstrate the security and functionality of all components of ROV.

The NCCoE recently released a draft project description Secure Inter-Domain Routing: Route Hijacks.

The public comment period is open now and will close on 29 June 2017. Please submit your feedback.