White House Road Map Provides Guidance on BGP Internet Routing Security

A new federal road map on internet routing addresses a Border Gateway Protocol (BGP) vulnerability and provides tips on how to improve internet routing security.


Last week, the White House Office of the National Cyber Director (ONCD) unveiled a Road Map to Enhancing Internet Routing Security to provide guidance on how to address a security vulnerability related to the Border Gateway Protocol (BGP), which is a key part of how data flows across the internet.

BGP consists of rules on the best routes for information to be transmitted on the internet across private, public, corporate, and government networks. BGP operates using peers, which perform route discovery, route storage, and path selection. Entities that use BGP include cloud providers, internet service providers, universities, energy companies, and large enterprises.

When internet traffic gets improperly diverted, either intentionally or inadvertently, that could lead to theft, extortion, state-level espionage, and failure of critical infrastructure, the ONCD said.

“Securing BGP is essential to safeguarding the integrity of our digital infrastructure,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly said in a statement. “Through strong partnerships—both with industry and with government agencies—we can enhance the resilience of our internet routing, ensuring a secure and reliable internet for our nation.”

BGP predates the public internet, explains Will Townsend, vice president and principal analyst at Moor Insights & Strategy.

“As you might imagine, a lot has changed with respect to routing and connectivity, and bad actors continue to find new ways to exploit gaps,” Townsend tells Network Computing via email. “BGP was never designed with integrated security provisions and instead relies on implicit trust between networks.” 

As the internet has grown, bad actors have falsified BGP information, causing outages and sending data to the wrong destination, a practice known as route hijacking, the White House report said.

BGP Security Framework Proposed

The road map calls for network operators to adopt Resource Public Key Infrastructure (RPKI), a framework the Internet Engineering Task Force introduced in February 2012 that represents the allocation hierarchy of IP address space and autonomous system numbers. RPKI also includes a distributed repository system for storing and disseminating RPKI data objects.

The road map cites three challenges to RPKI adoption: a lack of a deep understanding of Internet-routing security risks and readily available technologies to fight them, competing engineering priorities and misaligned incentives among network operators, and administrative barriers as organizations try to contract with a regional Internet registry (RIR).

To adopt RPKI and guard against BGP hijacking, network operators will need a layered security approach, according to Townsend. He says that Open Shortest Path First (OSPF) is a more efficient protocol to counteract the shortcomings of BGP. OSPF is a link-state routing protocol in which routers or systems use a link-state database to calculate the shortest path spanning tree. The information is organized into a routing table by destination IP address.

The government predicts that registration service agreements (RSAs) will cover more than 60% of the federal government’s IP space by the end of 2024. This will lead to route origin authorizations (ROAs) for federal networks.

In its report, the Biden administration called on the Office of Management and Budget to develop guidance on how to implement ROAs quickly and align them with agency risk assessments.

The report also recommended that the National Institute of Standards and Technology (NIST) lead government efforts to research, standardize, and enable commercialization of BGP security and systems that can shore up BGP weak spots.

“NIST has a long history of working collaboratively with industry to design, measure, and standardize technologies that make internet protocols more resilient and secure,” NIST Director Laurie E. Locascio said in a statement. “This road map establishes a clear plan of action to expedite the adoption of current, commercially viable BGP security technologies while highlighting the need for further research and development of additional solutions.”

New Working Group on Internet Routing Security

In addition, the Biden administration will create a public-private working group to develop ways to implement the road map. The Internet Routing Security Working Group, under the Critical Infrastructure Partnership Advisory Council, will create a framework to assess risk and the application of routing security controls. The framework will outline how organizations should implement ROAs.

The road map report says the working group should create risk criteria and prioritize framework development. It should also develop a network service provider playbook for customers based on “diverse industry perspectives.”

In addition, the working group should deliver updates to the federal government on additional BGP security standards, research priorities, and international efforts to boost BGP security.

How to Implement the Road Map

The document outlines 18 steps to implement the road map, including risk-based planning and ROA publication. A ROA is a digitally signed certificate in which a network announces a block of internet space, like an IP address.

The government’s recommended steps include the following:

Risk-based planning: When organizations conduct cybersecurity risk assessments, they should address the security and resilience of internet routing, the report stated. This process includes taking inventory of all internet number resource holdings and identifying how autonomous systems connect to BGP routing information or IP data traffic.

ROA publication: Organizations should use an RIR to create and publish ROAs, the White House said.

Monitoring: Network operators should monitor their ROA data, threats, and outages, as well as evaluate the quality of their internet routing services.
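To make the inventory, ROA publication, and monitoring steps concrete, here is an added example (not from the road map or the original article) that checks an operator's own announcements against its ROAs using the route origin validation rules of RFC 6811. The prefixes and AS numbers are constructed from documentation ranges, and the function names are illustrative.

```python
import ipaddress
from typing import NamedTuple


class Roa(NamedTuple):
    prefix: str       # authorized address block
    max_length: int   # longest prefix length the origin may announce
    asn: int          # autonomous system authorized to originate it


def validate_origin(prefix, origin_asn, roas):
    """Classify one announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route only if the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # AS 0 in a ROA means no network may originate the prefix.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def audit(announcements, roas):
    """Map every (prefix, origin ASN) pair to its validation state."""
    return {(p, asn): validate_origin(p, asn, roas) for p, asn in announcements}


# Constructed sample data: documentation prefixes and AS numbers only.
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 24, 64497),
    Roa("2001:db8::/32", 48, 64496),
]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # matches its ROA
    ("198.51.100.0/24", 64496),  # ROA names a different origin AS
    ("192.0.2.128/25", 64496),   # more specific than the ROA's max length
    ("203.0.113.0/24", 64496),   # inventory gap: no ROA published yet
    ("2001:db8:1::/48", 64496),  # within the /32 and the max length
]

if __name__ == "__main__":
    for (prefix, asn), state in audit(ANNOUNCEMENTS, ROAS).items():
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

In this audit, "not-found" marks address space that still needs a ROA, while "invalid" marks an announcement that validating networks may drop, whether it comes from a misconfigured ROA or from an unexpected origin.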

To protect against BGP hacking and secure the internet routing ecosystem, Townsend advises that network operators consult trusted tech partners and spot vulnerabilities early using network visibility tools. He also recommends a zero-trust strategy for network management in which “nothing is implicitly trusted.”

About the Author

Brian T. Horowitz, Contributing Reporter

Brian T. Horowitz is a technology writer and editor based in New York City. He started his career at Computer Shopper in 1996 when the magazine was more than 900 pages per month. Since then, his work has appeared in outlets that include eWEEK, Fast Company, Fierce Healthcare, Forbes, Health Data Management, IEEE Spectrum, Men’s Fitness, PCMag, Scientific American and USA Weekend. Brian is a graduate of Hofstra University. Follow him on Twitter: @bthorowitz.
