It’s always a good idea to know who you’re talking to
A proposal for securing BGP – the protocol that lays out the traffic pathways of the internet – has a another backer: NIST, aka America’s National Institute for Standards and Technology.
The US government agency has issued a discussion paper outlining the use of Route Origin Validation ( ROV) to protect the notoriously all-too-trusting Border Gateway Protocol ( BGP) from route hijacking .
BGP, in a nutshell, allows the patchwork of large networks that make up the global internet announce to each other how to thread everyone’s connections through mazes of machines crisscrossing the planet until they reach their intended destinations.
The ancient protocol was written with the “good chaps theory” as one of its fundamental assumptions – since network operators knew each other in 1989, “good chaps” would never sabotage each others’ networks, mistakes were genuine gaffes, and you could phone someone who blundered and rerouted packets to the wrong machines.
It’s a cinch to hijack and intercept traffic to a stranger’s network, by announcing your network as the best route to reach them and then consuming the packets for yourself. Amazon Web Services was attacked in such a way this earlier this year, for example.
A 2013 proposed standard, RFC 6810, suggested using public-private cryptographic key pairs – specifically, Resource Public Key Infrastructure (RPKI) – to validate whether or not networks are allowed to make their BGP route announcements.
The NIST’s National Cybersecurity Center of Excellence, with a group of vendors, has forged that draft RPKI technology into what it this week called “proof-of-concept demonstrations” of BGP route origin verification, and is seeking comment on the designs by October 15.
The agency’s announcement of the consultation read: “This NIST Cybersecurity Practice Guide — Draft SP 1800-14, Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation — demonstrates how networks can protect BGP routes from vulnerability to route hijacks by using available security protocols, products, and tools to perform BGP ROV to reduce route hijacking threats.
“Our standards-based example solution uses commercially available products and can be used in whole or in part. It can also be used as a reference to help an organization design its own, custom solution.”
Cisco, Juniper Networks, Palo Alto Networks, AT&T, CenturyLink, Comcast, and the George Washington University in the US helped NIST prepare the paperwork.
It said ROV can cut the number of route hijacks, ensure traffic reaches its destination, help network operators decide what to do if another network isn’t using ROV, and trigger alerts when someone is advertising invalid routes.
BGP ROV certainly needs a boost: in June, research discussed in this APNIC blog post said adoption of the security measures was “bleak.” Researcher Andreas Reuter found just 40 or so network domains – specifically, autonomous systems – using route validation. ®
Sponsored: Following Bottomline’s journey to the Hybrid Cloud