The Internet operates on a fragile system of trust where everyone relies on everyone else to provide correct information about other machines. NIST is developing recommendations on how to secure BGP—the default protocol for routing on the Internet—to maintain that trust.
The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence released a discussion paper outlining how Route Origin Validation can shield the Border Gateway Protocol from route hijacking, where adversaries advertise a malicious route to send traffic to illegitimate servers and routers. ROV is a technique that can verify the authenticity of each pit stop between the sender of information and the receiver.
The Border Gateway Protocol is the default routing protocol used by routers to communicate with other routers about the best way to reach Internet domains. Organizations publish information about the fastest—most efficient—route to take to reach their network, and routers use BGP to find this information. If something goes wrong along that route, the router can publish alternate information so that traffic flow is not disrupted.
BGP was written under the assumption that no one would lie about the routes, so there’s no process for verifying the published announcements. If someone publishes incorrect route information, routers move traffic along that route. Users don’t know they are being sent to the wrong server, or that their information passed through hostile networks (or countries) that can eavesdrop on their activities.
“When the exchange of route information is inaccurate (either done maliciously or accidentally), traffic will either take inefficient paths through the internet, arrive at malicious sites that masquerade as legitimate destinations, or never arrive to its intended destination,” NIST’s NCCoE said. Earlier this year, users trying to reach their cryptocurrency wallets on MyEtherWallet.com wound up on a spoofed site on a Russian server after incorrect routing information was published. BGP route hijacking is relatively easy for attackers, which is why security experts have been working on ways to secure the BGP protocol.
The NIST Cybersecurity Practice Guide presents “proof-of-concept demonstrations” of how BGP Route Origin Validation (ROV) can be implemented with Resource Public Key Infrastructure (RPKI) to address erroneous network routes and keep them from being exchanged. RPKI was proposed in 2013 as RFC 6810 to use public-private cryptographic key pairs to validate whether or not networks are allowed to make their BGP route announcements.
Developed in cooperation with AT&T, CenturyLink, Cisco, Comcast, Juniper, Palo Alto Networks, and George Washington University, Draft SP 1800-14 outlines how ROV can cut the number of route hijacks, ensure traffic reaches its destination, help network operators decide what to do if another network isn't using ROV, and trigger alerts when someone is advertising invalid routes. While the need for securing BGP is well understood, adoption of security measures has lagged, with just 37 autonomous systems using route validation as of June this year.
“Our standards-based example solution uses commercially available products and can be used in whole or in part. It can also be used as a reference to help an organization design its own, custom solution,” NIST wrote.
The paper, Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation, is open for public comment until Oct. 15.