The White House on Tuesday outlined a plan for addressing internet routing security issues, particularly vulnerabilities associated with the Border Gateway Protocol (BGP).
BGP is the protocol used for exchanging routing information between autonomous systems (AS) on the internet. However, this critical component of the web was not created with security in mind and several potentially important vulnerabilities have come to light in the past years. They can enable threat actors to divert internet traffic, allowing them to cause disruption to critical infrastructure, obtain sensitive information, or conduct espionage.
And the risks associated with BGP are not only theoretical. In the real world, BGP issues have caused disruptions and threat actors have been known to abuse BGP, including in profit-driven campaigns.
The US government wants to help prevent such incidents and the White House Office of the National Cyber Director (ONCD) has now released a roadmap to enhance internet routing security, which focuses on improving BGP security, particularly through the adoption of Resource Public Key Infrastructure (RPKI).
The cybersecurity industry has long proposed RPKI as a solution for securing BGP routing and significant progress has been made over the past years.
RPKI has two main components: Route Origin Authorizations (ROA) and Route Origin Validation (ROV). A ROA is a signed certificate authorizing an AS to announce a specific IP block. ROV helps an AS avoid selecting invalid BGP announcements.
One important aspect when using RPKI is that an AS implementing ROA is meaningful only if other ASs implement ROV, which is why securing internet routing requires the participation of all stakeholders.
According to data cited by ONCD, the majority of BGP route originations on the global internet are ROV-valid and the percentage of traffic covered by ROAs has reached more than 70% globally.
Advertisement. Scroll to continue reading.
However, the United States is lagging in terms of ROA and ROV implementation, particularly due to some large networks, including ones of commercial providers and the government.
“If the low rate of ROA creation and adoption among these few but large network operators that hold a dominant share of North American address space were rectified, BGP security and resilience in the region would substantially improve,” the ONCD noted.
The proposed roadmap describes baseline actions for all network operators, some additional actions for network service providers, actions for the government in collaboration with the IT sector, as well as some policy actions that can be taken by the federal government.
The White House’s BGP security roadmap comes a few months after the FCC announced a proposal for broadband providers to create and implement plans to mitigate BGP security flaws.
Related: RIPE Account Hacking Leads to Major Internet Outage at Orange Spain
Related: BGP Flaw Can Be Exploited for Prolonged Internet Outages