
The White House reveals a strategy to enhance BGP security


After years of grappling with security issues surrounding the Border Gateway Protocol (BGP), the Biden administration recently unveiled a comprehensive plan aimed at enhancing the security of BGP routing.

The White House Office of the National Cyber Director (ONCD) took the spotlight on Tuesday by unveiling a roadmap that lays out various technical actions intended to address vulnerabilities within the BGP protocol. BGP, a foundational internet protocol that facilitates the exchange of routing and reachability information between autonomous systems (ASes), has been in existence since 1994. Despite its importance in managing network traffic, BGP was not originally designed with security in mind, resulting in a slew of security challenges, vulnerabilities, and implementation errors over the years that have led to widespread disruption and downtime globally.

One of the most pressing threats associated with BGP is BGP hijacking, where malicious actors redirect internet traffic away from its intended destination to destinations under their control. By announcing false routes for specific IP prefixes, threat actors can manipulate the routing tables of BGP routers, causing ASes to inadvertently reroute a substantial portion of network traffic to attacker-controlled networks.

A notable instance of BGP hijacking surfaced in 2018 when threat actors exploited a vulnerability to hijack AWS DNS traffic in a cryptocurrency-focused scheme. Users attempting to access MyEtherWallet were redirected to a malicious domain, leading to the theft of approximately $150,000 in cryptocurrency. Not all BGP routing issues are intentional: in another 2018 incident, a BGP misconfiguration at MainOne, an internet provider in Nigeria, inadvertently rerouted Google traffic through China and Russia, disrupting Google services for over an hour.

According to the ONCD’s roadmap, route hijacks pose significant risks such as exposure of personal information, theft, extortion, state-level espionage, disruption of security-critical transactions, and interference with critical infrastructure operations. While most BGP incidents are accidental, the potential threat posed by malicious actors has elevated the issue to a national security priority.

The ONCD roadmap highlights a series of recommendations and fundamental actions, with a pivotal focus on adopting Resource Public Key Infrastructure (RPKI) to enhance routing authentication. RPKI functions similarly to the Web PKI, in which digital certificates are used to authenticate HTTPS domains. Through Route Origin Authorizations (ROAs), prefix holders state which autonomous systems are authorized to originate specific IP prefixes, and the Route Origin Validation (ROV) mechanism lets BGP routers check received announcements against those authorizations and filter out invalid routing information.
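To make the ROA/ROV relationship concrete, here is an added example (not code from the ONCD roadmap or any vendor) that implements the origin-validation decision a router applies under ROV, following the RFC 6811 rules: an announcement is Valid if a covering ROA lists its origin AS and its prefix length is within the ROA's maximum length, Invalid if covering ROAs exist but none match, and NotFound if no ROA covers the prefix. The ROA set and the announcements are constructed sample data using documentation prefixes and private-use ASNs.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maximum allowed length, authorized origin ASN."""
    prefix: str
    max_length: int
    origin_asn: int

# Constructed sample ROA set (documentation prefixes, private-use ASNs); not real registry data.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),      # exact /24 only
    ROA("198.51.100.0/24", 25, 64497),   # /24 and /25 subnets allowed
    ROA("2001:db8::/32", 48, 64496),     # IPv6, up to /48
]

def covering_roas(announced_prefix, roas):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    ann = ip_network(announced_prefix, strict=True)
    found = []
    for roa in roas:
        net = ip_network(roa.prefix, strict=True)
        if net.version == ann.version and ann.subnet_of(net):
            found.append(roa)
    return found

def validate_origin(announced_prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: returns 'Valid', 'Invalid' or 'NotFound'."""
    ann = ip_network(announced_prefix, strict=True)
    candidates = covering_roas(announced_prefix, roas)
    if not candidates:
        return "NotFound"            # no ROA speaks for this prefix at all
    for roa in candidates:
        if roa.origin_asn == origin_asn and ann.prefixlen <= roa.max_length:
            return "Valid"           # authorized origin and length within maxLength
    return "Invalid"                 # covered by ROAs, but none authorizes this origin/length

def rov_filter(announcements, roas=ROAS):
    """Apply the common ROV policy: drop Invalid routes, keep Valid and NotFound."""
    kept = []
    for prefix, asn in announcements:
        if validate_origin(prefix, asn, roas) != "Invalid":
            kept.append((prefix, asn))
    return kept
```

Note that a NotFound result is kept by the filter, which is why the roadmap's push for publishing ROAs matters: ROV can only reject what a ROA lets it judge.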

Introduced by the Internet Engineering Task Force in 2012, the RPKI framework has garnered support from major tech corporations and internet service providers like Google, AWS, and Cloudflare. Despite an uptick in RPKI-validated routes in recent years, the ONCD noted a significant disparity in RPKI adoption between North America and Europe, with the latter boasting approximately 70% of all traffic with ROAs checked through ROV.

The roadmap acknowledges several obstacles to RPKI adoption in the U.S., including a larger pool of internet address resources compared to other regions, a lack of awareness among decision-makers regarding BGP security and RPKI, as well as limited funding and misaligned incentives for network operators.

To spur adoption, the ONCD has outlined baseline actions for all network operators, encompassing the formulation and maintenance of a cybersecurity risk management plan with short- and long-term BGP security measures, the creation and publication of ROAs in public RPKI repositories hosted by regional internet registries, and the monitoring of ROA data status alongside potential BGP security threats, outages, and disruptions.

Additionally, network service providers are encouraged to implement ROV filtering for their organizations and smaller client networks, furnish tools and guidance to aid customers in creating ROAs, and disclose their routing security practices publicly.

In response to the ONCD roadmap, Cloudflare commended the initiative and expressed optimism that the federal government’s efforts will boost RPKI adoption. Cloudflare underscored the importance of implementing the outlined actions to advance routing security, stressing the need for continued progress in this realm.

The unveiling of the ONCD roadmap marks a significant stride towards fortifying BGP routing security in the face of mounting challenges and threats. As stakeholders across the internet landscape embrace these recommendations and take proactive measures, the resilience and security of BGP routing stand to improve, safeguarding critical network infrastructure and data exchanges against malicious attacks and inadvertent disruptions.
