CyberSecurity SEE

White House Reveals Plan to Address BGP Issues

The recent unveiling of the White House’s plan to tackle internet routing security issues, specifically focusing on vulnerabilities within the Border Gateway Protocol (BGP), has garnered attention and support from various sectors. The Roadmap to Enhancing Internet Routing Security, released by the White House Office of the National Cyber Director (ONCD) as part of the broader National Cybersecurity Strategy Implementation Plan, aims to fortify the fundamental infrastructure of the Internet against potential threats and intrusions.

The Border Gateway Protocol (BGP), which serves as the backbone for routing information on the Internet, has been a prime target for malicious actors looking to divert traffic, disrupt critical services, intercept sensitive data, or conduct espionage. One of the main vulnerabilities of BGP lies in its lack of mechanisms to authenticate the legitimacy of route announcements and network paths, allowing for the manipulation of traffic flow through compromised networks. Over the years, several vulnerabilities within BGP have been exposed, highlighting the urgency for enhanced security measures.

Instances of BGP mishaps are not uncommon, as demonstrated by past incidents such as Microsoft’s accidental publication of erroneous route information leading to service disruptions in 2023, and a small internet service provider inadvertently becoming the preferred route to reach Cloudflare in 2019. More troubling incidents include China Telecom rerouting a significant portion of global traffic through its servers in 2010, and threat actors hijacking DNS traffic from Amazon Web Services to steal cryptocurrency from MyEtherWallet users in 2018.

In response to these threats, the ONCD has advocated for the adoption of Resource Public Key Infrastructure (RPKI) as a means to bolster BGP security. The proposed roadmap delineates essential actions for network operators, service providers, and governmental entities, including the development of cybersecurity risk management plans and the implementation of RPKI components within their networks.

The initiative to improve BGP security has also garnered support from the Federal Communications Commission (FCC), which recently proposed measures for broadband providers to address BGP vulnerabilities and enhance their security protocols. RPKI’s two core components, Route Origin Authorizations and Route Origin Validation, play a crucial role in preventing unauthorized traffic rerouting. By certifying network announcements and validating route origins, RPKI helps filter out invalid BGP announcements and ensures the integrity of network paths.
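The Route Origin Validation check described above, sketched as an added example (not code from the article or from any RPKI validator). It follows the valid / invalid / not-found classification of RFC 6811; the ROAs, prefixes and AS numbers are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest prefix length the holder authorizes
    asn: int            # AS authorized to originate the prefix

def roa(prefix, max_length, asn):
    return ROA(ipaddress.ip_network(prefix), max_length, asn)

# Constructed sample ROAs (documentation prefixes and AS numbers).
ROAS = [
    roa("192.0.2.0/24", 24, 64496),
    roa("2001:db8::/32", 48, 64500),
    roa("198.51.100.0/24", 24, 0),   # AS0: prefix must not be routed at all
]

def validate_origin(route_prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for r in roas:
        if r.prefix.version != route.version or not route.subnet_of(r.prefix):
            continue                      # this ROA does not cover the route
        covered = True
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    # Covered by a ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def filter_announcements(announcements, roas=ROAS):
    """Drop 'invalid' routes; keeping 'not-found' is this example's policy."""
    return [a for a in announcements if validate_origin(*a, roas) != "invalid"]

if __name__ == "__main__":
    sample = [                            # constructed announcements
        ("192.0.2.0/24", 64496),          # authorized origin
        ("192.0.2.0/24", 64511),          # origin AS not authorized
        ("192.0.2.128/25", 64496),        # more specific than maxLength
        ("2001:db8:1::/48", 64500),       # within maxLength
        ("203.0.113.0/24", 64497),        # no covering ROA
    ]
    for prefix, asn in sample:
        print(f"{prefix:20} AS{asn}: {validate_origin(prefix, asn)}")
    print("accepted:", filter_announcements(sample))
```

A prefix with no covering ROA comes back as not-found rather than invalid, which is why unsigned address space gains no protection from validation alone.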

While progress has been made in RPKI adoption globally, there remains room for improvement, especially among large networks in the United States. Data from NIST’s RPKI Monitor has revealed that only 39% of IP prefixes originated by US networks currently possess valid Route Origin Authorizations, indicating a need for wider deployment of RPKI. The ONCD aims to increase federal government participation in RPKI adoption, with a target of 60% of advertised IP space covered by Registration Service Agreements by the year’s end.

To expedite RPKI adoption and strengthen BGP security further, policy changes are recommended, such as requiring government contractors and service providers to implement RPKI. Grant programs could also incentivize recipients to integrate routing security measures into their projects. Cloudflare has urged network operators to sign Route Origin Authorization records and perform Route Origin Validation to enhance their networks’ security. Non-network operators can verify their Internet service provider’s BGP security status through isbgpsafeyet.com.

In conclusion, the concerted efforts by the White House, ONCD, FCC, and industry stakeholders to address BGP vulnerabilities and enhance internet routing security signify a crucial step towards safeguarding the integrity and reliability of the digital infrastructure. By promoting the widespread adoption of RPKI and implementing stringent security measures, stakeholders aim to create a more resilient and secure cyberspace for all users.