The White House Office of the National Cyber Director (ONCD) has released a strategic plan aimed at addressing critical security vulnerabilities in the Internet’s fundamental routing protocol, Border Gateway Protocol (BGP).
BGP is well-known for configuration mistakes that can lead to significant, albeit temporary, disruptions across the Internet. It is also frequently exploited in attacks that intentionally reroute data traffic.
“The basic design of BGP does not meet the security and resilience needs of the current internet environment,” states the published roadmap fact sheet.
“The risk of extensive interference with internet infrastructure, whether unintentional or intentional, poses a concern for national security,” the document continues.
This has been known for decades. The TLDR of the Roadmap to Enhancing Internet Routing Security is that the ONCD wants federal agencies and network operators to expedite the adoption of a public key cryptography scheme, Resource Public Key Infrastructure (RPKI).
The roadmap follows a May recommendation from the US Federal Communications Commission (FCC) that nine large US ISPs be required to file reports detailing their progress in enhancing BGP security.
Clearly, the technical pace is quickening. But why has it taken so long to address BGP’s failings, and will the latest initiative do the trick?
In 1989 — the same year British computer scientist Tim Berners-Lee gave the world HTML, hyperlinking, and the web — two IBM engineers concocted BGP during their lunch break on the back of napkins (thus earning it the nickname the “two napkin protocol”).
In both cases, security was not a significant design concern at the outset, which is why there has been a continuous effort ever since to retrofit it into both the web and BGP.
Over the years, the security of BGP has evolved from being an afterthought to a major issue that remains largely unknown to the general Internet-using population.
BGP is essential for the Internet’s functionality, enabling data packets to navigate through the vast network of interconnected systems to reach their intended targets.
This process is intricate, necessitating the ability to handle multiple paths to a destination (to manage issues like traffic congestion) and employing algorithms that allow routers to select the most efficient route at any given time.
When BGP functions correctly, it goes unnoticed. However, when it fails, the results can be swiftly catastrophic, typically due to errors rather than malintent.
For instance, in January 2023, Microsoft inadvertently disrupted its own services due to a BGP misconfiguration.
Similarly, in June 2019, a minor ISP in Pennsylvania accidentally began “advertising” BGP routes that purportedly offered optimal connectivity to Amazon and Cloudflare services. This led to a massive traffic overload, with the small ISP becoming a major traffic choke point.
The situation persisted, with routers continuing to push traffic down the overloaded path, until the error was recognized. Ironically, this mishap was facilitated by a routing optimizer tool that was supposed to prevent such issues.
The underlying issue with BGP is that it has no built-in way to confirm whether a network is authorized to announce a given block of addresses. Newer methods such as RPKI-enabled Route Origin Authorization (ROA) and Route Origin Validation (ROV) have been developed to tackle this problem. A ROA is a signed statement that a given autonomous system may originate a given prefix; ROV checks each received announcement against the published ROAs before the route is accepted, which significantly reduces the chances of route hijacking through malicious advertisements. Although these technologies have their own shortcomings, they are generally accepted as a positive initial approach. However, as is typical of Internet governance bodies, action can be slow to follow, even with directives from higher authorities like the White House.
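To make the ROA/ROV check concrete, here is an added example (not from the roadmap, and not any router vendor's implementation) of the RFC 6811 origin-validation decision: a route is "valid" if some covering ROA names its origin AS and permits its prefix length, "invalid" if covering ROAs exist but none match, and "not-found" if no ROA covers it. The ROAs, prefixes and AS numbers below are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, longest permitted length, origin AS."""
    prefix: str       # e.g. "203.0.113.0/24"
    max_length: int   # most specific announcement this ROA authorises
    origin_as: int


# Constructed sample ROAs using documentation prefixes (RFC 5737) and
# documentation AS numbers (RFC 5398); not real registry data.
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64498),
]


def covers(roa: ROA, route) -> bool:
    """True if the ROA's prefix contains the announced route prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == route.version and route.subnet_of(roa_net)


def validate_origin(prefix: str, origin_as: int, roas=SAMPLE_ROAS) -> str:
    """RFC 6811 Route Origin Validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "not-found"          # no ROA speaks to this prefix at all
    for r in covering:
        if r.origin_as == origin_as and route.prefixlen <= r.max_length:
            return "valid"          # authorised origin and permitted length
    return "invalid"                # wrong origin AS or too-specific prefix


def accept_route(prefix: str, origin_as: int, roas=SAMPLE_ROAS) -> bool:
    """Common operator policy: drop RPKI-invalid routes, keep valid and not-found."""
    return validate_origin(prefix, origin_as, roas) != "invalid"
```

Note that a more-specific announcement beyond the ROA's maxLength is rejected even when it comes from the authorised AS, which is what blocks the classic "/25 hijack" of a /24.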
The Office of the National Cyber Director indicated an expectation that by year’s end, 60% of the IP space advertised by the US Federal government will be protected under the Registration Service Agreements necessary for implementing Route Origin Authorizations.
Despite these advances, there are various hurdles identified in the roadmap that could impede the long-term overhaul of BGP. One major concern is that the disadvantages of its insecurities often do not directly impact service providers, who see little financial incentive to invest in such upgrades. Additionally, some providers might need to replace or upgrade their routers to support ROV.
In response, the National Cyber Director’s office suggests that ISPs should conduct audits to assess the technical impact of implementing ROA and ROV on their systems, and include BGP security within their overall cybersecurity risk evaluations.
The extensive guidelines cover various aspects, including how Internet Service Providers (ISPs) should formulate contracts concerning IP transit and related infrastructure. The overarching message stresses the importance of ISPs monitoring their Border Gateway Protocol (BGP) setups for both quality and security threats, shifting the responsibility from external parties.
All individuals in the ISP sector should meticulously review the recommendations on Route Origin Authorization (ROA) and Route Origin Validation (ROV) as outlined in the roadmap. For major ISPs, adopting these practices is considered crucial.
An interview with Kieren McCarthy, a seasoned internet expert and former journalist, conducted by Network World revealed his positive outlook on the Office of National Cyber Director’s (ONCD) efforts to promote broader adoption. Nevertheless, he expressed concerns about the U.S. government’s independent initiatives, including the formation of a new, yet-to-be-disclosed working group.
“The internet remains a global network, and the US government should put its money where its mouth is and support the international multi-stakeholder model for developing solutions to internet problems,” he added.
He noted that the roadmap was complementary to existing groups such as the Mutually Agreed Norms for Routing Security (MANRS), a global initiative with the same aim of mitigating routing security threats.
“I wonder why they felt the need to develop their own approach?” said McCarthy. “That gripe aside, the White House roadmap is a good thing.”
Since its creation in 2021, the ONCD has acquired a reputation for forcefulness. Earlier this year, a separate report recommended that developers reduce the likelihood of cyberattacks by abandoning vulnerable programming languages such as C and C++.