BGP Route Origin Validation (ROV): Important Step Towards Securing Internet’s Routing Infrastructure

This post is also available in: עברית (Hebrew)

The internet is essential to the exchange of all manner of information. It is not a single network, but rather is a complex grid of independent interconnected networks. The design of the internet is based on a trust relationship between these networks and relies on a protocol known as the Border Gateway Protocol (BGP) to route traffic among the various networks worldwide.

Work that started last October on securing the protocol that binds the Internet together is finally yielding results. The National Cybersecurity Center of Excellence (NCCoE) at the US National Institute for Standards and Technology (NIST) published the first draft of a security standard that will secure the BGP.

BGP is the protocol that Internet Service Providers (ISPs) and enterprises use to exchange route information between them. Unfortunately, BGP was not designed with security in mind. Traffic typically traverses multiple networks to get from its source to its destination.

Networks trust the BGP information they receive from their neighbors, and the lack of security makes BGP vulnerable to route hijacks. A route hijack attack can deny access to Internet services, misdeliver traffic to malicious endpoints and cause routing instability.

A technique known as BGP Route Origin Validation (ROV) is designed to protect against route hijacking, in which the assailants advertise a malicious route, sending traffic to illegitimate servers, routers, or both.

The NCCoE has developed proof-of-concept demonstrations of BGP ROV implementation designed to improve the security of the Internet’s routing infrastructure. This NIST Cybersecurity Practice Guide demonstrates how networks can protect BGP routes from vulnerability to route hijacks by using available security protocols, products, and tools to perform BGP ROV to reduce route hijacking threats, according to csrc.nist.gov.

from: https://i-hls.com/archives/85500

Date Published: August 2018
Comments Due: October 15, 2018
Email Comments to: sidr-nccoe@nist.gov

Author(s)

William Haag (NIST), Douglas Montgomery (NIST), Allen Tan (MITRE), William Barker (Dakota Consulting)

Announcement

It is difficult to overstate the importance of the internet to modern business and society in general. The internet is not a single network, but rather a complex grid of independent interconnected networks that relies on a protocol known as Border Gateway Protocol (BGP) to route traffic to its intended destination.

Unfortunately, BGP was not designed with security in mind and a route hijack attack can deny access to internet services, misdeliver traffic to malicious endpoints, and cause routing instability. A technique known as BGP route origin validation (ROV) is designed to protect against route hijacking.

The NCCoE, together with several technology vendors, has developed proof-of-concept demonstrations of BGP ROV implementation designed to improve the security of the internet’s routing infrastructure.

This cybersecurity practice guide contains step-by-step example solutions using commercially available technologies. By implementing the example solutions, organizations can better secure the safe delivery of internet traffic to its intended destination, reduce the number of outages due to BGP route hijacks, and make more informed decisions regarding routes that may be compromised.

Abstract

The Border Gateway Protocol (BGP) is the default routing protocol to route traffic among internet domains. While BGP performs adequately in identifying viable paths that reflect local routing policies and preferences to destinations, the lack of built-in security allows the protocol to be exploited by route hijacking. Route hijacking occurs when an entity accidentally or maliciously alters an intended route. Such attacks can (1) deny access to internet services, (2) detour internet traffic to permit eavesdropping and to facilitate on-path attacks on end points (sites), (3) misdeliver internet network traffic to malicious end points, (4) undermine internet protocol (IP) address-based reputation and filtering systems, and (5) cause routing instability in the internet. This document describes a security platform that demonstrates how to improve the security of inter-domain routing traffic exchange. The platform provides route origin validation (ROV) by using the Resource Public Key Infrastructure (RPKI) in a manner that mitigates some misconfigurations and malicious attacks associated with route hijacking. The example solutions and architectures presented here are based upon standards-based, open-source, and commercially available products.

Keywords

AS; autonomous systems; BGP; Border Gateway Protocol; DDoS; denial-of-service (DoS) attacks; internet service provider; ISP; Regional Internet Registry; Resource Public Key Infrastructure; RIR; ROA; route hijack; route origin authorization; route origin validation; routing domain; ROV; RPKI

The NCCoE recently released a draft of the NIST Special Publication (SP) 1800-14 Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation and is requesting your feedback. The project’s public comment period will close on October 15, 2018.

For ease of use, the guide is available in volumes:

SP 1800-14A: Executive Summary (PDF)
SP 1800-14B: Approach, Architecture, and Security Characteristics (PDF)
SP 1800-14C: How-To Guides (PDF)

Or download the complete guide (PDF). [a local copy is HERE]

If you have questions or suggestions, please email us at sidr-nccoe@nist.gov