White House unveils plan to improve BGP security

After years of security issues and growing concerns about Border Gateway Protocol, the Biden Administration announced a plan to improve BGP routing.

The White House Office of the National Cyber Director (ONCD) on Tuesday announced a roadmap to improve BGP security through a series of technical actions designed to reduce vulnerabilities in the protocol. BGP is a core internet protocol that manages network traffic by exchanging routing and reachability information between autonomous systems (ASes).

BGP was initially published 1994 and has become a staple of the internet since that time. However, the communication protocol was not developed with internet security in mind, and over the years BGP has been plagued by security issues, vulnerabilities and implementation errors that have caused significant disruption and downtime across the globe.

One primary threat is BGP hijacking, in which threat actors reroute internet traffic from intended destinations to malicious ones. Attacks can simply have an AS that announces a false route for a set of IP prefixes, and if the announcement isn't monitored or filtered properly, it can lead to corrupted routing tables for BGP routers. As a result, a significant amount of network traffic could be automatically rerouted by ASes to malicious domains.

A notable example of BGP hijacking occurred in 2018, when threat actors hijacked AWS DNS traffic in a cryptocurrency-focused scheme. The attackers rerouted users of MyEtherWallet from the company's website to a malicious domain and stole approximately $150,000 in cryptocurrency. BGP routing issues can also be caused by accident; for example, in 2018 Google services were disrupted for more than an hour after a BGP misconfiguration at MainOne, an internet provider in Nigeria, rerouted Google traffic through China and Russia.

"Route hijacks can expose personal information; enable theft, extortion and state-level espionage; disrupt security-critical transactions; and disrupt critical infrastructure operations," the ONCD roadmap said. "While most BGP incidents are accidental, the concern over malicious actors has elevated this issue to a national security priority."

The ONCD roadmap outlines several recommendations and baseline actions, starting with the adoption of resource public key infrastructure (RPKI) to bolster authentication for routing. RPKI is similar to web PKI, where digital certificates are produced and used to authenticate HTTPS domains. With RPKI, Route Origin Authorizations (ROAs) are certificates that authorize a network to announce a specific block of IP prefixes, while the Route Origin Validation (ROV) process allows BGP routers to check the ROAs and filter out routing announcements that are invalid.

The RPKI framework was first introduced by the Internet Engineering Task Force in 2012 and has been supported by major technology companies and internet providers, including Google, AWS and Cloudflare. While RPKI-validated routes have increased in recent years, the ONCD roadmap noted that adoption of the framework in North America is significantly lower than in Europe, where approximately 70% of all traffic has ROAs and is checked through ROV.

The roadmap acknowledged several challenges to RPKI adoption in the U.S., including more internet address resources than other countries and regions, a lack of understanding among decisions makers about BGP security and the RPKI framework, and limited funding and "misaligned incentives" for network operators.

To help increase adoption, the ONCD outlined baseline actions for all network operators, which includes the development and maintenance of a cybersecurity risk management plan that includes short- and long-term BGP security measures; creating and publishing ROAs for public RPKI repositories hosted by their regional internet registry; and monitoring the status of their ROA data as well as potential BGP security threats, outages and disruptions.

For network service providers, the ONCD recommended they deploy ROV filtering for their own organizations as well as smaller client networks; provide tools and guidance to help customers create ROAs; and publicly disclose their routing security practices.

In a blog post, Cloudflare lauded the ONCD roadmap and hoped the federal government's effort would increase adoption of the RPKI framework.

"The new roadmap is an important step in outlining actions that can be taken today to improve routing security," Cloudflare said. "But as the roadmap itself recognizes, there's more work to be done both in making sure that the steps are implemented, and that we continue to push routing security forward."

Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.