Isn't it about time we secured BGP?



Border Gateway Protocol, or ‘BGP’ as it is more often called, has been a staple of internet routing since the heady days of 1989, when TCP was finally getting into its stride and the internet as we know it was in its infancy.

BGP enables routers to determine the most efficient paths for data to travel across networks, to ensure scalability and efficiency. The protocol allows network backbone providers to announce routes across networks and is the primary routing protocol used to exchange routing information between different autonomous systems on the internet. The trouble is that, like many things to do with the internet, it was never really designed to be secure, and this leads to all kinds of problems, as we shall see.

BGP has been abused multiple times since Al Gore claims to have invented the Internet. Joking aside, it was actually Vint Cerf and Bob Kahn who are credited with that accomplishment, but BGP has suffered some pretty high-profile attacks that have caused outages or, even more alarmingly, routed traffic through a specific country, one known for its prolific cyber espionage practices.

In 2008, a Pakistani ISP wanted to block access to YouTube within Pakistan but accidentally announced a BGP route that led to all of YouTube’s global traffic being redirected through Pakistan. This caused a worldwide outage of YouTube for several hours, although YouTube has probably never been faster in Pakistan before or since.

Then in 2010, China Telecom “accidentally” advertised incorrect BGP routes that caused a significant amount of global internet traffic, including that of U.S. government and military sites, to be routed through China. Naturally, neither the US government nor the Department of Defense was very happy about that little so-called “error”, especially considering that, at the time, not all government network traffic was being encrypted.

More recently, in 2018, cybercriminals hijacked BGP routes for Amazon’s Route 53 DNS service to redirect traffic intended for MyEtherWallet, a popular cryptocurrency wallet service, to a malicious server owned by the perpetrators. The attackers then stole users' cryptocurrency by tricking them into entering their credentials on the fake site.

The White House naturally has been considering options to replace or upgrade BGP with an improved authentication scheme to remove opportunities for abuse and cybercrime, including any cyber espionage that nation states may be considering. Its proposed solution is the Resource Public Key Infrastructure (RPKI), a security framework designed to enhance the security of BGP by providing a way to cryptographically verify the ownership of IP address blocks and the authorization of networks to announce specific routes.

To that end, the White House has released a guidance document, a proposed roadmap to enhance internet routing security, describing ways of improving upon BGP. This includes the adoption of new technologies including RPKI. As a government press release stated today, “these recommendations are of particular importance to the networks used by critical infrastructure owners and operators, state and local governments, and any organization dependent on internet access for purposes that the entity considers to be of high value.”

The press release went on to say that “by the end of the year, it is expected that over 60% of the Federal government’s advertised IP space will be covered by Registration Service Agreements (RSA), paving the way to establish Route Origin Authorizations (ROA) for Federal networks.”
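To make concrete what a ROA buys a network once it exists, here is an added example (not code from the article or the roadmap) of the route origin validation logic from RFC 6811 that a router or RPKI validator applies to each announcement: a ROA states which origin AS may announce a prefix and how far it may be split, and an announcement is marked valid, invalid or not-found accordingly. The ROAs, prefixes and AS numbers below are constructed for illustration; the Pakistan-style more-specific announcement and the wrong-origin announcement both come out invalid, which is what lets a validating router drop them.

```python
# Route Origin Validation (RFC 6811) against a small set of ROAs.
# Added example, not code from the original article; the ROAs, prefixes
# and AS numbers are constructed for illustration, not real registry data.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """The holder of `prefix` authorises `origin_as` to announce it,
    and any more-specific prefix no longer than `max_length`."""
    prefix: str
    max_length: int
    origin_as: int

    def covers(self, route) -> bool:
        """True if the announced prefix lies inside this ROA's prefix."""
        roa_net = ip_network(self.prefix)
        return roa_net.version == route.version and route.subnet_of(roa_net)

    def matches(self, route, origin_as: int) -> bool:
        """Covering ROA whose origin AS and max length both allow the route."""
        return (self.covers(route) and self.origin_as == origin_as
                and route.prefixlen <= self.max_length)


def validate_origin(prefix: str, origin_as: int, roas: list) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found'.
    not-found: no ROA covers the prefix (address space with no ROA yet).
    valid:     some covering ROA matches the origin AS and max length.
    invalid:   covering ROAs exist but none match, i.e. a wrong origin AS
               or a more-specific than authorised, the shape of a hijack.
    """
    route = ip_network(prefix)
    covering = [r for r in roas if r.covers(route)]
    if not covering:
        return "not-found"
    if any(r.matches(route, origin_as) for r in covering):
        return "valid"
    return "invalid"


# Constructed ROAs: AS 64500 may announce 192.0.2.0/24 or split it to /25;
# AS 64501 may announce 2001:db8::/32 down to /48.
SAMPLE_ROAS = [ROA("192.0.2.0/24", 25, 64500), ROA("2001:db8::/32", 48, 64501)]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/26", 64500),
                     ("192.0.2.0/24", 64666), ("198.51.100.0/24", 64500)]:
        print(pfx, asn, "->", validate_origin(pfx, asn, SAMPLE_ROAS))
```

In production the ROA set comes from a validator that has checked the RPKI certificate chain, and the router receives it over RPKI-to-Router; the not-found result is why coverage percentages like the one quoted above matter, since unsigned space cannot be protected.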

The White House is obviously taking the risks of major BGP attacks very seriously and is looking to protect against these apparent threats immediately.

“Internet security is too important to ignore which is why the Federal government is leading by example by pushing for a rapid increase in adoption of BGP security measures by our agencies,” said White House National Cyber Director Harry Coker, Jr. “ONCD, along with our public and private sector partners, are guiding a risk-informed path forward towards our communal objective. We aim for this roadmap to mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans.”

The full roadmap can be read or downloaded in PDF here.

