Last week, the White House Office of the National Cyber Director (ONCD) released the Roadmap to Enhancing Internet Routing Security, which aims to address vulnerabilities in the Border Gateway Protocol (BGP).
What is the Border Gateway Protocol (BGP)?
Let’s say that you’re in Germany and you want to connect to destcert.com. The Internet is made up of many independent networks that are in a constant state of flux. To get to destcert.com, you need to traverse these various networks, ideally in an efficient manner. The Border Gateway Protocol (BGP) is a key component of how this is accomplished, working to share routing information between these independent networks, helping to deliver traffic along the best path to the destination.
To get a little more technical, the Internet is made up of tens of thousands of autonomous systems (ASes), which are interconnected networks that are operated independently. These can include:
- Mobile wireless networks
- Residential broadband networks
- Content distribution networks
- Cloud service networks
- Critical infrastructure networks
Each of these autonomous systems (ASes) uses the Border Gateway Protocol (BGP) to share routing information dynamically with the other autonomous systems it connects to. Border routers within each AS typically use BGP to connect with routers in another AS. BGP announces destination addresses that the routers can reach directly, as well as destinations that can be reached by traversing neighboring networks. It also allows routers to receive announcements from neighboring networks of possible paths toward remote destinations. Routers use BGP to select the best path to a given destination.
BGP announcements include destination address prefixes, as well as attributes (such as the autonomous system path) that describe the networks traffic must traverse to reach each destination. However, BGP is an old protocol, and its original design lacks built-in resiliency and security: a router has no standard way to verify that an announcement it receives is legitimate.
What threats does the Border Gateway Protocol (BGP) face?
Common threats to BGP include:
- Route leaks – Involve networks announcing routes beyond their intended scope, violating the routing policies or business agreements of the networks involved, which can lead to significant routing outages.
- Prefix hijacks – Involve networks sending out unauthorized or fraudulent announcements for address prefixes they do not hold, which can result in traffic being delivered to the wrong destination.
- Path hijacks – Involve networks modifying BGP attributes like the autonomous system path, which directs traffic across unintended routes.
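As an added illustration of the first two threats above (not code from the original post or from ONCD), the following Python models the two checks an operator can run against announcements: an origin check that compares the announcing AS and prefix length with an authorisation record (modelled loosely on what an RPKI ROA records), and an export check that flags a route learned from a peer or provider being passed on to another peer or provider (the classic route leak). All ASNs, prefixes and relationships are constructed sample values.

```python
import ipaddress

# Constructed authorisation records (hypothetical private-range ASNs, documentation
# prefixes): prefix -> (authorised origin AS, longest prefix length it may be announced at).
AUTHORISED = {
    "203.0.113.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 24),
}

def origin_check(prefix, as_path, authorised=AUTHORISED):
    """Prefix-hijack check: the origin AS is the last entry of the AS path.
    Returns 'valid', 'invalid' (wrong origin or too-specific prefix, which
    would win longest-prefix matching) or 'unknown' (no record covers it)."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for auth_prefix, (auth_origin, max_len) in authorised.items():
        if net.subnet_of(ipaddress.ip_network(auth_prefix)):
            ok = origin == auth_origin and net.prefixlen <= max_len
            return "valid" if ok else "invalid"
    return "unknown"

def may_export(learned_from, export_to):
    """Route-leak check for one network's own policy: a route learned from a
    customer may be sent to anyone; a route learned from a peer or provider
    may only be passed on to customers."""
    if learned_from == "customer":
        return True
    return export_to == "customer"

def audit(announcements):
    """Run both checks over a list of announcements; returns (prefix, origin verdict, leaked)."""
    findings = []
    for a in announcements:
        verdict = origin_check(a["prefix"], a["as_path"])
        leaked = not may_export(a["learned_from"], a["export_to"])
        findings.append((a["prefix"], verdict, leaked))
    return findings

# Constructed announcements as a router might log them (hypothetical values).
SAMPLE = [
    {"prefix": "203.0.113.0/24", "as_path": [64502, 64500], "learned_from": "customer", "export_to": "peer"},
    {"prefix": "203.0.113.0/25", "as_path": [64503, 64500], "learned_from": "peer", "export_to": "customer"},
    {"prefix": "198.51.100.0/24", "as_path": [64504, 64509], "learned_from": "peer", "export_to": "provider"},
    {"prefix": "192.0.2.0/24", "as_path": [64505], "learned_from": "provider", "export_to": "customer"},
]

if __name__ == "__main__":
    for prefix, verdict, leaked in audit(SAMPLE):
        print(f"{prefix:18} origin={verdict:8} leak={'yes' if leaked else 'no'}")
```

The second sample is a more-specific announcement from the right origin but beyond the allowed length, and the third combines a wrong origin with a peer-to-provider re-announcement; both are flagged.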
Advanced attacks can use BGP to compromise other systems, including public key infrastructure (PKI), Domain Name System (DNS), and other protocols we rely on for security. Ultimately, the vulnerabilities in BGP can play a role in malware distribution, theft, the compromise of sensitive data, and other attacks.
These are serious issues because BGP plays such an important role in the core functioning of the Internet. Next week, we will discuss some of the potential solutions to the vulnerabilities in BGP.