Last week, we discussed some of the security issues in the Border Gateway Protocol (BGP). This week, we’re going to look at how to fix them. As a quick recap, the Border Gateway Protocol is a protocol that border routers use to announce destination addresses that can be reached directly, to announce destinations that can be reached via neighboring networks, and to receive announcements from neighboring networks regarding potential paths to a given destination. This helps us to navigate through the many networks that make up the Internet. Through BGP, routers can find the best path to a destination.
However, BGP is an old protocol that was designed without a high degree of security and resiliency, which opens up the door for:
- Route leaks – Networks leaking routes in a way that violates business practices.
- Prefix hijacks – Networks sending out fraudulent announcements, resulting in traffic being delivered to the incorrect destination.
- Path hijacks – Networks modifying BGP attributes to direct traffic via unintended routes.
These threats can ultimately lead to a range of severe security compromises.
How can we secure the Border Gateway Protocol (BGP)?
The White House Office of the National Cyber Director (ONCD) has released a roadmap with plans on how we can mitigate some of the security issues stemming from the Border Gateway Protocol (BGP). A major component of securing BGP involves having network operators implement the Resource Public Key Infrastructure (RPKI).
The RPKI is basically just a public key infrastructure (PKI) for the Autonomous System Numbers that are used to route traffic across the Internet. It is similar to how the PKI allows us to authenticate the identity of entities on the Internet so that we can securely send them encrypted information. Just like the PKI, RPKI also uses X.509 certificates for verification.
One of the central issues of BGP is that attackers can announce prefixes that they do not control, which can lead to traffic being routed incorrectly. When the RPKI is implemented, an autonomous system (AS—these are the separate networks that make up the Internet) can protect the IP prefixes that it owns by digitally signing Route Origin Authorization (ROA) records. Other parties can check these digital signatures to verify whether the AS is the true owner of the IP prefixes. If the verification fails, they know not to trust them, because they may be malicious. The process of verifying ROA records is known as Route Origin Validation (ROV).
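To make the ROV step concrete, here is an added example (not code from the ONCD roadmap or from any router implementation) that classifies announcements against ROA data following the origin-validation rules of RFC 6811, which go slightly beyond the description above by including the ROA's maximum prefix length and the three outcomes valid, invalid and not-found. It assumes the ROA signatures have already been verified, and the prefixes and AS numbers are constructed from the ranges reserved for documentation.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: what is left of a ROA once its signature checks out."""
    prefix: str      # IP prefix covered by the ROA
    max_length: int  # longest prefix length the ROA authorizes
    asn: int         # AS authorized to originate the prefix


# Constructed sample ROA data (documentation prefixes and AS numbers).
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 24, 64497),
    VRP("2001:db8::/32", 48, 64496),
]

# Constructed sample announcements: (announced prefix, origin AS).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # authorized origin
    ("192.0.2.0/24", 64511),     # covered prefix, wrong origin (hijack shape)
    ("192.0.2.128/25", 64496),   # right origin, more specific than max_length
    ("203.0.113.0/24", 64500),   # no ROA covers this prefix
    ("2001:db8:1::/48", 64496),  # IPv6, within max_length
]


def validate_origin(route_prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route when the route lies inside the VRP's prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # It matches when the origin AS agrees and the route is not too specific.
        if origin_asn == vrp.asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered but never matched means invalid; no covering VRP means not-found.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:<18} AS{asn:<6} {validate_origin(prefix, asn)}")
```

An operator enforcing ROV would typically drop the invalid routes and keep accepting not-found ones, since prefixes without any ROA are still common.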
The RPKI is far from new, but it has never seen the widespread adoption that would be needed to mitigate the security issues inherent in BGP. Hopefully, this latest push from the White House can result in wider implementation, leading to a safer Internet for everyone.