
White House calls attention to 'hard problem' of securing internet traffic routing

Network operators should consider using the readily available options for protecting a crucial but vulnerable technology that routes internet traffic, the White House’s cybersecurity office said Tuesday, noting that some concerns stretch back 25 years.

The new guidance on securing the Border Gateway Protocol (BGP) says the technology “does not provide adequate security and resilience features for the risks we currently face,” echoing assessments by cybersecurity experts, tech companies and other federal agencies.

Networks use BGP to communicate routing information — such as the internet addresses that are currently accepting traffic — with other networks. A mobile wireless network, for example, would use BGP when exchanging internet traffic with a cloud resource or a residential broadband network.

Without adjustments, BGP is exposed to exploits that “enable cryptocurrency theft and malware distribution” as well as operations that “compromise privacy or censor individual communications,” the Office of the National Cyber Director (ONCD) said.

The ONCD’s roadmap calls for network operators to adopt Resource Public Key Infrastructure (RPKI) if they have not already. RPKI involves digital certificates managed by the world’s five Regional Internet Registries, which control resources such as IP addresses.

Using RPKI allows network operators to adopt “widely and commercially available” technologies known as Route Origin Validation (ROV) and Route Origin Authorization (ROA), which essentially work together to help networks verify which internet addresses are reachable.

The office called securing BGP a “hard problem,” and the 19-page guidance issued Tuesday spends several pages explaining how the protocol works. Federal networks themselves have not fully implemented ROAs, the ONCD said, noting that the government is trying to make progress on it. By the end of the year “over 60% of the Federal government’s advertised IP space” will have the necessary features to put ROAs in place, the agency said.

ONCD said it will lead a new Internet Routing Security Working Group that will include the federal Cybersecurity and Infrastructure Security Agency (CISA) as well as industry partners.

Hijacking BGP allows attackers to reroute internet users to malicious sites, where they are potentially exposed to theft of cryptocurrency or data. Other abuses of BGP can facilitate the junk traffic of distributed denial-of-service (DDoS) incidents or disrupt telecommunications services.

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.