The United States has geared up to secure and reform the Border Gateway Protocol (BGP), a system criticised for its weak security framework and long-standing weaknesses. The White House published a report titled ‘Roadmap to Enhancing Internet Routing Security’ highlighting the risks of BGP and recommending steps to bolster internet routing security.
BGP serves as the internet’s navigational compass, directing traffic between the many independently operated networks, called Autonomous Systems (ASes), that make up the internet. Despite its crucial role, BGP was never designed with security in mind, and so the networks that rely on it are left susceptible to several security threats.
The report highlights several key capabilities that BGP lacks, such as:
- Validating the authority of remote networks.
- Verifying the integrity and authenticity of communication exchanged between networks.
- Ensuring the authenticity of data flowing from remote networks.
- Detecting routing announcements that violate business policies.
“There is growing evidence of sophisticated attacks that purposefully manipulate BGP to subvert other foundational protocols, such as the Domain Name System (DNS), web public key infrastructure, and end-to-end security protocols,” says the guideline. “These malicious attacks exploited known BGP vulnerabilities to enable cryptocurrency theft and malware distribution, and compromise or censor individual communications.”
These gaps have led to high-profile BGP route hijacking incidents over the years, including a 2008 event where Pakistan inadvertently disrupted YouTube traffic and more recent exploits by Russia during its 2022 invasion of Ukraine to limit access to Twitter, reports The Register.
The report warns that such route hijacks pose significant risks, potentially exposing personal data, facilitating cyber theft, extortion, state-level espionage, and even disrupting critical infrastructure.
While many BGP incidents are accidental, the potential for malicious exploitation has elevated BGP security to a matter of national security.
The urgency of this issue was further highlighted in June when the United States Department of Justice (DoJ) and the Department of Defense (DoD) communicated their concerns to the Federal Communications Commission (FCC). They underscored the risks posed by BGP flaws, pointing to instances where China Telecom Americas (CTA) manipulated traffic routing to divert American internet traffic to China between 2010 and 2019.
To mitigate these risks, an existing cryptographic authentication scheme known as Resource Public Key Infrastructure (RPKI) provides two complementary mechanisms: Route Origin Authorisations (ROAs), signed records in which an address holder states which AS may originate its prefixes, and Route Origin Validation (ROV), the check routers perform on incoming announcements against those ROAs.
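To make the mitigation concrete, the following is an added example, not taken from the White House report or from any RPKI implementation, of the Route Origin Validation decision a router or RPKI validator makes. Each BGP announcement is compared against the ROAs that cover its prefix and classified as Valid, Invalid, or NotFound following the rules of RFC 6811; an announcement of a prefix by an AS that no ROA authorises (the shape of the hijacks described above) comes out Invalid, as does a more-specific announcement that exceeds the ROA's maximum length. All ROAs, prefixes, and AS numbers below are constructed sample data using documentation prefixes and private ASNs.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload: prefix, maxLength, and authorised origin AS."""
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the origin may announce under this ROA
    origin_asn: int   # AS 0 means "no AS may originate this prefix" (RFC 7607)


def covering_roas(roas, announced_prefix):
    """Return the ROAs whose prefix contains the announced prefix."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version:
            continue  # IPv4 ROAs never cover IPv6 routes and vice versa
        if net.subnet_of(roa_net):
            covering.append(roa)
    return covering


def validate_route(roas, announced_prefix, origin_asn):
    """Classify an announcement as 'Valid', 'Invalid', or 'NotFound' (RFC 6811).

    NotFound: no ROA covers the prefix, so RPKI has no opinion.
    Valid:    at least one covering ROA names this origin AS and permits this length.
    Invalid:  covered by at least one ROA, but none matches origin and length.
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = covering_roas(roas, announced_prefix)
    if not covering:
        return "NotFound"
    for roa in covering:
        # An AS0 ROA never matches a real origin, so it only ever yields Invalid.
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def apply_rov_policy(roas, announcements):
    """Common deployment policy: drop Invalid routes, accept Valid and NotFound.

    Returns (accepted, rejected) as lists of (prefix, origin_asn, state).
    """
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_route(roas, prefix, asn)
        (rejected if state == "Invalid" else accepted).append((prefix, asn, state))
    return accepted, rejected


# Constructed sample data (documentation prefixes, private ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),      # AS64500 may announce exactly the /24
    ROA("2001:db8::/32", 48, 64496),     # AS64496 may announce the /32 down to /48s
    ROA("203.0.113.0/24", 24, 0),        # AS0: nobody may originate this prefix
]

SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # legitimate origin              -> Valid
    ("192.0.2.0/24", 64511),     # unauthorised origin (hijack)   -> Invalid
    ("192.0.2.0/25", 64500),     # right origin, too specific     -> Invalid
    ("2001:db8:1::/48", 64496),  # within maxLength               -> Valid
    ("203.0.113.0/24", 64500),   # prefix reserved by AS0 ROA     -> Invalid
    ("198.51.100.0/24", 64500),  # no covering ROA                -> NotFound
]

if __name__ == "__main__":
    ok, dropped = apply_rov_policy(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS)
    for entry in ok:
        print("accept", *entry)
    for entry in dropped:
        print("reject", *entry)
```

The policy function reflects how ROV is usually deployed: only routes the RPKI positively contradicts are dropped, while NotFound routes are still accepted, which is why coverage of prefixes by ROAs (the adoption figures discussed below) matters as much as routers performing the check.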
However, RPKI adoption has been inconsistent across continents, with Europe leading the race at 70% adoption.
The White House guidelines aim to accelerate the adoption of RPKI across the public and private sectors in the United States. Additionally, the FCC is already developing and implementing risk-management measures to counter BGP flaws.