NIST has published an update on its work on the new Secure Internet Domain Routing (SIDR) standards designed to provide the internet the security that is currently lacking from the Border Gateway Protocol (BGP).
BGP was designed in 1989 as a short-term fix for the earlier Exterior Gateway Protocol that could no longer handle the rapidly increasing size of the internet, and was in imminent danger of meltdown. The problem is that BGP was designed without any security, despite it being fundamental to the operation of the internet.
BGP controls the route that data takes from source to destination. It does this by keeping tabs on the availability of local stepping stones along that route. The availability of those stepping stones is maintained in regularly updated routing tables held locally. The problem is that there is no security applied to those tables — in effect, the entire map of the internet is built on trust; and trust is in short supply in today’s internet. Whole swathes of traffic can be hijacked.
“BGP forms the technical glue holding the internet together,” explains NIST in Tuesday’s post; “but historically, its lack of security mechanisms makes it an easy target for hacking.”
The trust model underpinning BGP is easily abused, and has frequently been abused. Generally speaking, most abuse is thought to have be accidental — but there have been enough suspicious incidents to demonstrate that the theoretic concern over BGP’s security is not unfounded. Since the routing tables are locally stipulated and internationally distributed, a telecommunications company in one country is able to change the data routing for the entire world.
“As a result,” warns NIST in a separate publication (SIDR, Part 1: Route Hijacks– PDF), “attacks against internet routing functions are a significant and systemic threat to internet based information systems. The consequences of these attacks can: (1) deny access to internet services; (2) detour internet traffic to permit eavesdropping and to facilitate on-path attacks on endpoints (sites); (3) misdeliver internet network traffic to malicious endpoints; (4) undermine IP address-based reputation and filtering systems; and (5) cause routing instability in the internet.”
One of the best known examples of route hijacking occurred in February 2008 when a Pakistani ISP tried to block YouTube after the government deemed a video depiction of Muhammad to be offensive. Its attempts to hijack YouTube deliveries to Pakistan effectively hijacked the world’s YouTube making it virtually inaccessible anywhere. While the intent was intended, the result probably wasn’t — but other examples appear to be more clearly malicious.
In April of this year, 36 large network blocks were hijacked by the Russian government-controlled Rostelecom company. Researchers concluded that the BGP tables had been altered manually, probably at or by Rostelecom. What made it suspicious was the high concentration of technology and financial services companies that were included: such as MasterCard, Visa, HSBC and Symantec.
Because of the changes made to the BGP routing tables, traffic flowing into the affected networks was rerouted through Rostelecom’s routers. “I would classify this as quite suspicious,” said Dyn’s Doug Madory at the time. “Typically accidental leaks appear more voluminous and indiscriminate. This would appear to be targeted to financial institutions.”
Other examples include a scheme that ran for months in 2014 redirecting traffic within the Bitcoin infrastructure and resulting in the theft of $83,000 in Bitcoins; and a 2013 attack that detoured bank, telephony, and government data through routers in Belarus and Iceland.
While known BGP abuses have been relatively small in scope and limited in duration — and sometimes accidental — the vulnerabilities are real. “The fact that they haven’t been dramatically exploited yet shouldn’t make you feel better,” warns NIST’s Doug Montgomery. “Think of how much of our critical infrastructure relies on internet technology — transportation, communication, financial systems, et cetera. Someday, someone will have the motivation.”
NIST has been working with the DHS and IETF to develop a new set of BGP standards that will eliminate the problems. “The set of standards, known as Secure Inter-Domain Routing (SIDR), have been published by the Internet Engineering Task Force (IETF) and represent the first comprehensive effort to defend the internet’s routing system from attack,” wrote NIST yesterday.
There are three separate components that comprise SIDR: Resource Public Key Infrastructure (RPKI); BGP Origin Validation (BGP-OV); and BGP PATH Validation (BGP-PV). RPKI allows third-parties to cryptographically validate claims to ownership of internet address blocks and internet autonomous systems. Origin Validation provides protocol extensions and tools to allow BGP routers to use RPKI data to detect and filter unauthorized BGP route announcements. PATH Validation provides further protocol extensions that allow BGP routers to cryptographically verify the sequence of networks (the autonomous systems path) that comprise a BGP route.
The Origin Validation will deter simple route hijack attacks and misconfigurations (accidents), while PATH Validation will deter more sophisticated and stealthy route detour attacks. Together, says NIST, they provide a complete solution to the routing vulnerabilities identified in the original BGP.
Specifications for the three components are now complete. The third component — PATH Validation, also known as BGPsec — was published by IETF as RFC 8205 in September. Uptake, however, is a different matter. The first of the components (RPKI) is defined in RFC 6480 published in February 2012. By 2016, although all five Regional Internet Registries (RIRs — AFRINIC, ARIN, APNIC, LACNIC and RIPE NCC) were RPKI able, adoption of route origin authorizations had been slow and patchy. ~7% of global BGP announcements were then covered by ROAs. RPKI adoption in Europe (~30% of its announced address space covered by ROAs) and Latin America (~13% of its announced address space covered by ROAs) was proceeding much faster than in North America (~3% of its announced address space was then covered by ROAs).
With the specification for the final SIDR component in place, NIST will now redirect its efforts. “With their publication,” says the NIST announcement, “NIST’s efforts will shift to helping the industry with adoption, including developing technical deployment guidance as well as working on improving the performance and scalability of implementations. As part of this technology transition effort, NIST’s National Cybersecurity Center of Excellence (NCCoE) recently announced plans for a new project focused on Secure Inter-Domain Routing.”
With SIDR, the 1989 temporary internet fix known as BGP is finally gaining security. Whether it can be globally implemented before a serious and well-resourced BGP attack disrupts the entire internet remains to be seen. As Montgomery said, “Someday, someone will have the motivation.”