The US government has outlined plans to address key security vulnerabilities associated with the border gateway protocol (BGP) as part of a new report.
In essence, BGP is the central set of rules that dictate the routes through which data is transmitted on the internet.
BGP is a routing protocol that allows autonomous systems (ASes), the fundamental nodes that make up the internet, to dynamically exchange routing information, selecting the optimal path for data to reach its destination.
The protocol has been in use since the early 1990s, but almost 30 years since its introduction, the system’s integrity is no longer up to scratch in today’s threat landscape, according to the report from the White House Office of the National Cyber Director.
“As initially designed and commonly operating today, BGP does not provide adequate security and resilience features for the risks we currently face. Concerns about fundamental vulnerabilities have been expressed for more than 25 years,” the report states.
The Roadmap to Enhancing Internet Routing Security highlighted a series capabilities the BGP lacks which make it a security risk. The first of these is the lack of the ability to validate the authority of remote networks to originate announcements to specific destinations.
BGP is unable to verify the integrity and authenticity of messages exchanged between neighboring networks, the report notes, nor can it ensure the authenticity of information from remote networks.
Finally, BGP cannot detect routing announcements that violate business policies between neighboring networks.
Attackers are taking advantage of weaknesses in legacy BGP
The report notes that as the internet ballooned in scale and complexity, the absence of these capabilities led to misconfigurations resulting in a variety of vulnerabilities in internet routing, which have been subsequently exploited by threat actors.
“Attackers began to falsify BGP information to cause data to be delivered to the wrong destinations, to divert paths across the Internet to pass through unintended networks, or to cause outages in Internet connectivity.”
These incidents are known as route hijacks, which can be used maliciously by attackers to access and exfiltrate sensitive information, disrupt ‘security-critical transactions’, or disrupt critical infrastructure operations.
The report added there is growing evidence of threat actors purposefully manipulating BGP to subvert other foundational protocols the web relies on, such as the domain name system (DNS), web public key infrastructure, and end-to-end security protocols.
For example, in 2022, CISA warned foreign adversaries were using BGP hijacking to their advantage, such as Russia using the technique in the lead up to its invasion of Ukraine.
This activity consisted of using BGP hijacking to limit traffic on Twitter (now X) when the invasion began, as well as disrupting Ukraine's computer emergency response team.
US lags behind rest of world in implementing RPKI framework to shore up BGP security
Fixing this vulnerability will not be simple, however, as it represents a “single, globally-deployed protocol that must remain continuously interoperable across tens of thousands of independent networks,” the White House report notes.
This means improving internet security will need to be a collaborative effort between a wide range of network operators, including internet service providers (ISPs), mobile network operators, cloud service providers, content distribution networks, critical infrastructure networks, and enterprise networks.
A number of initial approaches to increasing the adoption of more secure internet routing techniques are laid out in the report.
The first – and arguably most important – of these security mechanisms is implementing cryptographic authentication initiatives like the resource public key infrastructure (RPKI) framework.
This framework includes two major security mechanisms which the White House Cyber Director wants to see become more widely and commercially available, including route origin validation (ROV), and route origin authorization (ROA).
“ROAs are the data objects created by holders of the address blocks declaring which networks are authorized to originate specific address prefixes from those blocks in BGP” the report explains.
ROV is the process by which invalid routes are filtered by ISPs and can help reduce common routing errors, identify false routing information, and prevent routing hijacks.
The US in particular has some way to go before these two security layers become the default when routing web traffic, however, as the report notes other regions like the EU already have far wider adoption of ROVs and ROAs.
In the US, only 39% of prefixes are currently protected by ROAs and are ‘ROV-valid’ compared to roughly 70% in the EU. This is down to the sheer scale and age of the American registry for internet numbers (ARIN), which manages the distribution of IP addresses and autonomous system numbers (ASNs) in the region.
“The North American region is notably different than other regions; it is the oldest and the largest region for Internet address resources. ARIN manages approximately twice the amount of IP version 4 (IPv4) address resources compared to its Asian Pacific or European counterparts. North America has approximately 144,000 ROAs—more than three times as many as the next largest region, Europe, which has approximately 45,000 ROAs,” the report explained.
A fact sheet published alongside the the roadmap on 3 September concluded that although there is not a single solution to address every vulnerability in the internet routing protocol, RPKI adoption is a mature solution that can immediately reduce these weaknesses.
