The White House Office of the National Cyber Director (ONCD) has published its roadmap for fixing increasingly troublesome security weaknesses in the Internet’s core routing protocol, Border Gateway Protocol (BGP).
BGP is infamously prone to configuration errors that can have consequences serious enough to temporarily disrupt parts of the Internet. It’s also the target of attacks that, among other things, maliciously divert traffic.
“BGP’s original design properties do not adequately address the threat to and resilience requirements of today’s internet ecosystem,” notes the roadmap fact sheet.
“The potential for widespread disruption of internet infrastructure, whether carried out accidentally or maliciously, is a national security concern,” it adds.
This has been known for decades. The TLDR of the Roadmap to Enhancing Internet Routing Security is that the ONCD wants federal agencies and network operators to hurry up and implement a public key cryptography scheme, Resource Public Key Infrastructure (RPKI).
The roadmap follows a May recommendation from the US Federal Communications Commission (FCC) that nine large US ISPs be required to file reports detailing their progress towards better securing BGP.
Clearly, the technical pace is quickening. But why has it taken so long to address BGP’s failings, and will the latest initiative do the trick?
Back of a napkin
In 1989 — the same year British computer scientist Tim Berners-Lee wrote himself into posterity by inventing HTML, hyperlinking and the web — two IBM engineers devised BGP in their lunch break on the back of napkins (hence its later “two napkin protocol” nickname).
Unfortunately, nobody back then thought that security was a big deal, which explains why engineers have been trying to retrofit it onto the web and BGP ever since.
In that time, BGP security has gone from oversight to one of the biggest problems that barely anyone who uses the Internet knows exists.
BGP is the protocol without which the Internet would not be possible. It allows packets to find a path through a large mesh of other interconnected networks and reach the correct destination.
Doing this is complex and requires both multi-path routing (i.e., several different ways to reach a destination, so that problems such as congestion can be routed around) and decision algorithms that let routers choose the best path at a given moment in time.
A traffic stampede
When BGP works, nobody notices it. When it doesn’t, things can go south very rapidly. Often, this is caused by mistakes rather than conspiracy.
For example, Microsoft caused problems for its own services with a BGP misconfiguration in January 2023.
Or take the June 2019 incident in which a small ISP in Pennsylvania inadvertently started “advertising” BGP routes which appeared to be a good way to reach Amazon and Cloudflare. A traffic stampede ensued, turning that tiny company into a routing bottleneck.
The routers kept pushing packets through the straw until someone realized what had happened. Ironically, the problem was caused by routing optimizer software that should have helped.
The underlying problem was that BGP had no way to verify which networks are allowed to advertise which address blocks. More recent mechanisms based on RPKI, called Route Origin Authorization (ROA) and Route Origin Validation (ROV), are attempts to address this. They let a router check that the advertising network is authorized to originate a route before it accepts that route and forwards packets along it. This also makes it much harder to maliciously advertise routing paths to hijack traffic. Both techniques have limitations but are a widely agreed good starting point. But, as ever in Internet committees, things take a long time to happen, even with mandates from the White House.
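The origin-validation check described above, together with the best-path selection sketched under "Back of a napkin", as an added Python illustration; this is not code from the roadmap, from Network World, or from any router vendor. The ROA, prefixes and AS numbers are constructed from documentation ranges, and the ROV policy it applies (drop invalid, keep valid and not-found) is the common operator practice, assumed here rather than taken from the roadmap:

```python
"""Origin validation (ROV) against ROAs, then a simplified BGP decision process.
Added illustration; all ASNs, prefixes and ROAs are constructed (RFC 5398 / RFC 5737
documentation values), and the drop-invalid policy is an assumed, common default."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: asn may originate prefix, no longer than max_length."""
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Route:
    """A received BGP route: AS_PATH left-most is the neighbour, right-most the origin."""
    prefix: str
    as_path: tuple
    local_pref: int = 100

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def rov_state(route: Route, roas) -> str:
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811 semantics)."""
    net = ipaddress.ip_network(route.prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"   # no ROA says anything about this address space
    for roa in covering:
        if roa.asn == route.origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # covered by a ROA, but wrong origin or too specific


def rov_filter(routes, roas):
    """Common ROV policy: drop invalid routes, keep valid and not-found."""
    return [r for r in routes if rov_state(r, roas) != "invalid"]


def best_path(routes, roas):
    """Simplified BGP decision process for one prefix: highest LOCAL_PREF,
    then shortest AS_PATH, then prefer an ROV-valid route over not-found."""
    if not routes:
        return None

    def rank(route):
        valid_first = 0 if rov_state(route, roas) == "valid" else 1
        return (-route.local_pref, len(route.as_path), valid_first)

    return min(routes, key=rank)


def build_rib(routes, roas, validate=True):
    """Loc-RIB: the best route per prefix, optionally after ROV filtering."""
    candidates = rov_filter(routes, roas) if validate else list(routes)
    by_prefix = {}
    for route in candidates:
        by_prefix.setdefault(route.prefix, []).append(route)
    return {prefix: best_path(cands, roas) for prefix, cands in by_prefix.items()}


def lookup(rib, address: str):
    """Forwarding lookup: longest prefix match, which is why a leaked more-specific wins."""
    addr = ipaddress.ip_address(address)
    matches = [r for p, r in rib.items() if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


# Constructed data: AS 64500 holds 192.0.2.0/24 and signed a ROA with max_length 24
ROAS = [ROA("192.0.2.0/24", 24, 64500)]

# Constructed announcements as seen by a transit router
ROUTES = [
    Route("192.0.2.0/24", (64510, 64500)),          # legitimate, two-hop path
    Route("192.0.2.0/24", (64520, 64530, 64500)),   # legitimate, longer path
    Route("192.0.2.0/25", (64520, 64530, 64999)),   # leaked more-specific, wrong origin
    Route("198.51.100.0/24", (64510, 64501)),       # no ROA published: not-found
]

if __name__ == "__main__":
    for route in ROUTES:
        print(route.prefix, route.as_path, "->", rov_state(route, ROAS))
    for validate in (False, True):
        chosen = lookup(build_rib(ROUTES, ROAS, validate=validate), "192.0.2.77")
        print("ROV", "on " if validate else "off", "-> 192.0.2.77 via origin AS", chosen.origin_as)
```

Run without validation, the leaked /25 wins the forwarding lookup purely by longest prefix match, regardless of how long its AS_PATH is; that is the Pennsylvania bottleneck in miniature. With validation on, the /25 is dropped because no ROA authorizes AS 64999 for that space and a /25 exceeds the signed max_length of 24, so traffic follows the shortest valid path back to AS 64500. The max_length check is also the caveat operators must keep in mind: even the legitimate holder announcing a /25 would be marked invalid under this ROA, so ROAs have to be signed to match what the network actually announces.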
What the ONCD ordered
The ONCD said that by the end of the year, it expects that 60% of the US Federal government’s advertised IP space will be covered by the Registration Service Agreements (RSA) necessary to establish Route Origin Authorizations.
Despite this, the roadmap identifies various obstacles slowing down a BGP overhaul in the long term. One is that the adverse effects of BGP’s insecurity are often not felt directly by the service providers who would have to invest, and that investment offers them no direct financial return. Nor does it help that some providers will also need to replace or upgrade routers to be compatible with ROV.
Pushing back, the ONCD recommends that ISPs audit the technical effects ROA and ROV implementation might have on their organization and include the issue of BGP security as part of cybersecurity risk assessments.
The full recommendations run to multiple points, which also go into detail as to how ISPs should draw up contracts for IP transit, cloud and infrastructure. The bigger message is clear: service providers should monitor the quality and threat profile of their BGP setup rather than leaving other people to clean up the mess.
Anyone working in the ISP space will need to read the roadmap’s ROA and ROV recommendations carefully. For larger ISPs, certainly, these mitigations are now part of best practice.
Going it alone?
Network World spoke to experienced Internet expert and former journalist Kieren McCarthy, who was positive about the ONCD banging heads together to get broader adoption. However, he had some reservations.
“What is a little worrying is that the US government appears to be going on its own, even setting up a new working group whose members it hasn’t announced,” said McCarthy.
“The internet remains a global network, and the US government should put its money where its mouth is and support the international multi-stakeholder model for developing solutions to internet problems,” he added.
He noted that the roadmap was complementary to existing groups such as the Mutually Agreed Norms for Routing Security (MANRS), a global initiative with the same aim of securing routing against such threats.
“I wonder why they felt the need to develop their own approach?” said McCarthy. “That gripe aside, the White House roadmap is a good thing.”
Since its creation in 2021, the ONCD has acquired a reputation for forcefulness. Earlier this year, a separate report recommended that developers reduce the likelihood of cyberattacks by abandoning vulnerable programming languages such as C and C++.
Source: Network World