A Broadband Internet Technical Advisory Group Technical Working Group Report.
Please direct comments on the substance of the report to comments@bitag.org.
Executive Summary
The Internet is critical to the global economy, and Internet security incidents regularly make headlines. Though much attention has been paid to the security of applications, data, and users, this report focuses on the security of the system by which the Internet routes our traffic around the world.
The Internet consists of the set of networks that utilize the same standard Internet protocols to interconnect and exchange data. These networks belong to Internet service providers, content and application providers, government agencies, universities, businesses, and others. The Internet’s globally-distributed nature requires the cooperation of the tens of thousands of entities collectively responsible for the planning, maintenance, and operation of its routing infrastructure.
Because no single network is directly connected to everything on the Internet, each network exchanges routing information with its neighbors to indicate which destinations it can reach, either because it is connected to those destinations directly or because it can reach them via another neighbor. With this information, each of those networks’ routers constructs its own map (called a “routing table”) of the Internet, which it uses to direct traffic. The protocol used to communicate routing information is called “Border Gateway Protocol,” or BGP[1]. BGP was first standardized in June 1990 and, like many parts of the early Internet, functionality was prioritized over security. Though many other Internet protocols have seen subsequent security improvements, integrating encryption and authentication, BGP is more complex, so changes to it require many incremental, iterative development and deployment efforts. Because this routing infrastructure forms the most basic underpinning of the Internet, attacks against it can subvert or deny access to the applications and services that rely on the Internet. Both malicious attacks and simple operational errors can, and often do, result in such disruption.
Routing security incidents have severe consequences: large-scale service outages, compromises of data security and privacy, and subversion of other critical Internet infrastructure like domain name service and cryptographic key management. Yet it can be difficult to recognize incorrect routing information: it propagates far from its point of origin and from any context that could be used to evaluate its veracity.
When BGP was introduced, the Internet consisted of fewer than 2,000 networks[2]. Trust, identity, and verification of routing information were relatively simple, and the Internet’s practitioners were generally both well informed and willing to collaborate toward the success of their shared endeavor. Today, the Internet consists of more than 71,000 interconnected networks with disparate business models, scale, locality, and governing law[3][4]. Today’s risks are vastly different from those at the time BGP was designed, due to the subsequent increase in the Internet’s complexity and scale, and the rise of cybercrime, government cyber-conflict, and other threats.
For these reasons, the Internet community continues to improve the security of the global routing system to protect the applications and services that rely on it. From the IETF (Internet Engineering Task Force) and network operator forums, to MANRS (Mutually Agreed Norms for Routing Security)[5], network operators have found many venues in which to collaboratively address this need.
In this report, we review the current state of Internet routing technology, discuss its weaknesses, and present a few illustrative real-world examples of the resulting connectivity disruptions and criminal activity. We review existing technologies that can mitigate some of these problems and introduce emerging technologies that may provide more comprehensive solutions in the future.
Broadly speaking, we distinguish misrouting along two axes: whether it is intentional or unintentional, and whether it is characterized by a false origin or by an unauthorized path. We also touch on the related topic of forged IP packets.
These categories are often conflated in popular accounts, and variously termed “hijacks,” “route leaks,” or “address spoofing.” Among the remedies we discuss are route monitoring, route filtering using publicly available routing policy data, and source-address validation.
None of these techniques addresses the full spectrum of BGP vulnerabilities and threats[6], and indeed a comprehensive solution to routing weaknesses may continue to elude us. For example, RPKI ROV can protect some aspects, but leaves residual vulnerabilities. Other techniques to address those weaknesses are still under development; their effectiveness has not been fully tested or proven, and they may themselves introduce new vulnerabilities or complexity. Furthermore, the adoption of even those practices that do exist is incomplete, and many networks thus lack even the protections that are currently available. Nonetheless, the current techniques are largely complementary, and the Internet engineering and operations community continues to develop and refine routing security practices.
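To make concrete what RPKI ROV does and does not cover, the following is an added example (not code from the BITAG report) implementing Route Origin Validation over a constructed set of ROAs. Prefixes and AS numbers are documentation/private-use values chosen for illustration; the example shows a false-origin announcement and an over-specific announcement being marked invalid, while an announcement that carries the authorized origin behind an unauthorized path still validates, which is the residual weakness the summary refers to.

```python
from ipaddress import ip_network

# Constructed sample ROAs: (prefix, maxLength, authorized origin ASN).
# These are illustrative values, not data from any real RPKI repository.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]


def covering_roas(prefix, roas):
    """Return the ROAs whose prefix covers the announced prefix (RFC 6811 'covering ROA')."""
    net = ip_network(prefix)
    found = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ip_network(roa_prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare families first.
        if net.version == roa_net.version and net.subnet_of(roa_net):
            found.append((roa_net, max_len, asn))
    return found


def validate(prefix, origin_asn, roas=ROAS):
    """RFC 6811 ROV outcome for one (prefix, origin AS) pair: valid, invalid or not-found."""
    net = ip_network(prefix)
    covering = covering_roas(prefix, roas)
    if not covering:
        # No ROA covers this space: ROV cannot say anything about it.
        return "not-found"
    for _roa_net, max_len, asn in covering:
        # Valid only if the origin matches AND the announced length is within maxLength.
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def origin_as(as_path):
    """ROV looks only at the rightmost AS of the AS_PATH; the rest of the path is unchecked."""
    return as_path[-1]


def classify_update(prefix, as_path, roas=ROAS):
    """Convenience wrapper: validate a BGP UPDATE given its prefix and AS_PATH."""
    return validate(prefix, origin_as(as_path), roas)
```

Note that `classify_update("192.0.2.0/24", [64510, 64500])` returns `"valid"` even though AS 64510 is not an authorized path: ROV binds prefix to origin AS only, so path-level checks need a separate mechanism.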
- Section 1 provides background on Internet addressing and routing including BGP.
- Section 2 describes problems in routing security and introduces common vocabulary and taxonomy.
- Section 3 reviews routing security incidents, discussing impacts and causes.
- Section 4 presents a variety of solutions that can mitigate these risks.
- Section 5 catalogs concerns that transcend investment or prescriptive approaches.
- Section 6 summarizes the findings of the paper.
- Section 7 provides recommendations to network operators and policy-makers.
- The Appendices (Section 8) explore some topics in greater technical detail.
- A Glossary provides concise definitions of terms of art used in the document.