The White House Office of the National Cyber Director (ONCD) has released a strategic plan aimed at addressing the critical security vulnerabilities present in the foundational Internet routing protocol, the Border Gateway Protocol (BGP).

BGP is well-known for its susceptibility to configuration mistakes which can lead to significant temporary disruptions across the Internet. There is also a risk of predatory attacks that can result in the malicious rerouting of data.

“The core design aspects of BGP do not sufficiently mitigate the threats to, and necessary robustness of, the current internet environment,” according to the roadmap fact sheet.

“The risk of significant interference with internet infrastructure, whether inadvertent or deliberate, is regarded as a matter of national security,” the document continues.

This has been known for decades. The TL;DR of the Roadmap to Enhancing Internet Routing Security is that the ONCD urges federal agencies and network operators to expedite the adoption of a public key cryptography system known as Resource Public Key Infrastructure (RPKI).

The initiative builds on a suggestion from the US Federal Communications Commission (FCC) in May urging nine major US ISPs to submit reports on their efforts towards securing BGP more effectively.

It is evident that the pace of technological advancements is accelerating. But the critical questions stand: Why has resolving the shortcomings in BGP taken so long, and can the current measures effectively address these issues?

In 1989, the same year that British computer scientist Tim Berners-Lee introduced the world to HTML, hyperlinking, and the web, two engineers from IBM sketched out the BGP protocol during their lunch break on napkins, leading to its nickname “two napkin protocol.”

Initially, security was not perceived as crucial, and efforts to retrofit it into both the web and BGP have been ongoing ever since.

As a result, BGP security evolved from a neglected aspect to a major issue that remains largely unrecognized by the average Internet user.

BGP underpins the functionality of the Internet, orchestrating the routing of data packets across an extensive network of interconnected systems to their intended destinations.

This process is intricate, necessitating adaptive multi-path routing to manage issues like traffic congestion and employing algorithms that enable routers to select the most efficient route dynamically.

When BGP functions correctly, it goes unnoticed. However, when it fails, the impact is immediate and often dramatic, typically due to human error rather than malicious intent.

For instance, a BGP misconfiguration by Microsoft disrupted its services in January 2023.

In another case, during June 2019, a minor ISP in Pennsylvania accidentally began to broadcast BGP routes suggesting it was an efficient path to Amazon and Cloudflare services. This led to a massive influx of traffic, overwhelming the small company and creating a bottleneck.

This disruption continued until the error was identified and rectified. Ironically, the incident was exacerbated by routing optimizer software, which was intended to enhance network efficiency.

The underlying issue was that BGP had no way of verifying which networks were allowed to advertise specific address ranges. Newer RPKI-based mechanisms, Route Origin Authorization (ROA) and Route Origin Validation (ROV), have begun to tackle this problem by enforcing a verification check that confirms a network’s entitlement to advertise a route before the route is accepted. This check also reduces the potential for traffic hijacking through malicious routing advertisements. Despite their limitations, these approaches are generally accepted as a positive initial step. However, progress tends to be slow within Internet governance bodies, even with directives from authoritative entities like the White House.

The ONCD has announced its expectation that by year’s end, 60% of the IP spaces advertised by the US Federal government will be secured by the necessary Registration Service Agreements (RSA) for establishing Route Origin Authorizations.

However, the plan also highlights several impediments that could delay an extensive reform of BGP. A significant barrier is the lack of direct financial incentives for service providers to secure their networks, as the negative impacts of BGP’s vulnerabilities do not usually affect them directly. Additionally, some providers may face the need to replace or upgrade their routers to support ROV.

In response, the ONCD advises ISPs to assess the technical impacts that implementing ROA and ROV might have on their systems and to consider BGP security within their broader cybersecurity risk evaluations.

The recommendations are extensive and include detailed guidance on how Internet Service Providers (ISPs) should structure agreements for IP transit, cloud, and infrastructure services. The overarching directive emphasizes that ISPs ought to actively monitor their Border Gateway Protocol (BGP) configurations for quality and security threats instead of passing the responsibility to others.

ISPs, especially those operating on a larger scale, must familiarize themselves with the roadmap’s Route Origin Authorization (ROA) and Route Origin Validation (ROV) guidelines, which are increasingly recognized as industry standards.

Network World consulted Kieren McCarthy, a savvy internet specialist and ex-journalist, who generally supported the Office of the National Cyber Director’s (ONCD) push for wider compliance but expressed some concerns.

“It’s somewhat troubling that the US government seems to be acting independently, even initiating a new working group without disclosing its members,” McCarthy remarked.

“The internet remains a global network, and the US government should put its money where its mouth is and support the international multi-stakeholder model for development solutions to internet problems,” he added.

He noted that the roadmap was complementary to existing groups such as the Mutually Agreed Norms for Routing Security (MANRS), a global initiative with the same aim of securing routing against threats.

“I wonder why they felt the need to develop their own approach?” said McCarthy. “That gripe aside, the White House roadmap is a good thing.”

Since its creation in 2021, the ONCD has acquired a reputation for forcefulness. Earlier this year, a separate report recommended that developers reduce the likelihood of cyberattacks by abandoning vulnerable programming languages such as C and C++.

