
Nov 21 2024
Networking

Fixing BGP’s Security Vulnerabilities Is Essential to Restoring Trust

The Border Gateway Protocol assumes trust, leaving it vulnerable to manipulation by attackers.

Border Gateway Protocol, a routing protocol developed in 1989 on the premise that all routing information exchanged between networks could be trusted, can no longer be trusted. That is the guidance from the White House’s Office of the National Cyber Director (ONCD), which unveiled its Roadmap to Enhancing Internet Routing Security on Sept. 3, detailing a flaw inherent to BGP that leaves it unable to protect agencies from accidental errors and intentional attacks.

While BGP’s importance may be obscured among the numerous routing protocols used to direct users to the right online resources, it is crucial to moving traffic across the internet, and its flaws place agencies at risk from state-level attackers.


How Does BGP Work?

BGP is a fundamental routing protocol that helps connect the approximately 74,000 independent networks that make up the internet, including cloud service providers; internet service providers; universities; energy companies; and federal, state and local governments. The routers of a given network use BGP to announce what IP destinations can be reached by traffic flowing through that network. This communication goes out to neighboring routers, helping to establish the best route for traffic to take to get to a given destination.

“BGP is well suited for this job, as it is highly scalable and can share hundreds of thousands of destinations among the core internet routers,” says Nicholas Balister, federal systems architect at Fortinet Federal.

“BGP is like the GPS system your data uses to get from your computer to the website or application you are trying to access,” says Anthony Belcastro, technical marketing engineer at Cisco. “BGP is a combination of many autonomous systems (like cities) that advertise their subnets (like street addresses) that lead to where an IP address or website or application lives. Should the normal path to a destination go down, BGP will reroute you through another ‘city’ automatically.”


What Is BGP’s Fatal Flaw?

The problem with BGP is that it was not built to meet today’s security needs. As designed, the protocol offers no built-in way to verify that the destinations advertised by a given router are accurate. Trust is assumed, and attackers can manipulate that inherent trust in different ways.

The first type of attack is a prefix hijack, in which a network advertises IP prefixes that it does not actually hold, so that traffic destined for those addresses is routed to it under a false pretense.

“This is used generally in combination with other attack vectors, such as sending user domain name server packets to a compromised server,” Belcastro says. “This is a sophisticated attack attempting to route user traffic to a compromised server impersonating a website or application.”

The second type of attack is a path hijack. With this method, a network falsely advertises routes to popular or desirable destinations to enable attackers to either degrade the user experience or collect data on the user.

“Certain countries have been known to use BGP manipulation for cyber surveillance and possible preparation for infrastructure attacks,” Belcastro says.


The Consequences of BGP’s Verification Problem

Left unaddressed, BGP’s flaws can expose personal information, enabling theft, extortion and state-level espionage. The same flaws have the potential to cause widespread disruption of the internet.

“Over time, it has become clear that we need additional mechanisms to help determine which updates are trustworthy,” says Tom Scholl, vice president and distinguished engineer at Amazon Web Services. “The emerging questions are about what mechanisms are needed to allow operators to discriminate among what routing updates they should accept.”

Operators should be asking how they can trust the information exchanged within BGP, how to prevent someone from purposely announcing a prefix that doesn’t belong to them, and how to stop someone from announcing a set of networks via a path that would be considered undesirable or clearly a mistake.


Resource Public Key Infrastructure Is a BGP Fix

Despite the fundamental role that BGP plays in supporting internet traffic, the issue has festered for years. This is because of the global, systemic nature of the problem and because it requires cooperation from a large number of stakeholders including ISPs, mobile network operators, cloud service providers, content distribution networks, critical infrastructure networks and enterprise networks of all types.

To that end, the ONCD roadmap prescribes widespread adoption of Resource Public Key Infrastructure as a practical solution.

“RPKI allows organizations to sign Route Origin Authorization records, which contain prefixes associated with their organization using a unique cryptographic key, much like getting a public certificate for your organization’s website, except for BGP advertisements,” Balister says. “These records can then be used by routers across the globe to perform Route Origin Verification against their external BGP peers (eBGP), to ensure only your organization’s advertised prefix is valid.”

“ROV provides individual networks with the ability to ingest ROAs and incorporate them into the BGP decision-making process that their routers perform,” Scholl says. “If a router observed an internet prefix where the originated autonomous system number did not match what the applicable ROA authorized, it would determine that the prefix is invalid and not install it into its routing table. This would result in the network rejecting the incorrect (hijacked or otherwise) routing announcement.”

In addition to directing the Office of Management and Budget to guide agencies in adopting RPKI and implementing ROAs, ONCD suggests that service providers contracting with the federal government, and recipients of critical infrastructure development grants, be required to adopt similar routing security measures.


Best Practices for Adopting RPKI

While ONCD guidance on adopting RPKI to address BGP flaws is new, security engineers have been chipping away at this problem for some time. The National Institute of Standards and Technology’s RPKI Monitor indicated in April that more than 50 percent of the internet was covered by ROAs.

Agencies new to RPKI have a wealth of previous experience to learn from as they adopt this new security technology.

“Networks should select a good RPKI validator, such as the open source tools rpki-client or routinator, and build the appropriate routing policies to enforce the correct controls in their network,” Scholl says.

“From a technical standpoint, older devices may not be capable of [route origin validation] functionality,” Belcastro says. “There are also additional overheads on router performance, as it’s now tasked with additional processing. Operationally, staff need to be trained and procedures updated.”

“There may also be connectivity risks associated with deployment of RPKI, since not every prefix on the internet has an ROA yet,” Balister says. “To help lower the chance of connectivity issues, see if the organization’s routers support enabling ROV without blocking the prefixes. This allows a BGP operator to see how the RPKI changes will impact the environment before deployment.”
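The Route Origin Validation check Scholl describes above, together with the non-blocking deployment mode Balister suggests, as an added illustration that is not code from the article, from Cisco, Fortinet or AWS, or from any real validator: a minimal RFC 6811-style classifier run over a constructed ROA table and constructed announcements, with an `enforce` switch that either drops invalid routes or only logs them. The ROA records, prefixes and ASNs are constructed sample values, and the ROAs are assumed to have already been fetched and cryptographically verified by a tool such as rpki-client or routinator.

```python
# Added illustration, not the article's or any vendor's code. The ROA table
# below is assumed to be already validated by an RPKI validator; this code
# only performs the per-announcement origin check a router would apply.
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Roa:
    prefix: str      # e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the holder may announce
    origin_asn: int  # autonomous system authorized to originate it

def rov_state(route_prefix: str, origin_asn: int, roas) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue  # this ROA says nothing about the announced prefix
        covered = True
        if route.prefixlen <= roa.max_length and roa.origin_asn == origin_asn:
            return "valid"  # one matching ROA is enough
    # Covered by a ROA but no ROA matched: the origin AS is wrong (a prefix
    # hijack looks like this) or the announcement is too specific.
    return "invalid" if covered else "not-found"

def apply_policy(announcements, roas, enforce: bool = True):
    """Return (accepted routes, log lines). With enforce=False invalid
    routes are logged but still accepted: the non-blocking mode used to
    preview RPKI's impact before dropping anything."""
    accepted, log = [], []
    for prefix, asn in announcements:
        state = rov_state(prefix, asn, roas)
        log.append(f"{prefix} origin AS{asn}: {state}")
        if state == "invalid" and enforce:
            continue
        accepted.append((prefix, asn))
    return accepted, log

# Constructed sample data using documentation prefixes and ASNs.
ROAS = [Roa("203.0.113.0/24", 24, 64496)]
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),   # legitimate holder -> valid
    ("203.0.113.0/25", 64496),   # more specific than maxLength -> invalid
    ("203.0.113.0/24", 64500),   # wrong origin AS -> invalid
    ("198.51.100.0/24", 64500),  # no ROA at all -> not-found, accepted
]
```

Running `apply_policy(ANNOUNCEMENTS, ROAS, enforce=False)` shows both invalid announcements in the log while still accepting them; switching to `enforce=True` drops them and keeps the valid and not-found routes.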
