The Border Gateway Protocol (BGP) is flawed and needs to be fixed. Fixing this protocol would minimize data theft, extortion, state-level espionage, as well as disruption of security-critical transactions. This is the conclusion of a new roadmap document, published earlier this week by the White House.
The document is called “A Roadmap for Improving Internet Routing Security” and discusses BGP issues and potential solutions.
Border Gateway Protocol (BGP) is the primary routing protocol used to exchange routing information between different autonomous systems (AS) on the Internet. In other words, it is the glue that holds the entire Internet together.
Spying and data theft
It enables routers to determine the most efficient paths for data to travel across the vast expanse of interconnected networks that make up the Internet. BGP is crucial to maintaining a stable and scalable Internet, as it allows networks to share reachability information and make routing decisions based on a variety of policies.
But the protocol was designed in 1989 and security was more of an afterthought. As a result, BGP has been abused several times over the years in some high-profile attacks. For example, in 2008, a Pakistani ISP wanted to block access to YouTube within Pakistan, but accidentally advertised a more specific BGP route that led to global YouTube traffic being rerouted through Pakistan. This caused a worldwide YouTube outage for several hours.
Two years later, China Telecom broadcast incorrect BGP routes that caused a significant amount of global Internet traffic, including that from US military and government sites, to be routed through China for about 18 minutes. China claimed it was an accident, while some researchers in the West thought it was a deliberate attempt at cyber espionage.
In 2018, attackers hijacked BGP routes from Amazon’s Route 53 DNS service to redirect traffic destined for MyEtherWallet, a popular cryptocurrency wallet service, to a malicious server. The attackers then stole users’ cryptocurrency by tricking them into entering their credentials on the fake site.
The solution is an authentication scheme called Resource Public Key Infrastructure (RPKI), a framework that hardens the Border Gateway Protocol (BGP) by letting networks cryptographically verify who holds an IP address block and which networks are authorized to advertise specific routes for it.
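To make the RPKI mechanism concrete, here is an added example (not from the article or the White House document) of the route origin validation step a router performs: each Route Origin Authorization (ROA) says which AS may announce a prefix and how specific the announcement may be, and an announcement such as the Pakistani "more specific" route is classed as invalid even though it covers real addresses. The prefixes and AS numbers in the table are illustrative values chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_asn may originate `prefix` and any
    more-specific of it down to `max_length` (the ROA's maxLength field)."""
    prefix: Net
    max_length: int
    origin_asn: int


def roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, origin_asn)


def validate_origin(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Route origin validation as routers apply it (RFC 6811 semantics).

    'not-found': no ROA covers the announced prefix (holder has not signed one).
    'valid'    : a covering ROA names this origin AS and the announced prefix
                 is no more specific than that ROA's maxLength.
    'invalid'  : covering ROAs exist but none matches, i.e. the announcement
                 comes from the wrong AS or is too specific. A router enforcing
                 RPKI drops or deprefers such routes, which is what would have
                 contained the YouTube and MyEtherWallet hijacks.
    """
    announced = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == announced.version
                and announced.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_asn == origin_asn and announced.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


# Constructed ROA table (illustrative values, not taken from the article).
ROAS = [
    roa("208.65.152.0/22", 22, 36561),  # holder allows only the /22 itself
    roa("2001:db8::/32", 48, 64500),    # IPv6 block, more-specifics to /48 allowed
]

if __name__ == "__main__":
    # Legitimate /22 from the holder versus a rogue, more-specific /24.
    print(validate_origin("208.65.152.0/22", 36561, ROAS))  # valid
    print(validate_origin("208.65.153.0/24", 17557, ROAS))  # invalid
```

Note that the more-specific /24 is rejected even when it carries the rightful origin AS, because the ROA's maxLength of 22 forbids it; operators therefore set maxLength deliberately rather than allowing arbitrary deaggregation.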
“To that end, this document serves as a roadmap for increasing the adoption of technologies that address critical vulnerabilities associated with the Border Gateway Protocol (BGP) and drive improvements in the security and resilience of Internet inter-domain routing,” the White House document concludes.
“This roadmap is not a technical guide on how to implement routing, but rather outlines available best practices and guidance, details USG actions to promote BGP security, and makes recommendations for improving routing security across the Internet ecosystem.”
Via The Register