The Border Gateway Protocol (BGP) is flawed and needs to be fixed. Fixing the protocol would minimize data theft, extortion, state-level spying, and the disruption of security-critical transactions, according to a new roadmap document published earlier this week by the White House.
The document, titled “Roadmap to Enhance Internet Routing Security”, discusses the problems with BGP and possible solutions to them.
The Border Gateway Protocol (BGP) is the primary routing protocol used to exchange routing information between different autonomous systems (AS) on the Internet. In other words, it is the glue that holds the entire Internet together.
Espionage and data theft
BGP allows routers to determine the most efficient paths for data to travel across the vast expanse of interconnected networks that make up the Internet. BGP is crucial to maintaining a stable and scalable Internet, because it lets networks share reachability information and make routing decisions based on various policies.
However, the protocol was designed in 1989, and security was more of an afterthought. As a result, BGP has been abused in several high-profile attacks over the years. For example, in 2008, a Pakistani ISP intended to block access to YouTube within Pakistan, but accidentally announced a more specific BGP route that resulted in YouTube’s global traffic being routed through Pakistan. This caused YouTube to go offline globally for several hours.
Two years later, China Telecom advertised incorrect BGP routes, causing a significant portion of global Internet traffic, including U.S. government and military sites, to be routed through China for about 18 minutes. China claimed it was an isolated incident, while some researchers in the West believed it was a deliberate attempt at cyberespionage.
In 2018, attackers hijacked BGP routes for Amazon’s Route 53 DNS service to redirect traffic intended for MyEtherWallet, a popular cryptocurrency wallet service, to a malicious server. The attackers then stole users’ cryptocurrency by tricking them into entering their credentials into the fake site.
The solution is an authentication scheme called Resource Public Key Infrastructure (RPKI). RPKI is a framework that lets networks cryptographically verify who holds an IP address block and which networks that holder has authorized to advertise specific routes for it, so that a router can check a BGP announcement against a signed statement rather than taking it on trust.
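To make the RPKI check concrete, here is an added example (not code from the article or from the White House roadmap) of Route Origin Validation as specified in RFC 6811. A Route Origin Authorization (ROA) states that a given origin AS may announce a prefix up to a certain maximum length. A router compares each received announcement against the ROAs that cover it and labels the result valid, invalid, or not-found. The ROAs, prefixes and AS numbers below are constructed for illustration, using the documentation ranges reserved for that purpose; the two "invalid" cases mirror the incident types described above: a more-specific announcement like the YouTube hijack, and a correct prefix from the wrong origin like the Route 53 hijack.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class Rov(Enum):
    """Outcome of Route Origin Validation (RFC 6811, section 2)."""
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not-found"


@dataclass(frozen=True)
class ROA:
    """A Validated ROA Payload: prefix, maximum announced length, authorized origin AS."""
    prefix: object          # ipaddress.IPv4Network or ipaddress.IPv6Network
    max_length: int
    origin_asn: int


def make_roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    """Build a ROA, rejecting max lengths shorter than the prefix or longer than the address size."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, origin_asn)


def validate(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> Rov:
    """RFC 6811 origin validation of one BGP announcement.

    - No ROA covers the announced prefix            -> NOT_FOUND
    - Some covering ROA has the same origin AS and a
      maxLength >= the announced prefix length      -> VALID
    - Covering ROAs exist but none matches          -> INVALID
    """
    net = ipaddress.ip_network(announced_prefix, strict=True)
    covering = [
        r for r in roas
        if r.prefix.version == net.version and net.subnet_of(r.prefix)
    ]
    if not covering:
        return Rov.NOT_FOUND
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return Rov.VALID
    return Rov.INVALID


def accepted_routes(updates: Iterable[Tuple[str, int]], roas: Iterable[ROA]) -> List[Tuple[str, int]]:
    """Apply a drop-invalid policy: keep VALID and NOT_FOUND announcements.

    RFC 6811 leaves the policy to the operator; dropping invalids is the common
    choice, while not-found routes are kept because most prefixes still lack ROAs.
    """
    roas = list(roas)
    return [(p, a) for p, a in updates if validate(p, a, roas) is not Rov.INVALID]


# Constructed ROAs (documentation prefixes from RFC 5737/3849, ASNs from RFC 5398).
SAMPLE_ROAS = [
    make_roa("192.0.2.0/24", 24, 64496),    # AS64496 may announce exactly the /24
    make_roa("2001:db8::/32", 48, 64497),   # AS64497 may announce the /32 and subnets down to /48
]

# Constructed announcements: (prefix, origin AS).
SAMPLE_UPDATES = [
    ("192.0.2.0/24", 64496),     # legitimate announcement
    ("192.0.2.0/25", 64496),     # more-specific than maxLength allows (YouTube-style hijack)
    ("192.0.2.0/24", 64511),     # right prefix, wrong origin AS (Route 53-style hijack)
    ("203.0.113.0/24", 64498),   # no ROA at all
    ("2001:db8:1::/48", 64497),  # within maxLength, correct origin
    ("2001:db8::/64", 64497),    # longer than maxLength 48
]


if __name__ == "__main__":
    for prefix, asn in SAMPLE_UPDATES:
        print(f"{prefix:18} AS{asn:<6} -> {validate(prefix, asn, SAMPLE_ROAS).value}")
    print("accepted:", accepted_routes(SAMPLE_UPDATES, SAMPLE_ROAS))
```

Two points the example brings out: a ROA with a tight maxLength is what blocks more-specific hijacks, since a /25 under a /24 ROA is invalid even from the authorized AS; and origin validation only checks the origin, not the rest of the AS path, which is why the roadmap treats RPKI as a first step rather than a complete fix.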
“Therefore, this document serves as a roadmap to increase the adoption of technologies that address critical vulnerabilities associated with the Border Gateway Protocol (BGP) and to drive improvements in the security and resiliency of Internet interdomain routing,” the White House document concludes.
“This roadmap is not a technical guide on how to implement routing, but rather points out best available guidelines and practices, details US Government (USG) actions to advance BGP security, and makes recommendations to improve routing security across the Internet ecosystem.”
Via The Register