Draft Cybersecurity Practice Guide: Protecting the Integrity of Internet Routing
September 04, 2018
It is difficult to overstate the importance of the internet to modern business and to society in general. The internet is essential to the exchange of all manner of information, including transactional data, marketing and advertising information, remote access to services, entertainment, and much more. The internet is not a single network, but rather a complex grid of independent interconnected networks. The design of the internet is based on a trust relationship between these networks and relies on a protocol known as the Border Gateway Protocol (BGP) to route traffic among the various networks worldwide. BGP is the protocol that Internet Service Providers (ISPs) and enterprises use to exchange route information with one another. Unfortunately, BGP was not designed with security in mind. Traffic typically traverses multiple networks to get from its source to its destination. Networks trust the BGP information they receive from their neighbors, and this lack of security makes BGP vulnerable to route hijacks. A route hijack attack can deny access to internet services, misdeliver traffic to malicious endpoints, and cause routing instability. A technique known as BGP Route Origin Validation (ROV) is designed to protect against route hijacking by checking whether the autonomous system announcing a prefix is authorized to originate it.
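To make the origin check concrete, here is an added example (not code from the NIST guide) that applies the ROV decision described above, as specified in RFC 6811, to a constructed set of Route Origin Authorizations (ROAs) and candidate BGP announcements; the prefixes and AS numbers are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A validated ROA: the holder of `prefix` authorizes `origin_asn`
    to originate it (and more-specifics up to `max_length`)."""
    prefix: str
    max_length: int
    origin_asn: int


def validate_origin(route_prefix: str, origin_asn: int, roas) -> str:
    """Return the RFC 6811 validation state for one announcement."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if net.version == route.version and route.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "NotFound"          # no ROA says anything about this prefix
    for roa in covering:
        if (roa.origin_asn == origin_asn and roa.origin_asn != 0
                and route.prefixlen <= roa.max_length):
            return "Valid"         # some covering ROA authorizes this origin
    return "Invalid"               # covered, but no ROA authorizes this origin


def accepted_routes(announcements, roas):
    """Common ROV policy: drop Invalid, accept Valid and NotFound."""
    return [(p, asn) for p, asn in announcements
            if validate_origin(p, asn, roas) != "Invalid"]


# Constructed sample data (TEST-NET / documentation ASNs only)
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate origin        -> Valid
    ("192.0.2.0/24", 64511),     # wrong origin (hijack)    -> Invalid
    ("192.0.2.0/25", 64496),     # more specific than maxLength -> Invalid
    ("198.51.100.0/24", 64497),  # no ROA at all            -> NotFound
    ("2001:db8:1::/48", 64496),  # IPv6 within maxLength    -> Valid
]
```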
The National Cybersecurity Center of Excellence (NCCoE) has developed proof-of-concept demonstrations of BGP ROV implementation designed to improve the security of the internet's routing infrastructure. This NIST Cybersecurity Practice Guide—Draft SP 1800-14, Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation—demonstrates how networks can reduce their exposure to route hijacks by using available security protocols, products, and tools to perform BGP ROV. The example implementation described in this guide aims to protect the integrity and improve the resiliency of internet traffic exchange by verifying the origin of each route. Our standards-based example solution uses commercially available products and can be used in whole or in part. It can also be used as a reference to help an organization design its own custom solution.
Comments are due October 15, 2018, and may be submitted to sidr-nccoe@nist.gov.
Created September 05, 2018, Updated October 24, 2018