Date Published: December 2018
Author(s)
Kotikalapudi Sriram (NIST), Douglas Montgomery (NIST)
Announcement
In recent years, numerous routing control plane anomalies, such as Border Gateway Protocol (BGP) prefix hijacking and route leaks, have resulted in Denial of Service (DoS), unwanted data traffic detours, and performance degradation. Large-scale Distributed Denial of Service (DDoS) attacks on servers using spoofed Internet Protocol (IP) addresses and reflection-amplification in the data plane have caused significant disruption of services and resulting damages.
This document provides technical guidance and recommendations for technologies that improve the security and robustness of interdomain traffic exchange. Technologies recommended in this document for securing the interdomain routing control traffic include Resource Public Key Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS and DDoS attacks include prevention of IP address spoofing using source address validation with Access Control Lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies, such as Remotely Triggered Black Hole (RTBH) filtering, Flow Specification (Flowspec), and Response Rate Limiting (RRL), are also recommended as part of the overall security mechanisms.
The document is intended to guide information security officers and managers of federal enterprise networks. The guidance also applies to the network services of hosting providers (e.g., cloud-based applications and service hosting) and Internet Service Providers (ISPs) when they are used to support federal IT systems. The guidance will also be useful for enterprise and transit network operators and equipment vendors in general.
This document gives technical guidelines and recommendations for secure interdomain traffic exchange. The primary audience includes information security specialists and network managers. These guidelines apply to routing and Internet transit service infrastructure related to federal networks, especially in Internet border routers. The guidelines will also be useful for network operators and equipment vendors in general. There have been numerous incidents in recent years involving routing control plane anomalies, such as prefix hijacking and route leaks, resulting in Denial of Service (DoS), unwanted data traffic detours, and performance degradation. Large-scale DoS and Distributed DoS (DDoS) attacks on servers using spoofed Internet Protocol (IP) addresses and reflection-amplification in the data plane have also been frequent, resulting in significant disruption of services and revenue losses.
This initial guidance on Secure Interdomain Traffic Exchange (SITE) includes securing the Interdomain routing control traffic, preventing IP address spoofing, and certain aspects of DoS/DDoS detection and mitigation. The Border Gateway Protocol (BGP) is used for sharing and propagating routing control (i.e., reachability) messages between domains or Autonomous Systems. The Internet Engineering Task Force (IETF) and networking community at large have been actively working on mechanisms for BGP security.
Technologies recommended in this document for securing the Interdomain routing control traffic include Resource Public Key Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS/DDoS attacks focus on prevention of IP address spoofing using Source Address Validation (SAV) with Access Control Lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies (including some application plane methods) such as Remotely Triggered Black Hole (RTBH) filtering, Flow Specification (Flowspec), and Response Rate Limiting (RRL) are also recommended as part of the overall security mechanisms.
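The abstract recommends RPKI-based BGP origin validation (BGP-OV) without describing the check itself. The following is an added illustration, not code from the NIST document: it implements the origin validation outcome (Valid, Invalid, NotFound) that a router derives from Route Origin Authorizations (ROAs), following the RFC 6811 semantics, and applies the common deployment policy of dropping Invalid routes. The ROA set, the announced prefixes and the AS numbers are constructed sample values drawn from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization as distributed by an RPKI validator."""
    prefix: str       # covered prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the origin AS may announce
    origin_as: int    # authorized origin AS; AS 0 means no AS may originate


def validate_origin(announced_prefix: str, origin_as: int, roas) -> str:
    """Return "Valid", "Invalid" or "NotFound" per RFC 6811 origin validation.

    A ROA *covers* the announcement when its prefix contains the announced
    prefix (same address family).  An announcement is Valid when at least one
    covering ROA names the same origin AS and its maxLength permits the
    announced length; Invalid when covering ROAs exist but none matches;
    NotFound when no ROA covers the prefix at all.
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version:
            continue  # subnet_of() is only defined within one address family
        if net.subnet_of(roa_net):
            covering.append((roa, roa_net))

    if not covering:
        return "NotFound"

    for roa, _ in covering:
        # An AS 0 ROA authorizes nobody, so it can never produce Valid.
        if (roa.origin_as != 0
                and roa.origin_as == origin_as
                and net.prefixlen <= roa.max_length):
            return "Valid"
    return "Invalid"


def route_decision(announced_prefix: str, origin_as: int, roas) -> str:
    """Map the validation state to an import decision.

    Assumption (not stated on this page): the widely deployed policy of
    rejecting Invalid routes and accepting Valid and NotFound ones.
    """
    state = validate_origin(announced_prefix, origin_as, roas)
    return "reject" if state == "Invalid" else "accept"


# Constructed sample ROA set (documentation prefixes, private-use AS numbers).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("203.0.113.0/24", 24, 0),        # AS 0: nobody may originate this
]

if __name__ == "__main__":
    # Constructed announcements, including a more-specific hijack attempt
    # and a wrong-origin hijack attempt against covered space.
    for prefix, asn in [("192.0.2.0/24", 64496),
                        ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64500),
                        ("198.51.100.0/23", 64497),
                        ("10.0.0.0/8", 64496),
                        ("203.0.113.0/24", 64510)]:
        print(prefix, asn, validate_origin(prefix, asn, SAMPLE_ROAS),
              route_decision(prefix, asn, SAMPLE_ROAS))
```

The more-specific announcement 192.0.2.0/25 is Invalid even though it comes from the authorized AS, because the ROA's maxLength caps announcements at /24; this is the case that distinguishes a correctly constrained ROA from one with an overly generous maxLength, which would leave the holder exposed to more-specific hijacks from the same origin.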
Keywords
Routing security and robustness; Internet infrastructure security; Border Gateway Protocol (BGP) security; prefix hijacks, IP address spoofing; Distributed DoS (DDoS) attacks; Resource Public Key Infrastructure (RPKI); BGP origin validation (BGP-OV); prefix filtering; BGP path validation (BGP-PV); BGPsec; route leaks; Source Address Validation (SAV); unicast Reverse Path Forwarding (uRPF); Remotely Triggered Black Hole (RTBH) filtering; Flow Specification (Flowspec)