Electronic messages traveling across the Internet are under constant threat from data thieves, but new security standards can reduce the risk of intercepted or stolen messages.
These standards address a security weakness that has been a part of the Internet since its earliest days.
The set of standards, known as Secure Inter-Domain Routing (SIDR), have been published by the Internet Engineering Task Force (IETF) and represent a comprehensive effort to defend the Internet’s routing system from attack.
The effort has been led by a collaboration between the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) Science and Technology Directorate, working closely with the Internet industry. The new specifications provide the first standardized approach for global defense against sophisticated attacks on the Internet’s routing system.
The overall strategy creates a defense mechanism for the Border Gateway Protocol (BGP), the system that routers — the devices that direct information toward its destination — use to determine the path data takes as it travels across the collection of networks that comprise the Internet. BGP forms the technical glue holding the Internet together, but historically, its lack of security mechanisms makes it an easy target for hacking.
“BGP is a global scale system, where routing data for hundreds of thousands of destinations is exchanged between tens of thousands of networks. The informal trust mechanisms we’ve relied on in the past can’t be scaled up to protect a system of that size,” said Doug Montgomery, a NIST computer scientist and manager of the NIST project. “BGP as currently deployed has no built-in security mechanisms, so it is common to see examples of ‘route hijacks’ and ‘path detours’ by malicious parties meant to capture, eavesdrop upon or deny legitimate Internet data exchanges.”
BGP was created in the late 1980s to allow routers to exchange information and calculate the best path among millions of possibilities for data to travel across the Internet. BGP enables the modern commercial Internet, but it evolved at a time when security was not a significant concern, and Internet operators have been coping with security problems as a result.
Known BGP attacks since 2008 have resulted in stolen financial payments and network disruption, but so far, these have been relatively small-scale. In many ways, Montgomery said, we are simply lucky that there haven’t been more focused and malicious attacks that take advantage of BGP’s vulnerabilities.
“The fact that they haven’t been dramatically exploited yet shouldn’t make you feel better,” Montgomery said. “Think of how much of our critical infrastructure relies on Internet technology — transportation, communication, financial systems, et cetera. Someday, someone will have the motivation.”
The overall defensive effort will use cryptographic methods to ensure routing data travels along an authorized path between networks. There are three essential components of the IETF SIDR effort: The first, Resource Public Key Infrastructure (RPKI), provides a way for a holder of a block of Internet addresses — typically a company or cloud service provider—to stipulate which networks can announce a direct connection to their address block; the second, BGP Origin Validation, allows routers to use RPKI information to filter out unauthorized BGP route announcements, eliminating the ability of malicious parties to easily hijack routes to specific destinations.
The third component, BGP Path Validation (also known as “BGPsec”), is what is described in the suite of draft standards (RFCs 8205 through 8210) the IETF just published.
Its innovation is to use digital signatures by each router to ensure the entire path across the internet crosses only authorized networks. Employing this idea of “path validation” together with origin validation could deter stealthy attacks intended to reroute data without the recipient realizing it.
The new specifications for BGP Path Validation, along with the other components of the complete solution are available at the IETF Secure Inter-Domain Routing Working Group’s website.
With their publication, Montgomery said, NIST’s efforts will shift to helping the industry with adoption, including developing technical deployment guidance as well as working on improving the performance and scalability of implementations.