Robust Inter-Domain Routing

Current Project Plans

Recent growth in the number [2] and sophistication [3] [4] of attacks on the Internet’s Border Gateway Protocol (BGP) infrastructure has resulted in the National Cybersecurity Strategy [7] identifying the goal of improving the security and resilience of the Internet’s global routing infrastructure as a top priority and assigning NIST the task of accelerating the development, standardization and commercialization of technologies and guidance necessary to achieve that goal [5].

There has been much recent progress in the design, standardization, and commercialization of new BGP security mechanisms.  IETF specifications for BGP Route Origin Validation (ROV) have been largely completed, a global Resource Public Key Infrastructure (RPKI) service has been deployed by the 5 Regional Internet Registries and today approximately 53% of the over 1 million routes announced in BGP are protected by cryptographically verifiable Route Origin Authorizations (ROAs) [6].

BGP ROV and the RPKI allow one to detect and filter simple route hijacks and accidental misconfigurations that also result in unauthorized BGP originations.  ROV was the first new BGP security technology developed by the IETF, but it’s simple mechanisms (specifically designed to limit the processing burden on routers) are not robust enough to stop sophisticated attackers who seek to forge other aspects of BGP announcements for the purpose of hijacking or re-routing traffic.

Internet routing security is a complex problem requiring multiple complementary solutions (e.g., ROA, ROV, ASPA, BGPsec, BAR-SAV, etc.).  These solutions leverage a common infrastructure called the Resource Public Key Infrastructure (RPKI) for registration of cryptographically signed attestation objects. NIST has made significant contributions (as technology inventors and lead authors of IETF RFCs and drafts) to these solutions.

NIST’s current research and standardization efforts focus on other serious threats to the security and resilience of the internet’s routing infrastructure: large scale failures caused by route-leaks and distributed denial of services attacks.  In FY 2025, NIST plans to work in collaboration with industry partners to advance IETF specifications for new components of the emerging suite of BGP security technologies.  These techniques (ASPA, SPL and ASRA) are described below.

Signed Prefix List (SPL) and SPL Route Origin Validation

The NIST BGP security team members have recently begun collaborating with Fastly on the Signed Prefix List (SPL) based Route Origin Validation (SPL-ROV) [7].  SPL is an extension to RPKI that enables an AS to publish a digitally signed list of the all the prefixes it originates or may originate.  This is like a ROA, only it is signed by the AS holder, rather than the prefix holder.  SPL extends ROV with a second data source that mitigates AS forgery and reduces the attack surface for forged-origin hijacking attacks (Figure 1).  Thus SPL-based ROV (SPL-ROV) will complement ROA-based ROV (ROA-ROV) and further extend BGP security.   

Figure 1: Reduction of forged-origin hijacking attack surface due to SPL-ROV.

Deliverables from this task will include:

• NIST will update recently submitted Internet Draft based on IETF working group (WG) feedback and advance it to the IETF SIDROPS WG last call by 3Q25.

Projected Impact:

• Signed prefix lists will enhance the ability of ISPs to provide another, complementary form of route origin authentication information.  Once implemented, SPL capabilities will increase coverage of ROA data on the Internet.

Autonomous System Relationship Authorization (ASRA)

NIST BGP security team members are in discussions in the IETF with industry partners (Juniper Networks, Akamai, Huawei, University of Connecticut) to propose a new RPKI-based attestation object called Autonomous System Relationship Authorization (ASRA) which will complement ASPA [8] by expanding its AS path manipulation detection capability. Currently, there is a significant gap in the ASPA design in that it fails to detect AS path manipulation using a faked-link (i.e., a faked BGP connection) and advertising BGP updates with forged-origin or forged-path-segment to customer autonomous systems (ASes) (see Figure 2).  ASRA seeks to accomplish this by allowing ASes to register their list of customers and lateral peers.  The details of the algorithm that combines ASPA and ASRA are being worked out with NIST leading the effort. This methodology will be proposed to the IETF in form of a new Internet Draft and the work will be pursued through FY 2025.

           Figure 2: An ASPA vulnerability of allowing a forged peering (false link) to go undetected is mitigated by ASRA.

Deliverables from this task will include:

• Submission of a new Internet Draft describing the ASRA object and the associated path verification algorithm and advance it to the IETF SIDROPS WG last call stage by 4Q25.

Projected Impact:

• Progression of ASRA specifications will close an existing security gap in the feasible path validation algorithms of ASPA.
• NIST will continue to further strengthen its position as one of the most active contributors and leaders in the IETF to advance Internet routing security technology and standards.

Completing Route Leak and DDoS Mitigation Standards

While technologies to address forged routing announcements have been standardized and are at varying stages of commercialization and deployment, there are other systemic vulnerabilities in the global BGP routing system that often trigger cascading failures of significant scale [9] [10].   NIST led the effort in the IETF to define the problem posed by “route leaks” [11] and to focus the community on developing standardized solutions.  We are currently pursuing two distinct solutions for detecting and mitigating route leaks.  The first solution involves a simple signaling mechanism within a single network to detect a subset of potential route-leak scenarios [12].  A second more complete solution proposes to extend the RPKI to include digitally signed autonomous system provider authorization (ASPA) objects [13] that document the peering relationship between inter-connected networks and provides a validation algorithm [14] to allow any network to attempt to verify that a BGP announcement it receives does not violate the common peering arrangements between networks and their neighboring ISPs (Figure 3).

Figure 3 ASPA-based Route Leak Mitigation

Another systemic vulnerability of the Internet routing infrastructure is the lack of viable mechanisms to enable routers to detect packets in the data plane with “spoofed” source addresses.   Address spoofing is a common technique for malicious actors to try to circumvent some security mechanisms or to bounce traffic off high performance Internet servers toward a target victim at such a rate that the target system collapses under the load [15].  These attacks are known as “reflection attacks,” and while there has been guidance [16] to filter packets with spoofed source addresses for over 20 years, we have lacked robust algorithms to compute the sets of filters necessary given the complexity of modern Internet routing topologies.

Figure 4:  BAR-SAV - New Approach to DDoS Mitigation

To address this issue NIST led the design and standardized a viable algorithm to compute such filters [17].  With the emergence of the proposed RPKI extensions to address the route leak problem, NIST developed a new source address validation algorithm (BAR-SAV) that is more robust than our first scheme over a wider variety of network deployment scenarios [18].

Deliverables from this task will include:

The IETF specifications related to the BAR-SAV and ASPA topics are multi-year NIST lead efforts in the IETF.   Both specifications are reasonably mature and near ready to progress towards final RFC status.  Remaining NIST efforts for FY25 include:

• Process comments received in working group last call (WGLC) of the ASPA verification specification and submit for publication.
• When ASPA standards are finalized, NIST will update our open-source  reference implementations [19] of the ASPA specifications and extend our test tools and synthetic data sets to address the latest changes in the standards.
• The BAR-SAV specification is mature and could be sent to WGLC as soon as the ASPA specification upon which it depends is submitted for publication.   When this is possible NIST will handle progression and comment resolution associated with WGLC.

Projected Impact:

• ASPA and BAR-SAV standards once commercialized in BGP routers and supporting routing infrastructure software will provide focused solutions to route-leak and DDoS vulnerabilities that threaten the Internet today.

Revising NIST Security Guidance on Inter-Domain Routing

In 2019 NIST published its first comprehensive security guidance on Internet routing.  NIST SP-800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation.  The National Cybersecurity Strategy Implementation plan and an emerging executive order on cyber security task NIST to update this guidance to address current commercially viable BGP security solutions and to address emerging standards to include ASPA and BAR-SAV.  Updating of the NIST special publication 800-189 is ongoing work.

Deliverables from this task will include:

• An initial draft of a revised SP-800-189 will be published for public comment in Q2FY25.

Projected impact:

• Revised NIST guidance on Inter-Domain routing will serve as a technical basis to support emerging USG RPKI deployment plans.

Accelerating US Adoption of BGP Security Mechanisms

There are significant efforts underway in the FCC [20], CISA [21], and the ONCD [22] to develop plans to drive adoption of emerging BGP security technologies in the US, and in particular, in USG networks where adoption to date is seriously lagging.  NIST is recognized as the USG’s technical expert in these issues and is collaborating with these organizations, and GSA, OMB, and ARIN to provide data and analysis to guide USG adoption plans and to provide technical guidance to support their implementation.   

In FY24 tasks in this area included providing measurement data, analyses, and subject matter expertise to FCC and OMB teams and software updates to the NIST Internet Routing Data Analysis Framework (see below) to provide specific data and analyses requested by these other USG agencies.  These partner agencies have requested continued SME support in FY25 as their plans transition to implementation.  The FCC, ONCD and have requested NIST to add new features and forms of analysis to the NIST RPKI Monitor to support their current implementation plans.

Deliverables from this task will include:

• Continued SME support of FCC and ONCD efforts and implementation plans.
• Software enhancements to the NIST RPKI Monitor (see below).

Projected impact:

• Contributing to technically sound implementation plans and deployment procedures will expedite adoption of routing security technologies in the US.

Internet Routing Data Analysis Framework

The NIST RPKI Monitor [23] and its underlying Internet Routing Data Analysis Framework, provides a test and measurement infrastructure designed to monitor the dynamics of the global RPKI and the impact of RPKI-based BGP security mechanisms on Internet routing. Its purpose is to provide measurement data and analyses to the research, standardization, and operations communities necessary to improve the trust and confidence in the underlying technologies. Our NIST RPKI Monitor is widely used and cited in the industry as an authoritative source for data and analysis of the completeness and correctness of global RPKI data and its potential impact on global routing.

In FY24, in response to FCC and ONCD requests, NIST enhanced the NIST RPKI Monitor to provide custom views of subsets of global and regional metrics.   Specific new analyses were developed to examine specific perceived barriers to adoption by large ISPs.

In FY25 NIST will enhance the RPKI monitor to include analyses of ASPA RPKI objects and ASPA path validation.  In addition, project staff will implement the generalized ability for users the ability to define subset “views” of the global data based upon user defined sets of addresses or origin networks and allow users to subscribe to event notifications for changes in the resources in their defined view.

Figure 5: NIST RPKI Monitor

Deliverables from this task will include:

• Continued new feature enhancements to the RPKI Monitor as requested by USG and industry partners.

Projected impact:

• The NIST RPKI Monitor is widely relied on by USG and the Internet industry to provide accurate characterizations of the state of global deployment of emerging BGP security technologies.   Trusted measurements from NIST tool provide the technical basis for informed plans and implementation procedures.

References

[1]           S. L. Murphy, “BGP Security Vulnerabilities Analysis,” Internet Engineering Task Force, Request for Comments RFC 4272, Jan. 2006. doi: 10.17487/RFC4272. Available: https://datatracker.ietf.org/doc/rfc4272. [Accessed: May 10, 2024]

[2]           “BGP Security in 2021,” MANRS, Feb. 21, 2022. Available: https://www.manrs.org/2022/02/bgp-security-in-2021/. [Accessed: Jul. 08, 2022]

[3]           H. Birge-Lee, Y. Sun, A. Edmundson, J. Rexford, and P. Mittal, “Bamboozling Certificate Authorities with {BGP},” presented at the 27th {USENIX} Security Symposium ({USENIX} Security 18), 2018, pp. 833–849. Available: https://www.usenix.org/conference/usenixsecurity18/presentation/birge-l…. [Accessed: Feb. 21, 2019]

[4]           “KlaySwap - Another BGP Hijack Targeting Crypto Wallets,” MANRS, Feb. 17, 2022. Available: https://www.manrs.org/2022/02/klayswap-another-bgp-hijack-targeting-cry…. [Accessed: Jul. 08, 2022]

[5]           “National Cybersecurity Strategy Implementation Plan,” Executive Office of the President, Jul. 2023. Available: https://www.whitehouse.gov/wp-content/uploads/2023/07/National-Cybersec…. [Accessed: Sep. 11, 2023]

[6]           “NIST RPKI Monitor.” Available: https://rpki-monitor.antd.nist.gov/. [Accessed: Jul. 08, 2022]

[7]           K. Sriram, J. Snijders, and D. Montgomery, “Signed Prefix List (SPL) Based Route Origin Verification and Operational Considerations,” Internet Engineering Task Force, Internet Draft draft-ietf-sidrops-spl-verification-00, Jun. 2024. Available: https://datatracker.ietf.org/doc/draft-ietf-sidrops-spl-verification. [Accessed: Sep. 23, 2024]

[8]           A. Azimov, E. Bogomazov, R. Bush, K. Patel, J. Snijders, and K. Sriram, “BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects,” Internet Engineering Task Force, Internet Draft draft-ietf-sidrops-aspa-verification-18, Jul. 2024. Available: https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification. [Accessed: Sep. 23, 2024]

[9]           D. Goodin, “Google goes down after major BGP mishap routes traffic through China,” Ars Technica, Nov. 13, 2018. Available: https://arstechnica.com/information-technology/2018/11/major-bgp-mishap…. [Accessed: Apr. 25, 2022]

[10]        Y. Huang, “Internet Outrage Caused by Verizon Shows How Fragile the Internet Routing Is,” Medium, Jul. 02, 2019. Available: https://medium.com/hackernoon/internet-outrage-caused-by-verizon-shows-…. [Accessed: Jan. 07, 2021]

[11]        K. Sriram, D. Montgomery, D. McPherson, E. Osterweil, and B. Dickson, “Problem Definition and Classification of BGP Route Leaks,” RFC Editor, RFC7908, Jun. 2016. doi: 10.17487/RFC7908. Available: https://www.rfc-editor.org/info/rfc7908. [Accessed: Jan. 16, 2018]

[12]        A. Azimov, E. Bogomazov, R. Bush, K. Patel, and K. Sriram, “Route Leak Prevention and Detection Using Roles in UPDATE and OPEN Messages,” Internet Engineering Task Force, Request for Comments RFC 9234, May 2022. doi: 10.17487/RFC9234. Available: https://datatracker.ietf.org/doc/rfc9234. [Accessed: May 09, 2022]

[13]        A. Azimov, E. Bogomazov, R. Bush, K. Patel, J. Snijders, and K. Sriram, “BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects,” Internet Engineering Task Force, Internet Draft draft-ietf-sidrops-aspa-verification-16, Aug. 2023. Available: https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification. [Accessed: Sep. 11, 2023]

[14]        A. Azimov, E. Bogomazov, R. Bush, K. Patel, and J. Snijders, “Verification of AS_PATH Using the Resource Certificate Public Key Infrastructure and Autonomous System Provider Authorization,” Internet Engineering Task Force, Internet Draft draft-azimov-sidrops-aspa-verification-01, Oct. 2018. Available: https://datatracker.ietf.org/doc/draft-azimov-sidrops-aspa-verification. [Accessed: Jul. 08, 2022]

[15]        C. Cimpanu, “Google says it mitigated a 2.54 Tbps DDoS attack in 2017, largest known to date,” ZDNet. Available: https://www.zdnet.com/article/google-says-it-mitigated-a-2-54-tbps-ddos…. [Accessed: Oct. 19, 2020]

[16]        D. Senie and P. Ferguson, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing,” Internet Engineering Task Force, Request for Comments RFC 2827, May 2000. doi: 10.17487/RFC2827. Available: https://datatracker.ietf.org/doc/rfc2827. [Accessed: Jul. 08, 2022]

[17]        K. Sriram, D. Montgomery, and J. Haas, “Enhanced Feasible-Path Unicast Reverse Path Forwarding,” Internet Engineering Task Force, Request for Comments RFC 8704, Feb. 2020. doi: 10.17487/RFC8704. Available: https://datatracker.ietf.org/doc/rfc8704. [Accessed: Nov. 09, 2021]

[18]        K. Sriram, I. Lubashev, and D. Montgomery, “Source Address Validation Using BGP UPDATEs, ASPA, and ROA (BAR-SAV),” Internet Engineering Task Force, Internet Draft draft-ietf-sidrops-bar-sav-00, Feb. 2023. Available: https://datatracker.ietf.org/doc/draft-ietf-sidrops-bar-sav. [Accessed: Mar. 07, 2023]

[19]        “BGP Secure Routing Extension (BGP‑SRx) Software Suite,” NIST, Aug. 2016, Available: https://www.nist.gov/services-resources/software/bgp-secure-routing-ext…. [Accessed: Jul. 08, 2022]

[20]        “FCC Launches Inquiry into Internet Routing Vulnerabilities,” Federal Communications Commission, Feb. 28, 2022. Available: https://www.fcc.gov/document/fcc-launches-inquiry-internet-routing-vuln…. [Accessed: Mar. 07, 2022]

[21]        “CISA’s Jen Easterly, FCC’s Jessica Rosenworcel on Need to Advance Border Gateway Protocol Security,” Aug. 03, 2023. Available: https://executivegov.com/2023/08/cisas-jen-easterly-fccs-jessica-rosenw…. [Accessed: Aug. 04, 2023]

[22]        “Roadmap to Enhancing Internet Routing Security,” Office of the National Cyber Director, Sep. 2024. Available: https://bidenwhitehouse.archives.gov/wp-content/uploads/2024/09/Roadmap…. [Accessed: Sep. 16, 2024]

[23]        “NIST RPKI Deployment Monitor.” Aug. 15, 2016. Available: https://www.nist.gov/services-resources/software/nist-rpki-deployment-m…. [Accessed: Sep. 13, 2023]

Robust Inter Domain Routing

Collaborators (67) = APNIC, ARIN, AT&T, Akamai, Akamai Technologies, Antara Teknik LLC, Arrcus, BBN Technologies, Boston University, CableLabs, Charter Communications, Cisco, Cloudflare, Columbia University, Comcast, DE CIX, FCC, Fastley, Fastly, Federal Communications Commission, George Washington University, Georgia Tech University, GoDaddy, Google, Hebrew University of Jerusalem, Huawei, IIJ, ISOC, Internet Initiative Japan, Internet Initiative Japan (IIJ), Internet Neutral Exchange Association (INEX), Internet Society, Internet2, Juniper, Juniper Networks, Kentik, Lumen, MIT, NCTA, NIST, NLnet Labs, NTT, National Science Foundation, Netscout, New College of Florida, None, ONCD, OpenBGPD Org., Parsons, Princeton University, Qrator Labs, RIPE NCC, Research institute CODE, SkyUK, Tsinghua University, Universitaet der Bundeswehr Muenchen, University of Chicago, University of Connecticut, University of Kentucky, University of Twente, Verisign, W3C/MIT, Workonline Communications, Yandex, ZDNS, Zhongguancun Laboratory, sn3rd