
Summary

We live in a network-centric society that increasingly relies on the Internet’s routing infrastructure to facilitate human communication, connect users to online services, interconnect distinct components of modern cloud computing systems, and enable devices to interact in the Internet of Things (IoT).

Internet Routing Infrastructure

As originally designed, the Internet’s routing infrastructure has systemic vulnerabilities that expose many critical systems to theft of service, loss of privacy, and wide-scale outages. NIST is working with industry to design, standardize, and foster deployment of technologies that improve the security and resilience of Internet routing.

Description

Today’s global Internet consists of roughly 800,000 distinct destination prefixes interconnected by some 60,000 enterprise and Internet Service Provider (ISP) networks. The Border Gateway Protocol (BGP) is the “glue” that holds the modern Internet together: it exchanges reachability information about each destination among interconnected networks. Each autonomous network combines the BGP data it receives with its own business policies to compute the paths that user traffic will follow.

As currently deployed, BGP has no way to authenticate these global information exchanges and provides no means to detect or mitigate large-scale policy violations. The result is an ever-increasing number of “BGP hijacks”, in which malicious parties falsely claim reachability to destinations in order to steal their traffic, or forge information about their paths in order to detour traffic along routes that facilitate further attacks on the communicating systems and the information they exchange.
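The origin-hijack case described above (an AS falsely claiming to originate someone else’s prefix) is what RPKI-based Route Origin Validation (ROV, RFC 6811) is designed to catch. The following Python is an added example, not NIST code and not the NIST RPKI Monitor: it implements the RFC 6811 validation rule over a constructed set of Route Origin Authorizations (ROAs). The prefixes (RFC 5737 TEST-NETs, RFC 3849 documentation IPv6 space), the ASNs (RFC 5398 documentation range) and the ROAs are all made up for illustration.

```python
"""Route Origin Validation (RFC 6811) against a constructed set of ROAs.

Added example; not NIST code. All prefixes, ASNs and ROAs below are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maxLength and the authorized origin AS."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_asn: int


def make_roa(prefix: str, origin_asn: int, max_length: int | None = None) -> ROA:
    """Build a ROA; a missing maxLength defaults to the prefix length (RFC 6482)."""
    net = ipaddress.ip_network(prefix, strict=True)
    max_len = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= max_len <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_len} out of range for {net}")
    return ROA(net, max_len, origin_asn)


def validate_origin(prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """Classify an announced (prefix, origin AS) as "Valid", "Invalid" or "NotFound".

    RFC 6811: a ROA "covers" a route if the route prefix equals or is more
    specific than the ROA prefix. The route is Valid if at least one covering
    ROA has the same origin AS and a maxLength >= the route's prefix length;
    Invalid if covering ROAs exist but none match; NotFound if none cover it.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    # Compare only within the same address family; subnet_of() rejects mixed versions.
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


# Constructed ROA set. An AS0 ROA (RFC 7607) states that no AS may originate the prefix.
ROAS = [
    make_roa("192.0.2.0/24", 64496),                    # maxLength defaults to /24
    make_roa("198.51.100.0/22", 64497, max_length=24),  # de-aggregation down to /24 allowed
    make_roa("203.0.113.0/24", 0),                      # AS0: every announcement is Invalid
    make_roa("2001:db8::/32", 64500, max_length=48),
]

# Constructed announcements: (prefix, origin AS, what the case represents)
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496, "legitimate origin"),
    ("192.0.2.0/24", 64511, "origin hijack: wrong AS claims the prefix"),
    ("192.0.2.0/25", 64496, "more-specific hijack: /25 exceeds maxLength /24"),
    ("198.51.100.0/23", 64497, "legitimate de-aggregation within maxLength"),
    ("203.0.113.0/24", 64498, "prefix covered only by an AS0 ROA"),
    ("2001:db8:1::/48", 64500, "IPv6 route within its ROA's maxLength"),
    ("10.0.0.0/8", 64499, "no covering ROA at all"),
]


def audit(announcements=ANNOUNCEMENTS, roas=ROAS) -> dict[tuple[str, int], str]:
    """Run ROV over each announcement; returns {(prefix, origin AS): state}."""
    return {(p, asn): validate_origin(p, asn, roas) for p, asn, _ in announcements}


if __name__ == "__main__":
    for (prefix, asn), state in audit().items():
        print(f"{prefix:>18}  AS{asn:<6} -> {state}")
```

Two points the output makes that the prose does not: a hijack of a more-specific prefix is caught only because the ROA's maxLength is tight, and a route with no covering ROA is merely NotFound, not Invalid, so ROV protects only prefixes whose holders have published ROAs. A maxLength looser than what is actually announced lets an attacker originate a more-specific prefix with the legitimate AS forged as origin and still pass as Valid, which is why RFC 9319 recommends keeping maxLength minimal.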

BGP Hijacks steal and divert Internet traffic to attackers.

In addition to malicious hijacks, common configuration errors frequently produce large-scale “BGP leaks”, in which routing information is propagated in violation of contracted business policies and engineered network capacity designs. Such leaks often cause wide-scale outages that affect entire national-scale communication infrastructures for hours.
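A route leak in the sense used above is a propagation that breaks the customer/provider/peer policy pattern (RFC 7908 catalogues the types; the common one is a multihomed customer re-announcing a route learned from one provider to another). The following Python is an added example, not NIST code: it walks a received AS_PATH against a table of AS relationships and flags the hop at which the “valley-free” rule (climb customer-to-provider links, cross at most one peer link, then only descend provider-to-customer links) is violated. The ASNs (RFC 5398 documentation range) and the relationship table are constructed for illustration.

```python
"""Route-leak check on a received AS_PATH using AS business relationships.

Added example; not NIST code. The ASNs and relationships below are constructed.
Rule applied: along the propagation path from origin to observer, a route may
go "up" (customer->provider) any number of times, cross at most one "peer"
link, and afterwards only go "down" (provider->customer).
"""
from __future__ import annotations

# Constructed topology: (provider, customer) pairs; peer links are unordered.
PROVIDER_TO_CUSTOMER = {
    (64500, 64501),  # AS64500 is a provider of AS64501
    (64500, 64502),  # ... and of AS64502
    (64501, 64503),  # AS64503 is multihomed to AS64501 and AS64502
    (64502, 64503),
    (64501, 64510),  # AS64510 originates the prefix; its provider is AS64501
}
PEERS = {frozenset({64501, 64502})}


def hop_type(sender: int, receiver: int) -> str | None:
    """Classify the link over which `sender` announced the route to `receiver`."""
    if (receiver, sender) in PROVIDER_TO_CUSTOMER:
        return "up"      # customer announcing to its provider
    if (sender, receiver) in PROVIDER_TO_CUSTOMER:
        return "down"    # provider announcing to its customer
    if frozenset({sender, receiver}) in PEERS:
        return "peer"
    return None          # relationship unknown: cannot judge this hop


def check_route(observer: int, as_path: list[int]) -> tuple[str, int | None]:
    """Return ("ok", None), ("leak", leaking_asn) or ("unknown", asn).

    `as_path` is in BGP order: first element is the neighbor that sent the
    route to `observer`, last element is the origin AS. Prepended (repeated)
    ASNs are collapsed so that prepending is not mistaken for a bad hop.
    """
    path: list[int] = []
    for asn in as_path:
        if not path or path[-1] != asn:
            path.append(asn)
    hops = list(reversed(path)) + [observer]  # origin, ..., neighbor, observer
    descending = False  # True once the route has gone down or crossed a peer link
    for sender, receiver in zip(hops, hops[1:]):
        kind = hop_type(sender, receiver)
        if kind is None:
            return ("unknown", sender)
        if kind == "down":
            descending = True
        elif descending:
            # "up" or "peer" after the route already descended: `sender`
            # re-exported a provider- or peer-learned route to a provider or peer
            return ("leak", sender)
        elif kind == "peer":
            descending = True  # only "down" hops may follow a peer crossing
    return ("ok", None)


# Constructed cases: (observer AS, AS_PATH as received, description)
CASES = [
    (64503, [64501, 64510], "customer hears its provider: up then down"),
    (64502, [64501, 64510], "AS64502 hears it from peer AS64501: up then peer"),
    (64502, [64503, 64501, 64510],
     "AS64503 re-announces a provider-learned route to its other provider"),
    (64500, [64502, 64501, 64510],
     "AS64502 exports a peer-learned route to its provider AS64500"),
    (64500, [64501, 64501, 64510], "AS_PATH prepending by AS64501 is not a leak"),
    (64502, [64501, 64509], "origin AS64509 has no known relationship"),
]


def run_cases(cases=CASES) -> list[tuple[str, int | None]]:
    """Evaluate every constructed case in order."""
    return [check_route(observer, path) for observer, path, _ in cases]


if __name__ == "__main__":
    for (observer, path, what), verdict in zip(CASES, run_cases()):
        print(f"AS{observer} <- {path}: {verdict}  ({what})")
```

This is a detection-side check and is only as good as the relationship table, which in practice is private to the networks involved or inferred from observed paths and therefore incomplete (hence the explicit "unknown" result rather than a guess). The prevention approach standardized in RFC 9234 (BGP Roles negotiated in OPEN, plus the Only-to-Customer attribute) lets the sending and receiving routers enforce the same rule on each hop without any external relationship inference.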

Figure: ISOC analysis of the frequency of BGP hijack and leak incidents in 2021 (credit: Internet Society and BGPstream).

NIST, in collaboration with the Department of Homeland Security Science and Technology Directorate (DHS S&T), is working closely with the Internet industry to design, standardize and foster deployment of extensions to BGP that address these security and robustness issues.

NIST staff are leading contributors to the development of Internet Engineering Task Force (IETF) specifications for BGP protocol extensions that mitigate malicious attacks and route leaks. NIST-developed reference implementations, test systems, measurement tools, performance analyses and deployment guidance are serving as a catalyst for the emerging global deployment of these critical technologies.

Major Accomplishments

See the list of Associated Products for a complete listing of our technical contributions.

  • 2021 – Release of a new version of the NIST RPKI Monitor, adding analysis features for understanding the completeness, correctness, and stability of the global RPKI-ROV infrastructure.

  • 2020 – Project staff published comprehensive guidance for enterprises and ISPs on BGP security and DDoS mitigation techniques (NIST SP 800-189).
  • 2020 – Project staff led the design and standardization of techniques that enhance the utility of Reverse Path Filtering as a means to mitigate Internet DDoS threats (RFC 8704).
  • 2018 – Project staff developed and employed scalable test tools to examine the scalability and robustness of emerging commercial implementations and production services for RPKI-based origin validation, in support of the NCCoE SIDR Project.
  • Poster: High Performance BGP Security: Algorithms and Architectures.
  • 2018 – Project staff led IETF design and standardization of BGP route leak mitigation techniques and BGP-enabled DDoS mitigation techniques.

  • 2017 – Project staff led IETF efforts to finalize the BGPsec standard specifications and updated the NIST reference implementations to the final version of the specification.
  • 2017 – Project staff and collaborators published research on high-performance cryptography and optimization techniques that dramatically improve the performance of BGPsec implementations.
  • 2017 – Project staff released an online system to test and measure global deployment of the RPKI routing security infrastructure.

    Poster: NIST RPKI Measurement & Analysis System (design of the NIST RPKI Monitor).
  • 2016 – Project staff conducted, on behalf of industry partners, extensive performance and scaling analysis of emerging BGPsec prototype implementations.
  • 2016 – Project staff led industry outreach workshops with the North American Network Operators Group (NANOG) to examine the state of products and services for RPKI-based BGP origin validation.
  • Spring 2016 – Project staff led the development of the IETF specification defining the route leak problem.
  • 2010 through 2015 – Project staff led the modeling and analysis activities in support of emerging IETF protocol designs for BGP security extensions.
  • Poster: Threats & Vulnerabilities in Internet Inter-domain Routing and Significant Attacks.
  • 2006 through 2010 – Project staff conducted modeling and analysis of the BGP security problem space, including modeling of large-scale attack scenarios and comparative analysis of BGP anomaly detection algorithms and other approaches that do not require changes to the existing routing system.

Created August 14, 2016, Updated September 16, 2024