Image
Get Started
The Internet is a network of networks. In order for your network to connect to the C-SCRIP website, it must exchange data with adjoining networks in order to determine the best route. The Border Gateway Protocol (BGP) is the way in which networks announce that they are a destination or that they are a route to a destination on the Internet. Neither the destination nor the route is authenticated. Both can be false, and a network sending traffic has no basis for knowing from BGP announcements if they are valid. False announcements (a.k.a. hijacks) can cause significant harms including loss of service and espionage.
The American Registry of Internet Numbers (ARIN) is a nonprofit, member-based organization that administers IP addresses and autonomous system numbers (ASNs) in support of the operation and growth of the Internet. ARIN offers a routing security service known as Resource Public Key Infrastructure: Route Origin Authorization (ROA) / Route Origin Validation (ROV) that validates an Internet destination. RPKI:ROA/ROV has two interdependent components. A ROA is a cryptographically verifiable statement that a network is authorized to originate a prefix (that a network is authorized to announce that those destinations can be found on that network). ROV is the method of validating BGP announcements against the ROA data (determining whether a BGP announcement is valid or invalid).
Implementing RPKI:ROA/ROV takes a short period of time to set up and helps protect against significant network disruption. The importance of addressing BGP vulnerabilities through solutions like RPKI:ROA/ROV has been recognized in the National Cybersecurity Strategy.
Rulemaking on Border Gateway Protocol Risk Mitigation
The FCC has issued a Notice of Proposed Rulemaking to increase the security of the information routed across the internet and promote national security by requiring broadband providers to report on their progress in addressing vulnerabilities in the Border Gateway Protocol.
Service providers would be required to develop BGP Routing Security Risk Management Plans that describe their plans for and progress in implementing security measures that utilize the Resource Public Key Infrastructure (RPKI). Nine of the largest service providers would be required to file specific additional data on a quarterly basis. The FCC also seeks comment on issues related to implementing RPKI-based security measures.
Comments are due on or before July 17, 2024 and reply comments are due on or before August 1, 2024.
More Border Gateway Protocol Resource
This document is intended to improve the security and stability of the global Internet by allowing networks to verify the validity of BGP routing information and strengthen the security and stability of traffic flowing across the global Internet. Volume C within the document includes how-to guides.
This two-page guide discusses how to protect your resources and enhance your routing security using ARIN’s Resource Public Key Infrastructure (RPKI) services.
This profile is an actionable and adaptable guide, aligned with the Cybersecurity Framework (CSF), that enables Internet Service Providers (ISPs), enterprise networks, cloud service providers and organizations — large and small — to proactively identify risks and mitigate threats to enhance routing infrastructure security.
The guide, authored by the Mutually Agreed Norms for Routing Security (MANRS), is targeted at stub networks and small providers, and captures the best current operational practices deployed by network operators around the world.
RouteViews provides detailed public views of Internet routing data. It was originally conceived in 1995 as a tool for Internet operators to obtain real-time Border Gateway Protocol (BGP) information about the global routing system from the perspectives of several different backbones and locations around the Internet.
NANOG is an organization that is dedicated to the ongoing advancement of an open, secure, and robust Internet, by inspiring, educating, and empowering its community of network professionals to meet the ever-changing demands of a global network. NANOG holds three major meetings a year, fostering a community of network professionals who collaborate, share knowledge, and discuss operational challenges related to Internet infrastructure and networking.
This publication on Resilient Interdomain Traffic Exchange (RITE) includes initial guidance on securing the interdomain routing control traffic, preventing IP address spoofing, and certain aspects of DoS/DDoS detection and mitigation. Many of the recommendations in this publication focus on the Border Gateway Protocol (BGP).
This project team at NIST has been working closely with the internet industry to design, standardize and foster deployment of extensions to BGP to address these security and robustness issues. Their website contains reference implementations, test systems, measurement tools, performance analyses and deployment guidance.
This 2013 report recommends a framework for industry regarding incremental adoption of secure routing procedures and protocols based on existing work in industry and research. The framework will be proposed in a way suitable for opt-in by Internet Service Providers (ISPs) in order to create incentives for a wider scale, incremental ISP deployment of secure BGP protocols and practices in a market-driven, cost-effective manner.
This workshop highlighted the critical importance of addressing risks associated with BGP in light of the risk of consumer harm posed by unsecured Internet routing and explored effective security practices to mitigate these vulnerabilities.