The internet is essential to the exchange of all manner of information. It is not a single network, but a complex grid of independent, interconnected networks. The design of the internet is based on a trust relationship between these networks and relies on the Border Gateway Protocol (BGP) to route traffic among the various networks worldwide.
Work that started last October on securing the protocol that binds the Internet together is finally yielding results. The National Cybersecurity Center of Excellence (NCCoE) at the US National Institute of Standards and Technology (NIST) published the first draft of a security standard that will secure BGP.
BGP is the protocol that Internet Service Providers (ISPs) and enterprises use to exchange route information between them. Unfortunately, BGP was not designed with security in mind. Traffic typically traverses multiple networks to get from its source to its destination.
Networks trust the BGP information they receive from their neighbors, and the lack of security makes BGP vulnerable to route hijacks. A route hijack attack can deny access to Internet services, misdeliver traffic to malicious endpoints and cause routing instability.
A technique known as BGP Route Origin Validation (ROV) is designed to protect against route hijacking, in which attackers advertise a malicious route, sending traffic to illegitimate servers, routers, or both.
The NCCoE has developed proof-of-concept demonstrations of BGP ROV implementation designed to improve the security of the Internet’s routing infrastructure. This NIST Cybersecurity Practice Guide demonstrates how networks can use available security protocols, products, and tools to perform BGP ROV and so reduce route hijacking threats, according to csrc.nist.gov.
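To make the origin check concrete, here is an added illustration (not taken from the NIST guide or the original article) of the decision a ROV-enabled router makes for each received route, using the valid / invalid / not-found outcomes defined in RFC 6811. The authorization records (ROAs), prefixes and AS numbers are constructed sample data using documentation and private-use ranges.

```python
import ipaddress

# Constructed sample ROAs: (authorized prefix, max prefix length, origin AS).
# Documentation/private prefixes and private-use ASNs, not real RPKI data.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("10.10.0.0/16", 24, 64501),   # more-specifics allowed down to /24
    ("2001:db8::/32", 48, 64502),
]

def validate(route_prefix, origin_as, roas=ROAS):
    """Classify a BGP announcement per RFC 6811 origin validation.

    valid     - a covering ROA matches the origin AS and the route is
                no more specific than that ROA's max length
    invalid   - at least one ROA covers the prefix, but none matches
    not-found - no ROA covers the prefix at all
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # Compare only within the same address family; subnet_of()
        # raises TypeError when IPv4 and IPv6 networks are mixed.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A ROA for AS 0 never validates a route; it only marks space as
        # "should not be announced".
        if roa_as != 0 and roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS, what it represents)
    announcements = [
        ("192.0.2.0/24", 64500, "legitimate origin"),
        ("192.0.2.0/24", 64666, "wrong origin AS"),
        ("10.10.1.0/25", 64501, "more specific than max length"),
        ("172.16.0.0/16", 64500, "no ROA published"),
    ]
    for prefix, asn, note in announcements:
        print(f"{prefix:16} AS{asn:<6} {validate(prefix, asn):10} ({note})")
```

What a router does with each state is local policy: invalid routes are the ones a ROV deployment would typically reject, while not-found routes reflect address space whose holder has not yet published authorizations.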