On 31 July, the United States Federal Communications Commission held a Border Gateway Protocol Security Workshop that highlighted the importance of addressing BGP vulnerabilities and securing Internet routing.
In opening remarks, Jessica Rosenworcel, FCC Chairwoman, and Jen Easterly, head of the Cybersecurity and Infrastructure Security Agency (CISA), noted that BGP is central to the Internet’s global routing system and that we must work together to develop and implement industry standards and best practices to reduce route hijacks and leaks. As Easterly acknowledged, the US federal government is lagging behind the private sector and is working to improve, adding routing security to documents like the CSRIC VIII Report On Best Practices To Improve Supply Chain Security Of Infrastructure And Network Management Systems (.docx file). Easterly specifically recognized that more and more networks are signing up for MANRS. It is encouraging that many large telecom organizations are leading the way and building a business case, which will help other, smaller networks improve their routing security in the future.
Doug Montgomery from the National Institute of Standards and Technology (NIST) introduced BGP and explained several vulnerabilities, like its lack of built-in authentication mechanisms to tell who is authorized to announce routes. Brian Scott, Office of the National Cyber Director, Executive Office of the President, focused on the US National Cybersecurity Strategy, which calls for rebalancing the responsibility for defending cyberspace and realigning incentives so that governments and businesses can invest in long-term resilience. Jeanette McMillian from the Office of the Director of National Intelligence (ODNI) said that the supply chain relies on confidentiality, integrity, availability, and security, and noted that BGP would not survive that checklist as it stands today. Ben Goldsmith from the National Security Division of the Department of Justice focused on national security threats like espionage, sabotage, and interference, noting the vast amounts of sensitive information that traverse US communications networks.
A panel of industry participants including Tony Tauber from Comcast, Nimrod Levy from AT&T, Elizabeth Gray-Nunez from Verizon, Kathryn Condello from Lumen, and Tamber Ray from the Rural Broadband Association discussed, amongst other things:
- Developing open-source tools, measurement studies, and standards to guide routing security deployments
- Extending infrastructure to publish more ROAs and implement RPKI in ways that manage risk to the business and the Internet
- Working with customers to ensure their data is up-to-date and not damaging to the wider Internet ecosystem
- Building public-private partnerships and collaboration to reduce routing incidents without disrupting platforms
- Providing choice and flexibility for smaller networks to deploy best practices in technically and financially feasible ways
- Educating downstream customers on the importance of routing security to their networks and supply chains
- Acknowledging that RPKI is complicated, but is gaining traction and is worth the investment
Steve Wallace from Internet2 shared insight from the Routing Integrity Initiative, which aims to reduce friction for research and education communities in using advanced networking and other technologies. Cloud providers Anees Shaikh from Google, Fredrik Korsbäch from AWS, and Tom Strickx from Cloudflare discussed their ‘wish lists’ for routing security, including:
- Simplifying RPKI ROA management
- Making it easier to register legacy IP space in RPKI
- Common filtering standards
- Encouraging remaining tier-1/transit networks to filter on all links
- Public/managed filtering infrastructure
- Lowering legal and process hurdles
- Expanding coverage and visibility from route monitoring and incident reporting services
- Accelerating development and deployment of the next set of protections like ASPA and BGPsec
We were pleased to hear so many of the speakers mention MANRS and how this community is setting a new norm for routing security. MANRS emphasizes the importance of continuously improving routing security, providing specific actions via four programs for Network Operators, Internet Exchange Points, CDN and Cloud Providers, and Equipment Vendors.
Improving routing security is an ongoing effort and not a one-time task. Learn more about MANRS and join the community today.