The US Makes a Big Step Toward Better Routing Security
[This is a guest post by Ryan Polk, Director, Internet Policy, at the Internet Society. It was originally published at https://www.internetsociety.org/blog/2024/05/the-us-makes-a-big-step-toward-better-routing-security/.]
Governments should set the standard for improving routing security. This is crucial because many government services are considered critical infrastructure, and they have a significant role in establishing best practices for running safe and secure networks. Until recently, the US Federal Government faced challenges in this area. As the child of two dedicated civil servants, it was particularly disappointing for me to see that the US Government was falling so far behind in such an important area.
That’s why I am so excited by the news, released by the United States Department of Commerce, that the National Telecommunications and Information Administration (NTIA) and several other Commerce agencies and bureaus began implementing Resource Public Key Infrastructure (RPKI) on their networks. This means that adversaries cannot as easily impersonate or hijack the routes sending data on US government networks.
Why Routing Security is Critical
Using RPKI to create Route Origin Authorizations (ROAs) is a vital action for network operators to take to improve routing security online. ROAs are cryptographically signed objects that state which network is authorized to originate a particular IP address prefix or set of prefixes. In short, ROAs provide a verified example of what routes on the Internet should look like, enabling network operators to filter out accidentally misconfigured or intentionally malicious routes—limiting the spread and impacts of routing incidents. Enabling the global validation of routing information is a key action of the Mutually Agreed Norms for Routing Security (MANRS).
Non-governmental networks in the United States have continued to rapidly improve their implementation of RPKI, increasing by nearly three and a half times since 2019. However, the US government has lagged much further behind. Until this week, only around 1% of routes from US government-run networks could be verified using RPKI.
By implementing RPKI, NTIA and the other components of the US Department of Commerce are not only securing their routing infrastructure but are also paving the way for other US government departments and agencies to move forward in this important effort. The US government controls hundreds of networks on the Internet, and it is vital that the government take steps to implement routing security best practices on these networks.
How the US and Other Governments Can Influence Wider Routing Security Adoption
In addition, with an eye towards improving private networks in the US, the US government should also make strong routing security a procurement requirement for network services. The US government can lead by example both by implementing strong routing security practices on its own networks and by demanding that contracted private network providers follow those practices.
We appreciate the Commerce Department’s recognition of the important work that the Internet Society, Global Cyber Alliance, and MANRS have done in the area of routing security. Securing the global routing system is not only vital but requires a group effort.
I am ecstatic that NTIA and the other agencies and bureaus in the US Department of Commerce took this crucial step toward helping secure the routing infrastructure of both the Federal Government and the wider Internet.