What do AWS, Radware, Nintendo, Google, and Facebook all have in common (other than being some of the smartest actors in internet commerce)? Over the past 18 months, they have all been impacted by outages traceable to the Border Gateway Protocol (BGP). The BGP was designed in 1994, literally on a napkin, to route data throughout the internet. As you may know, the internet was designed at DARPA for the proliferation of cat videos. In spite of this feline design intent, the internet has morphed into a vast commercial and financial infrastructure. Yet the BGP, a trust-based protocol, has not been secured commensurate with its commercial importance.
The BGP was designed as a trust-based protocol; it assumed that the entities using it would behave themselves. As we have learned, to our chagrin, the initial trust-based mindset of the early internet has been replaced by an approach more akin to zero-trust, justifiably so. Yet BGP, without which none of us would be able to traverse the Web, remains susceptible to attacks such as “BGP hijacking”. This attack has been used by malefactors to route traffic through components of the internet that they control for commercial and governmental espionage.
A glaring example of this hack came to light in June, 2019 when it was revealed that 70,000 internet routes comprising 368 million IP addresses were mistakenly routed through China Telecom, a government-owned service provider. Every one of these millions of IP addresses was vulnerable to a man-in-the-middle attack as China Telecom was capable of “listening” to all that traffic passing through its infrastructure. Cat videos and their senders were oblivious; European governments not so much. They saw this as a problem, one that rocketed to the top of internet security boffins’ agenda after this, and other similar BGP “leaks” gained mindshare. Like secure DNS, secure BGP was an idea whose time had come. Yet retrofitting security to an aging, open protocol is profoundly challenging.
In 2014 a consortium of content delivery networks (CDNs) formed a group called Mutually Agreed Norms for Routing Security (MANRS). Currently, nearly 600 CDNs are represented in MANRS. Probably the most comprehensive mitigation strategy to come out of this effort is “RPKI origin validation”. This uses the Resource Public Key Infrastructure as a basis of trust. The RPKI is, to quote ICANN working documents dated September 2020, a “hierarchical framework of interlocking X.509 public key certificates anchored at the Regional Internet Registries (RIRs). Its objective is to validate that the ISPs originating Internet routes are authorized to do so by the holder of the corresponding Internet Protocol (IP) address blocks.”
While the RPKI has been around since 2011, recent examples of BGP leakage have driven a wave of new interest in RPKI origin validation. Now, RPKI origin validation is not perfect. There are sufficient weaknesses in its implementation to drive the American Registry for Internet Numbers (ARIN) to require indemnification from relying parties when using the RPKI to validate published routes. It is, however, the best bet at present for combating BGP hijacking. The uptake of RPKI origin validation is being driven by some of the best and brightest names in Cloud computing. It can, in spite of its complexity, prevent simple route spoofing attacks. As with any digital signature, a route published with an RPKI signature can be validated as to the source. Thus someone needing to route sensitive data can validate that routes offered up do indeed come from trusted entities and not from malicious actors. Until we get a better solution, RPKI route validation is the best security tool on offer. Keep your eyes on MANRS and ICAAN for news as they work to bring security to this foundational internet infrastructure.