A Dangerous Network: The Border Gateway Protocol has been the primary routing technology for the internet for at least three decades. Like other fundamental internet protocols developed in the 1980s, BGP was not originally designed with security in mind – and it shows.

After numerous incidents related to traffic routing among different autonomous systems, the White House has decided to address the security issues of the Border Gateway Protocol. The US administration has tasked the White House Office of the National Cyber Director with developing a roadmap to enhance the security of routing procedures managed through BGP.

The venerable BGP is one of the most fundamental protocols that emerged alongside the modern internet, according to a White House press release. This standardized technology provides a practical way for over 70,000 independent networks or autonomous systems to collaborate and exchange data packets effectively. Cloud providers, internet service providers, universities, utilities, and even government agencies rely on BGP to connect the internet we know today.

However, traditional BGP practices do not mandate specific security measures to protect these critical routing procedures among ASes. Internet traffic can be, and has been, deliberately and maliciously diverted, providing cybercriminals or espionage agencies with a powerful tool to expose or steal personal information, disrupt critical transactions or infrastructure operations, and more.

Traffic for BGP routing has been hijacked and abused several times in recent years, which is why the White House now considers the protocol one of its top tech security priorities. The roadmap prepared by the Office of the National Cyber Director is designed to provide a "blueprint" for implementing robust security practices for BGP, including the adoption of the Resource Public Key Infrastructure.

The White House describes RPKI as a mature, ready-to-implement approach for mitigating BGP security vulnerabilities. RPKI includes Route Origin Validation (ROV) and Route Origin Authorization (ROA), which work in tandem to verify the authority of a remote network announcing a traffic path and to check the authenticity of messages.

According to the ONCD's roadmap, Europe currently leads the US in RPKI adoption, with 70 percent of BGP routes using ROA and ROV to secure routing traffic. The White House expects that by the end of the year, over 60 percent of all US federal agencies, or "the Federal government's advertised IP space," will be covered by Registration Service Agreements and will establish ROAs for federal networks.

The ONCD is also establishing a new partnership between public and private stakeholders to develop an additional framework for network operators to assess routing security effectively. The ultimate goal is to ensure that all entities operating within internet infrastructure adopt RPKI security measures comprehensively.
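As an added illustration (not part of the original article or the ONCD roadmap), the sketch below shows how a router doing Route Origin Validation classifies a BGP announcement against ROA data, following the valid / invalid / not-found procedure of RFC 6811. The prefixes and AS numbers are constructed from documentation ranges, and the helper names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, maxLength, origin AS) entry from a ROA."""
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest prefix length the holder authorises
    asn: int            # AS authorised to originate the prefix (0 = nobody)

def vrp(prefix, asn, max_length=None):
    net = ipaddress.ip_network(prefix)
    # When a ROA omits maxLength, only the exact prefix length is authorised.
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)

def validate_origin(route_prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        # A VRP is relevant only if its prefix covers the announced route.
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        # A match needs the same origin AS and a length within maxLength.
        # AS 0 in a ROA means "do not route", so it can never match.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    # Covered by no ROA at all: not-found (the holder has published nothing).
    return "invalid" if covered else "not-found"

# Constructed sample data (documentation prefixes and AS numbers).
SAMPLE_VRPS = [
    vrp("192.0.2.0/24", 64496),                     # exact /24 only
    vrp("198.51.100.0/24", 64497, max_length=25),   # /24 and its /25s
    vrp("203.0.113.0/24", 0),                       # AS 0: never routable
]

def classify(announcements, vrps=SAMPLE_VRPS):
    return {(p, a): validate_origin(p, a, vrps) for p, a in announcements}

if __name__ == "__main__":
    demo = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
            ("192.0.2.0/25", 64496), ("198.51.100.128/25", 64497),
            ("203.0.113.0/24", 64500), ("2001:db8::/32", 64496)]
    for key, state in classify(demo).items():
        print(key, state)
```

The "not-found" outcome is why ROV only protects address space whose holder has actually published ROAs; operators typically reject "invalid" routes and still accept "not-found" ones.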


 
White House Office of the National Cyber Director
smells like a teen spirit
haha, keep up the good work guys
America needs more directors
right?
 
This topic is very concerning, any type of traffic validation at the exterior gateway level is unwise, consider attempting to secure traffic that is subject to timeouts, if the distance is great and the speed is reduced due to validation the traffic will not be possible. There is no way to test validation on exterior gateway protocols until they are in the wild, no sub-environment can be created to effectively test the technology it basically has to be released to see what will happen. This means just about every country would need to support it and the shift would have to take place sequentially and be able to default back if critical transactions could not be completed. My connection to PSN servers is already trash because of bad networking ideas, please US government consult a variety of experts before trying this, likely break the internet. Insecure protocols such as BGP are a small problem, this is a giant solution. Small problems are best fixed with small solutions.
 
"...BGP was not originally designed with security in mind – and it shows." I guess they did not expect to have Cyber-crime in the future or perhaps Cyber-criminals to become smarter?
 
This topic is very concerning, any type of traffic validation at the exterior gateway level is unwise, consider attempting to secure traffic that is subject to timeouts, if the distance is great and the speed is reduced due to validation the traffic will not be possible. There is no way to test validation on exterior gateway protocols until they are in the wild, no sub-environment can be created to effectively test the technology it basically has to be released to see what will happen. This means just about every country would need to support it and the shift would have to take place sequentially and be able to default back if critical transactions could not be completed. My connection to PSN servers is already trash because of bad networking ideas, please US government consult a variety of experts before trying this, likely break the internet. Insecure protocols such as BGP are a small problem, this is a giant solution. Small problems are best fixed with small solutions.

Your point is well founded but sometimes security is much more important than timeliness, i.e., the President sending a message to the leader of another country and it gets sidetracked to a 3rd country and missiles are let loose because of it. The time of hardwired communications for that kind of stuff is long gone so security is of primary concern. Suppose a gov't agency is sending info to a local police department and it gets sidetracked to a 3rd party who releases it to the public and we find out that so and so was arrested for child abuse. Who's responsible for releasing that private info? SOME things just need to end up exactly where you think they should be going without any unsecure stops along the way.
 
I think the White House misunderstood the people yelling at them about securing the borders.
But listening to the people is so often a quick way to going back to waiting tables.
So remember, it's a good thing that nobody listened to the yelling about the borders:

https://www.cbsnews.com/news/border-crossings-us-mexico-border-june-2024/



No way, it should have taken Biden 3 years for his EO. But it did.
Of course, it took Trump 4 years and didn't do a thing. Even though he said he would.
And it took Obama 8 years to not pull the switch.

As a real American. I appreciate Biden's effort that actually had an impact.
And would have felt that way no matter who was in charge.
 
Your point is well founded but sometimes security is much more important than timeliness, i.e., the President sending a message to the leader of another country and it gets sidetracked to a 3rd country and missiles are let loose because of it. The time of hardwired communications for that kind of stuff is long gone so security is of primary concern. Suppose a gov't agency is sending info to a local police department and it gets sidetracked to a 3rd party who releases it to the public and we find out that so and so was arrested for child abuse. Who's responsible for releasing that private info? SOME things just need to end up exactly where you think they should be going without any unsecure stops along the way.
Totally agree on your points here, it should be possible to achieve the desired goal of point to point communication securely without messing with the standard that is the backbone of the internet. Hackers are much smarter than governments and even most industry professionals about security. If BGP is updated with secure protocols there will likely be another vulnerability down the line anyway. It's a maybe fix with huge risk and transition costs. I think a better reason than point to point secure communication is required for this project.
 
