Two US government agencies have united forces to coordinate the creation of a new set of standards aimed at securing the process of routing of information between major Internet entities, such as Internet Service Providers, hosting providers, cloud providers, educational, research, and national networks.
The solution they developed is actually a collection of standards known collectively as Secure Inter-Domain Routing (SIDR).
SIDR standards will secure Internet routing
SIDR is the first comprehensive effort of its kind aimed at improving the security of BGP (Border Gateway Protocol), an Internet networking protocol used to route information between large Internet networks.
The protocol works by each router advertising to its neighboring networks what IP blocks are available on its network. When data needs to travel from one network to another, the sending router selects the best neighboring router to send the data based on an internal score that describes each adjacent router's reliability. The protocol is a little bit more complex and we can't describe it here in full. You can read more about BGP here.
BGP's biggest problem is security, or its lack of. Developed in the late 1980s, security was not a major threat vector at a time before the Internet we know today, so it wasn't taken into consideration when building the original protocol.
BGP hijacks are the Internet's biggest security hole
Attackers of different sizes and with various intentions have abused the BGP protocol in attacks named BGP hijacks. These happen when an Internet entity (network) advertises to nearby networks that certain IP blocks are on its network when they aren't.
This allows the malicious network to receive traffic intended for other networks. For example, a rogue ISP could hijack traffic destined for Google's servers.
BGP hijacks are currently considered the Internet's biggest security hole and have been at the base of several major security incidents. [1, 2, 3, 4, 5]
Joint NIST & DHS effort to secure BGP
The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) Science and Technology Directorate have started working on addressing the problem of BGP hijacks a few years back.
While work on SIDR has been going on behind the scenes for years, recently, the people involved started publishing standards on the Internet Engineering Task Force (IETF) portal.
The third component, BGP Path Validation (also known as “BGPsec”), is what is described in the suite of draft standards (RFCs 8205 through 8210) the IETF has just published. Its innovation is to use digital signatures by each router to ensure that the entire path across the internet crosses only authorized networks. Employing this idea of “path validation” together with origin validation could deter stealthy attacks intended to reroute data without the recipient realizing it.
RPKI is a product of the IETF's SIDR Working Group, not NIST or DHS, but they are part of the final SIDR standard.
Most of the NIST and DHS proposed solutions have already gone through the first stage of the IETF standardizing process, which is "Internet Draft." Most are the stage of proposed RFC (Request For Comment), the last step before becoming an official Internet Standard.
You can read more about the SIDR on the project's homepage, in this project intro, and you can check out the IETF SIDR project page. NIST and DHS have separate project pages describing their efforts on SIDR.
Comments
Occasional - 6 years ago
No practical experience in this area, but sounds like revision is way overdue.
"Developed in the late 1980s, security was not a major threat vector at a time before the Internet we know today..."
Wasn't until 1988-9 that first large scale, sophisticated, inter-network hack was discovered and broken (as documented in Clifford Stoll's 'The Cuckoo's Egg'). In the nearly 30 years since, cyber crime technology has developed at least as much as have aircraft from the WWI biplanes to the F-22 Raptor. Yes, revision is overdue.