White House Unveils Road Map to Fix BGP

The White House outlined a plan for addressing Internet routing security issues, including vulnerabilities associated with the Border Gateway Protocol (BGP). The Roadmap to Enhancing Internet Routing Security from the White House Office of the National Cyber Director (ONCD) is part of the broader National Cybersecurity Strategy Implementation Plan to secure the foundation of the Internet.

BGP — the protocol used for exchanging routing information on the Internet — can be hijacked to divert traffic to disrupt critical infrastructure, intercept information, or conduct espionage. Because BGP does not have a way to verify the authenticity of route announcements or network paths, it is possible to publish a new network path and thus move traffic through hostile networks. Several potential vulnerabilities in BGP have also been disclosed over the past few years.

BGP mistakes are common — as when Microsoft accidentally published incorrect route information that made Microsoft Azure and other Microsoft cloud service unavailable for about 90 minutes back in 2023, or when a small Internet service provider accidentally became the preferred route to reach Cloudflare back in 2019. Re-routing can be potentially hostile, as when China Telecom in 2010 routed 15% of the world's traffic through its servers for 18 minutes, or when threat actors hijacked DNS traffic from Amazon Web Services to steal approximately $150,000 in cryptocurrency from MyEtherWallet users in 2018.

Using RPKI to Fix BGP

ONCD encouraged adopting Resource Public Key Infrastructure (RPKI) to improve BGP security. The proposed roadmap described baseline actions for all network operators, network service providers, and government entities. Actions include developing and maintaining a cybersecurity risk management plan and setting up RPKI components on their networks.

The White House is not the only one looking at BGP. The FCC also recently proposed a plan for broadband providers to create and implement plans to mitigate BGP issues.

RPKI's two main components, Route Origin Authorizations and Route Origin Validation, help ensure that traffic does not get rerouted when it should not be. Route Origin Authorization is a signed certificate authorizing a network to announce a specific IP block. Networks also use Route Origin Validation to check Route Origin Authorizations and filter out invalid BGP announcements. For Route Origin Authorization to be effective, there has to be widespread deployment of Route Origin Validation throughout the Internet.

Speed Up RPKI Adoption

The good news is that the majority of BGP route originations globally are already Route Origin Validation-valid, and the percentage of traffic covered by Route Origin Authorization is over 70%, according to statistics cited by the ONCD.

However, there remains more to be done, as some large networks in the United States have not yet implemented RPKI. According to data from NIST's RPKI Monitor, only 39% of IP prefixes originated by US networks have a valid Route Origin Authorization. They include networks of several commercial providers and the US government. The goal of the ONCD is to have 60% of the federal government's advertised IP space be covered by the Registration Service Agreements necessary to establish Route Origin Authorizations by the end of the year.

"If the low rate of ROA creation and adoption among these few but large network operators that hold a dominant share of North American address space were rectified, BGP security and resilience in the region would substantially improve," the ONCD said.

Policy changes such as requiring the government contractors and service providers to use RPKI could help push the needle forward. "[Office of Management and Budget] should require the Federal Government’s contracted service providers to adopt and deploy current commercially-viable Internet routing security technologies," the ONCD wrote in the roadmap. Additionally, grant programs "should require grant recipients to incorporate routing security measures into their projects."

In a blog post, Cloudflare urged network operators to sign Route Origin Authorization records and performing Route Origin Validation on their networks. Non-network operators can check whether their Internet service provider has secured BGP via isbgpsafeyet.com.

"From an implementation standpoint, our hope is that the government's focus on routing security through all the levers outlined in the roadmap will speed up ROA adoption, and encourage wider implementation of ROV and other best practices," Cloudflare's Mike Conlow, Emily Music, and Tom Strickx wrote.