US authorities to secure Internet routing

The White House is putting pressure on federal authorities: they should cryptographically secure their network routes. Only then can erroneous or hijacked route announcements be detected.


Internet service providers in the USA are to be obliged to secure their border gateways cryptographically so that they are less susceptible to false or manipulated routing data. Because the Internet is older in North America, such security measures are less widespread there than in Europe. Now the White House is also turning up the heat on US federal authorities. They hold a fifth of all North American IP addresses, but are lagging behind private network operators when it comes to securing their border gateways.

On Tuesday, the National Cyber Director published a roadmap for upgrading the federal network infrastructure with RPKI (Resource Public Key Infrastructure). Its central element is a contract template with which federal authorities can commission the American Registry for Internet Numbers (ARIN) to issue and manage the corresponding cryptographic certificates and publish them in a public repository. ARIN is also to host the Route Origin Authorizations (ROAs) for the government networks.

RPKI is a prerequisite for ROAs, which in turn are a prerequisite for third parties to be able to verify the origin of routes (Route Origin Validation, ROV). By the end of the year, 60 percent of the public IP addresses of US federal authorities are to be covered by corresponding contracts with ARIN. This does not mean that ROV will already be supported or implemented by Christmas, but one prerequisite for it will have been put in place.


The Border Gateway Protocol (BGP, first specified in RFC 1105; the current version, BGP-4, is defined in RFC 4271) specifies the exchange of reachability information between routers, on the basis of which they select the best path for data packets travelling between networks, the Autonomous Systems (AS). The border routers record the best paths in their routing tables. BGP suffers from the fact that it originates from a time when participants in the network trusted each other: any AS can announce any route it wants, and there are no automatic checks.

In so-called prefix hijacking, an attacker announces its victim's prefixes as its own. For example, the attacking network can announce a more specific prefix carved out of the victim's address block, which wins against the victim's own announcement because routers prefer the longest matching prefix, or it can claim to offer a shorter path to certain IP address blocks. Routers that do not validate against RPKI have no way to check such claims and simply accept them.

With RPKI (the architecture is described in RFC 6480, with more than 40 further RFCs), Route Origin Authorizations (ROAs) record which autonomous system is authorized to originate which IP prefixes, optionally down to a maximum prefix length. If an AS suddenly announces prefixes that no ROA authorizes for it, or announces more specific prefixes than the ROA permits, a validating router classifies the announcement as "Invalid" and can reject it. This is primarily intended to catch the frequent misconfigurations that occur when routes are announced. Perhaps the best-known example is the 2008 incident in which Pakistan Telecom announced a more specific prefix of YouTube's address block and thereby redirected YouTube traffic to itself.
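The following is an added example, not code from the article or from any of the bodies it describes. It implements the origin-validation decision from RFC 6811 over a small, constructed ROA set: an announcement is "Valid" if a covering ROA names its origin AS and permits its prefix length, "Invalid" if covering ROAs exist but none matches, and "NotFound" if no ROA covers the prefix at all. The YouTube prefix and AS numbers mirror the commonly reported figures for the 2008 incident but are used here purely as sample data; the other prefixes and AS numbers are documentation ranges and hypothetical. It also shows the gap the article returns to with BGPsec: ROV only examines the rightmost AS in the AS_PATH, so a hijacker that forges the legitimate origin at the end of its path passes origin validation.

```python
"""RFC 6811 Route Origin Validation over a constructed ROA set (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maximum length, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROA set (not real RPKI data). The YouTube prefix and ASN
# mirror the widely reported 2008 incident and serve only as illustration.
SAMPLE_ROAS = (
    ROA("208.65.152.0/22", 22, 36561),  # YouTube: only the /22 itself may be announced
    ROA("192.0.2.0/24", 24, 64500),     # documentation prefix, hypothetical private AS
    ROA("2001:db8::/32", 48, 64501),    # IPv6: de-aggregation down to /48 permitted
)


def validate_origin(prefix: str, origin_as: int, roas: Iterable[ROA] = SAMPLE_ROAS) -> str:
    """Classify an announcement (prefix, origin AS) as 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(prefix, strict=True)  # BGP prefixes have no host bits set
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # A ROA covers the announcement when the announced prefix lies inside the ROA prefix.
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"  # no ROA says anything about this address space
    for roa in covering:
        # Valid only if the origin AS matches AND the announcement is not more
        # specific than the ROA's maxLength allows (blocks more-specific hijacks).
        if roa.asn == origin_as and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"  # covered by a ROA, but origin or length does not match


def validate_announcement(prefix: str, as_path: Sequence[int], roas: Iterable[ROA] = SAMPLE_ROAS) -> str:
    """ROV looks only at the origin, i.e. the rightmost AS of the AS_PATH.

    A forged origin at the end of an attacker's path is therefore not detected;
    protecting the whole path is what BGPsec (RFC 8205) is for.
    """
    return validate_origin(prefix, as_path[-1], roas)


def accept(prefix: str, as_path: Sequence[int], roas: Iterable[ROA] = SAMPLE_ROAS) -> bool:
    """Common operator policy: drop 'Invalid', accept 'Valid' and 'NotFound'."""
    return validate_announcement(prefix, as_path, roas) != "Invalid"


if __name__ == "__main__":
    cases = [
        ("208.65.152.0/22", [36561]),          # legitimate YouTube announcement
        ("208.65.153.0/24", [17557]),          # 2008-style more-specific hijack
        ("208.65.153.0/24", [36561]),          # even the owner exceeds maxLength
        ("198.51.100.0/24", [64500]),          # no ROA at all
        ("2001:db8:1::/48", [64501]),          # permitted de-aggregation
        ("2001:db8:1:1::/64", [64501]),        # too specific for the ROA
        ("208.65.152.0/22", [17557, 36561]),   # forged origin: passes ROV
    ]
    for prefix, path in cases:
        print(f"{prefix:22} path={path} -> {validate_announcement(prefix, path)}"
              f" accept={accept(prefix, path)}")
```

The last case is the one to keep in mind when reading the rest of the article: because the attacker appended the legitimate origin AS to its path, ROV returns "Valid" and the announcement is accepted; only path validation as in BGPsec could expose it.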

If US government networks use ROAs to state, in a cryptographically verifiable way, which IP addresses they are responsible for, that is certainly a step in the right direction. Only then can third parties check announcements of those addresses using ROV. Particularly valuable and high-risk address resources are to be prioritized for the changeover. An accompanying playbook with screenshots is meant to help.

At the same time, the National Cyber Director is calling on all federal authorities to oblige network operators, in new contracts, to filter BGP routes using ROV. Subsidies for critical infrastructure are also to flow only to projects that secure their routing. In addition, money is to continue to be available for relevant research and development projects.

In theory, a weapon against deliberate BGP hijacking has also existed since 2017: BGPsec (RFC 8205). It secures the routing information on its way through the network: instead of merely checking the authenticity of the origin of a route announcement, each AS along the path signs the announcement, so that manipulation of the path can be detected. However, it would only help if, firstly, RPKI were rolled out and, secondly, all network operators switched to BGPsec at the same time so that unsigned announcements could be ignored. Such a changeover is not in sight, because it would require many routers to be replaced and network operators would face considerable additional work managing the BGPsec keys required at every routing hop.

In addition, BGPsec presupposes that the issuers of the cryptographic certificates can be trusted. If those bodies are under state control, there may not be much to be gained. This is because most manipulations are the work of perpetrators operating from countries with lax oversight, or of state actors pursuing their own interests. Such actors could also obtain certificates that lend their attacks the appearance of legitimacy.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.