White House thinks it's time to fix the insecure glue of the internet: Yup, BGP

Better late than never


The White House on Tuesday indicated it hopes to shore up the weak security of internet routing, specifically the Border Gateway Protocol (BGP).

BGP more or less glues the internet as we know it together. It's used to manage the routes your online traffic takes between the networks, known as autonomous systems or ASes, that together constitute the internet. As noted in the Roadmap to Enhancing Internet Routing Security, published by the White House Office of the National Cyber Director (ONCD) today, BGP wasn't designed with security in mind.

"As initially designed and commonly operating today, BGP does not provide adequate security and resilience features for the risks we currently face," the report [PDF] says. "Concerns about fundamental vulnerabilities have been expressed for more than 25 years."

BGP does not check whether a remote network announcing a route (or a change to one) actually holds the address space it claims to originate. Nor does it verify that the messages exchanged between networks are authentic, or check whether routing announcements violate the business policies agreed between neighboring networks. A router simply believes what its neighbors tell it.

The result has been a long history of BGP route hijacking, like the time in 2008 when Pakistan interfered with YouTube traffic, or when Russia exploited BGP flaws in 2022 to limit Twitter traffic as it invaded Ukraine.

"Route hijacks can expose personal information; enable theft, extortion, and state-level espionage; disrupt security-critical transactions; and disrupt critical infrastructure operations," the report says. "While most BGP incidents are accidental, the concern over malicious actors has elevated this issue to a national security priority."

In June, the US Justice Department and the Defense Department wrote [PDF] to the FCC regarding the comms agency's decision to look into secure internet routing. Endorsing the need to address BGP risks, the DoJ and DoD pointed to the way that China Telecom Americas (CTA) advertised erroneous traffic routing in 2010, 2015, 2016, 2017, 2018, and 2019 to send American network traffic to China. CTA had its FCC license revoked in 2021.

There is a cryptographic mechanism available to mitigate the origin-hijack part of this risk: Resource Public Key Infrastructure (RPKI). Under RPKI, address holders publish signed Route Origin Authorizations (ROAs) stating which autonomous system may originate a given prefix, and up to what prefix length; routers performing Route Origin Validation (ROV) compare each received announcement against those ROAs and can drop announcements that contradict them. But this safety mechanism isn't foolproof, nor is it universally deployed. ROV checks only the origin AS at the end of the AS path, so an attacker who forges the legitimate origin and prepends it to its own AS still produces an announcement that passes; and a route for which no covering ROA has been published is merely marked "not found" and is accepted by default.
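The origin check described above, as an added example that is not part of the article or of any registry's or router vendor's code: a minimal Route Origin Validation in the style of RFC 6811 over a constructed set of ROAs. The prefixes (documentation ranges), the ASNs and the ROAs are constructed for illustration. The example also shows the caveat that ROV looks only at the rightmost AS in the path, so a hijacker that forges the legitimate origin and prepends it to its own AS still gets a "valid" verdict.

```python
"""Route Origin Validation (RFC 6811 style) over a constructed ROA set.

Added example; not the article's code and not any RIR or vendor
implementation. All prefixes, ASNs and ROAs are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str       # covered prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest more-specific the origin may announce
    origin_as: int    # AS allowed to originate; 0 means "nobody" (RFC 7607)


VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"

# Constructed ROAs, as an RPKI validator would hand them to the router.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),   # exact /24 only
    ROA("198.51.100.0/22", 24, 64501),  # /22 and more-specifics down to /24
    ROA("192.0.2.0/24", 24, 0),         # AS0: prefix must never be announced
]


def covering_roas(route_prefix: str, roas):
    """ROAs whose prefix contains the announced prefix ("covering" ROAs)."""
    net = ip_network(route_prefix, strict=False)
    out = []
    for r in roas:
        roa_net = ip_network(r.prefix, strict=False)
        # subnet_of() refuses to compare v4 with v6, so filter by family first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(r)
    return out


def validate(route_prefix: str, origin_as: int, roas=ROAS) -> str:
    """RFC 6811 verdict for one (prefix, origin AS) pair.

    not-found: no ROA covers the prefix (accepted by default on most routers)
    valid:     some covering ROA names this origin and permits this length
    invalid:   covering ROAs exist but none authorise this announcement
    """
    net = ip_network(route_prefix, strict=False)
    covering = covering_roas(route_prefix, roas)
    if not covering:
        return NOT_FOUND
    for r in covering:
        # AS0 ROAs never match any real origin, so they only ever cause "invalid"
        if r.origin_as != 0 and r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return VALID
    return INVALID


def rov_state(route_prefix: str, as_path, roas=ROAS) -> str:
    """Apply ROV to a received announcement: the origin is the rightmost AS."""
    return validate(route_prefix, as_path[-1], roas)


def demo():
    """Constructed announcements, including an origin hijack and a forged-origin hijack."""
    return {
        "legit /24":            rov_state("203.0.113.0/24", [64510, 64500]),
        "origin hijack":        rov_state("203.0.113.0/24", [64666]),
        "more-specific hijack": rov_state("203.0.113.0/25", [64666, 64500]),
        "within maxLength":     rov_state("198.51.100.0/23", [64510, 64501]),
        "AS0 prefix announced": rov_state("192.0.2.0/24", [64500]),
        "no ROA published":     rov_state("2001:db8::/32", [64500]),
        # The attacker prepends the real origin: ROV sees 64500 and says valid.
        "forged-origin hijack": rov_state("203.0.113.0/24", [64666, 64500]),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:22} {state}")
```

Note that the forged-origin case and the legitimate case are indistinguishable to ROV; telling them apart needs path validation (BGPsec or ASPA), which this check does not attempt. The more-specific hijack fails not because of the origin but because /25 exceeds the ROA's maxLength.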

In Europe, according to the White House's roadmap, some 70 percent of BGP routes have published ROAs and are ROV-valid. Elsewhere, adoption is lower. In the US, it's only 39 percent, because the IP space overseen by the American Registry for Internet Numbers (ARIN) is larger and older than that of Europe or Asia, and because the US government itself lags the private sector in RPKI adoption.

The ONCD roadmap aims to accelerate the adoption of RPKI in the US public and private sectors.

"Internet security is too important to ignore, which is why the Federal government is leading by example by pushing for a rapid increase in adoption of BGP security measures by our agencies," said White House National Cyber Director Harry Coker, Jr, in a statement.

FCC boss Jessica Rosenworcel said the roadmap complements the telecom agency's prior rulemaking to require internet service providers to prepare a risk management plan that addresses BGP security and, for large telecom firms, publish public quarterly reports. ®
