Vulnerabilities / Threats

10/3/2017
04:36 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Standards Will Shore up Internet Router Security

The BGP Path Validation draft standards were designed to ensure that Internet traffic flows only along digitally signed, authorized paths.

Industry efforts to strengthen the critical Border Gateway Protocol (BGP) system that the Internet's core routers use to direct traffic received a boost this week with the release of new draft standards by the Internet Engineering Task Force (IETF).

The standards center around a security feature called BGP Path Validation and are designed to ensure that Internet traffic is not accidentally or maliciously intercepted and rerouted as it travels from one point to another. Such interception has resulted in network disruption, eavesdropping, and financial theft in recent years and has heightened concerns about the vulnerability of the BGP system to targeted attacks.

The new BGPsec standard describes the use of digital signatures on BGP routers so traffic from one point to another on the Internet only flows along an authorized, digitally signed path, the National Institute of Standards and Technology (NIST) announced Tuesday. "Employing this idea of “path validation” together with origin validation could deter stealthy attacks intended to reroute data without the recipient realizing it," NIST said.

BGP routers direct traffic on the Internet. Each autonomous system (AS) - or network on the Internet - has a BGP router containing routing information for thousands of Internet destinations. The BGP routers exchange the information with each other to ensure that traffic is routed safely from source to destination.

BGP has been in use since at least 1989. It is widely regarded as lacking sufficient protections to prevent malicious attackers from injecting poisoned routing data into the system and rerouting Internet traffic to their networks.  As far back as 2013, Internet service provider Dyn recorded multiple instances of traffic from individual IP blocks being misdirected to unintended destinations via BGP tampering. One of them involved traffic from the networks of major financial institutions, ISPs, and governments being rerouted to an ISP in Belarus. Another involved route hijacks from Iceland.

BGPsec is part of a broader industry initiative known as Secure Inter-Domain Routing (SIDR) to address the vulnerabilities that enable this sort of hijacking. One part of the SIDR effort has focused on BGP origin validation, ensuring that BGP routers are able to filter out unauthorized routing updates and only accept valid connections. The second component, which is what BGPsec addresses, is focused on validating the path that traffic takes as it flows from source to destination.

"BGP Origin Validation standards were completed in 2012-2013 and are implemented in most commercial routers," says Douglas Montgomery, a NIST researcher and manager of the NIST BGP project. All of the Resource Public Key Infrastructure (RPKI) that is required to support BGP origin validation is already in place at all five Internet regional registries, he says.

"The community's current focus is on expanding the adoption of RPKI and BGP-OV as the logical first step towards improving BGP security," Montgomery says. 

The implementation of new BGP path validation standard will take place in three stages.

First, commercial router implementations and RPKI services must become available for path validation. Then enterprises and network operators need to enter their address blocks, autonomous systems, and route origin in the RPKI. Finally, network operators need to use the RPKI information to identify forged BGP announcements and develop local policy to deal with the attempted hijacks, Montgomery said.

"It is hard to predict when BGP-PV will be widely deployed in the Internet," he says. "The design and standardization work in the IETF was conducted with the expectation that significant deployment might require [about] 10 years. "

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: White Privelege Day
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17282
PUBLISHED: 2018-09-20
An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
CVE-2018-14592
PUBLISHED: 2018-09-20
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
CVE-2018-15832
PUBLISHED: 2018-09-20
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI ha...
CVE-2018-16282
PUBLISHED: 2018-09-20
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.
CVE-2018-16752
PUBLISHED: 2018-09-20
LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.