Vulnerabilities / Threats

10/3/2017
04:36 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Standards Will Shore up Internet Router Security

The BGP Path Validation draft standards were designed to ensure that Internet traffic flows only along digitally signed, authorized paths.

Industry efforts to strengthen the critical Border Gateway Protocol (BGP) system that the Internet's core routers use to direct traffic received a boost this week with the release of new draft standards by the Internet Engineering Task Force (IETF).

The standards center around a security feature called BGP Path Validation and are designed to ensure that Internet traffic is not accidentally or maliciously intercepted and rerouted as it travels from one point to another. Such interception has resulted in network disruption, eavesdropping, and financial theft in recent years and has heightened concerns about the vulnerability of the BGP system to targeted attacks.

The new BGPsec standard describes the use of digital signatures on BGP routers so traffic from one point to another on the Internet only flows along an authorized, digitally signed path, the National Institute of Standards and Technology (NIST) announced Tuesday. "Employing this idea of “path validation” together with origin validation could deter stealthy attacks intended to reroute data without the recipient realizing it," NIST said.

BGP routers direct traffic on the Internet. Each autonomous system (AS) - or network on the Internet - has a BGP router containing routing information for thousands of Internet destinations. The BGP routers exchange the information with each other to ensure that traffic is routed safely from source to destination.

BGP has been in use since at least 1989. It is widely regarded as lacking sufficient protections to prevent malicious attackers from injecting poisoned routing data into the system and rerouting Internet traffic to their networks.  As far back as 2013, Internet service provider Dyn recorded multiple instances of traffic from individual IP blocks being misdirected to unintended destinations via BGP tampering. One of them involved traffic from the networks of major financial institutions, ISPs, and governments being rerouted to an ISP in Belarus. Another involved route hijacks from Iceland.

BGPsec is part of a broader industry initiative known as Secure Inter-Domain Routing (SIDR) to address the vulnerabilities that enable this sort of hijacking. One part of the SIDR effort has focused on BGP origin validation, ensuring that BGP routers are able to filter out unauthorized routing updates and only accept valid connections. The second component, which is what BGPsec addresses, is focused on validating the path that traffic takes as it flows from source to destination.

"BGP Origin Validation standards were completed in 2012-2013 and are implemented in most commercial routers," says Douglas Montgomery, a NIST researcher and manager of the NIST BGP project. All of the Resource Public Key Infrastructure (RPKI) that is required to support BGP origin validation is already in place at all five Internet regional registries, he says.

"The community's current focus is on expanding the adoption of RPKI and BGP-OV as the logical first step towards improving BGP security," Montgomery says. 

The implementation of new BGP path validation standard will take place in three stages.

First, commercial router implementations and RPKI services must become available for path validation. Then enterprises and network operators need to enter their address blocks, autonomous systems, and route origin in the RPKI. Finally, network operators need to use the RPKI information to identify forged BGP announcements and develop local policy to deal with the attempted hijacks, Montgomery said.

"It is hard to predict when BGP-PV will be widely deployed in the Internet," he says. "The design and standardization work in the IETF was conducted with the expectation that significant deployment might require [about] 10 years. "

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18643
PUBLISHED: 2019-04-25
GitLab CE & EE 11.2 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 have Persistent XSS.
CVE-2018-19359
PUBLISHED: 2019-04-25
GitLab Community and Enterprise Edition 8.9 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 has Incorrect Access Control.
CVE-2019-11488
PUBLISHED: 2019-04-25
Incorrect Access Control in the Account Access / Password Reset Link in SimplyBook.me Enterprise before 2019-04-23 allows Unauthorized Attackers to READ/WRITE Customer or Administrator data via a persistent HTTP GET Request Hash Link Replay, as demonstrated by a login-link from the browser history.
CVE-2019-11489
PUBLISHED: 2019-04-25
Incorrect Access Control in the Administrative Management Interface in SimplyBook.me Enterprise before 2019-04-23 allows Authenticated Low-Priv Users to Elevate Privileges to Full Admin Rights via a crafted HTTP PUT Request, as demonstrated by modified JSON data to a /v2/rest/ URI.
CVE-2019-3720
PUBLISHED: 2019-04-25
Dell EMC Open Manage System Administrator (OMSA) versions prior to 9.3.0 contain a Directory Traversal Vulnerability. A remote authenticated malicious user with admin privileges could potentially exploit this vulnerability to gain unauthorized access to the file system by exploiting insufficient san...