Vulnerabilities / Threats

10/3/2017
04:36 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Standards Will Shore up Internet Router Security

The BGP Path Validation draft standards were designed to ensure that Internet traffic flows only along digitally signed, authorized paths.

Industry efforts to strengthen the critical Border Gateway Protocol (BGP) system that the Internet's core routers use to direct traffic received a boost this week with the release of new draft standards by the Internet Engineering Task Force (IETF).

The standards center around a security feature called BGP Path Validation and are designed to ensure that Internet traffic is not accidentally or maliciously intercepted and rerouted as it travels from one point to another. Such interception has resulted in network disruption, eavesdropping, and financial theft in recent years and has heightened concerns about the vulnerability of the BGP system to targeted attacks.

The new BGPsec standard describes the use of digital signatures on BGP routers so traffic from one point to another on the Internet only flows along an authorized, digitally signed path, the National Institute of Standards and Technology (NIST) announced Tuesday. "Employing this idea of “path validation” together with origin validation could deter stealthy attacks intended to reroute data without the recipient realizing it," NIST said.

BGP routers direct traffic on the Internet. Each autonomous system (AS) - or network on the Internet - has a BGP router containing routing information for thousands of Internet destinations. The BGP routers exchange the information with each other to ensure that traffic is routed safely from source to destination.

BGP has been in use since at least 1989. It is widely regarded as lacking sufficient protections to prevent malicious attackers from injecting poisoned routing data into the system and rerouting Internet traffic to their networks.  As far back as 2013, Internet service provider Dyn recorded multiple instances of traffic from individual IP blocks being misdirected to unintended destinations via BGP tampering. One of them involved traffic from the networks of major financial institutions, ISPs, and governments being rerouted to an ISP in Belarus. Another involved route hijacks from Iceland.

BGPsec is part of a broader industry initiative known as Secure Inter-Domain Routing (SIDR) to address the vulnerabilities that enable this sort of hijacking. One part of the SIDR effort has focused on BGP origin validation, ensuring that BGP routers are able to filter out unauthorized routing updates and only accept valid connections. The second component, which is what BGPsec addresses, is focused on validating the path that traffic takes as it flows from source to destination.

"BGP Origin Validation standards were completed in 2012-2013 and are implemented in most commercial routers," says Douglas Montgomery, a NIST researcher and manager of the NIST BGP project. All of the Resource Public Key Infrastructure (RPKI) that is required to support BGP origin validation is already in place at all five Internet regional registries, he says.

"The community's current focus is on expanding the adoption of RPKI and BGP-OV as the logical first step towards improving BGP security," Montgomery says. 

The implementation of new BGP path validation standard will take place in three stages.

First, commercial router implementations and RPKI services must become available for path validation. Then enterprises and network operators need to enter their address blocks, autonomous systems, and route origin in the RPKI. Finally, network operators need to use the RPKI information to identify forged BGP announcements and develop local policy to deal with the attempted hijacks, Montgomery said.

"It is hard to predict when BGP-PV will be widely deployed in the Internet," he says. "The design and standardization work in the IETF was conducted with the expectation that significant deployment might require [about] 10 years. "

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.