Advancing Routing Security in US Policy
Explore how US regulators are pushing for stronger Internet routing protections through voluntary norms and incentives.
The backbone of the Internet relies on the Border Gateway Protocol (BGP), a system that directs data packets across global networks. Yet, BGP’s vulnerabilities have long exposed users to risks like route hijacks, outages, and data interception. In recent years, US policymakers have turned their attention to these issues, seeking ways to fortify routing without stifling innovation. This article delves into the evolving landscape of routing security, from regulatory inquiries to practical implementations, emphasizing voluntary standards like the Mutually Agreed Norms for Routing Security (MANRS).
Understanding BGP Vulnerabilities
BGP operates as the Internet’s routing table, announcing which networks own specific IP address blocks. Without robust validation, malicious actors can announce false routes, diverting traffic to unauthorized destinations. Historical incidents, such as the 2008 Pakistan YouTube hijack, demonstrate how such flaws can censor content or enable surveillance on a massive scale.
Common threats include prefix hijacking, where attackers claim ownership of IP prefixes they don’t control, and route leaks, accidental announcements that flood the Internet with incorrect paths. These events disrupt services, erode trust, and incur economic losses estimated in billions annually. For instance, a single major outage can halt e-commerce, cloud services, and critical infrastructure.
- Prefix Hijacking: Forged announcements redirect traffic.
- Route Leaks: Misconfigurations propagate erroneous routes.
- IP Spoofing: Falsified source addresses enable attacks like DDoS.
Addressing these requires technical solutions like Resource Public Key Infrastructure (RPKI), which uses cryptographic signatures to validate route origins.
The Role of MANRS in Global Routing Protection
Launched in 2014, MANRS unites network operators, enterprises, and governments in adopting four core actions: filtering routes, validating IP sources, coordinating incident responses, and enabling global validation. This initiative, now led by the Global Cyber Alliance with Internet Society support, has grown to hundreds of participants worldwide.
Filtering prevents invalid routes from entering networks, while global validation—powered by RPKI—verifies announcements against authorized Route Origin Authorizations (ROAs). A 2024 survey showed MANRS members experience 40% fewer incidents, underscoring its effectiveness.
| MANRS Action | Description | Benefits |
|---|---|---|
| Filtering | Implement prefix and AS-path filters | Blocks invalid routes at source |
| Global Validation | Deploy RPKI/ROAs | Cryptographic route origin checks |
| IP Source Validation | Verify packet sources | Mitigates spoofing attacks |
| Coordination | Report anomalies publicly | Reduces incident propagation |
MANRS’s voluntary model fosters adoption without regulatory coercion, making it ideal for policy integration.
FCC’s Inquiry into Secure Routing
In 2022, the Federal Communications Commission (FCC) issued a Notice of Inquiry (NOI) to gather insights on BGP security. The NOI explored existing practices, challenges, and potential interventions, signaling growing regulatory interest.FCC NOI on Internet Routing and Security, 2022 Stakeholders, including the Internet Society, responded by advocating incentives over mandates, citing RPKI’s nascent deployment.
Key recommendations included procurement preferences for MANRS-compliant providers and phased adoption starting with critical sectors like energy and finance. This approach aligns with the National Institute of Standards and Technology (NIST) guidelines on secure routing.
Recent US Government Milestones in RPKI Deployment
Building on the FCC NOI, the US Department of Commerce made headlines in 2024 by implementing RPKI across its networks. The National Telecommunications and Information Administration (NTIA) created ROAs for its IP holdings, protecting against hijacks and setting a federal example.NTIA Press Release: US Department of Commerce Implements Internet Routing Security, 2024-05
NOAA’s N-Wave network now validates routes, with a playbook guiding other agencies. This fulfills Biden-Harris Administration’s National Cybersecurity Strategy, which flagged routing as a “pervasive concern.” Adoption rates remain low among federal entities, but NTIA’s model contract eases implementation.
Routing security has been a concern for over 20 years, yet progress accelerates with leadership from NTIA and partners.
Policy Recommendations: Incentives Over Mandates
Rather than heavy-handed rules, experts urge market-driven solutions. Governments can prioritize MANRS in RFPs, signaling demand for secure providers. A 2017 Internet Society survey found 94% of enterprises willing to pay premiums for MANRS members.Internet Society Research on Enterprise Preferences, 2017
- Procurement Mandates: Require RPKI support in contracts.
- Incentives: Tax credits or grants for early adopters.
- Critical Infrastructure Focus: Prioritize finance, healthcare, utilities.
- International Coordination: Align with global efforts like MANRS.
Hard mandates risk innovation stifling, especially as RPKI matures. The FCC’s staged approach—awareness, incentives, then requirements—offers a balanced path.
Challenges and Future Directions
Deployment hurdles include resource constraints for small operators and validator scalability. ROA inaccuracies can cause over-filtering, disconnecting legitimate routes. Education remains key; many networks lack RPKI awareness.
Looking ahead, integration with emerging tech like segment routing and AI-driven anomaly detection promises enhancements. Policymakers should monitor MANRS Observatory metrics for progress tracking.
FAQs on Routing Security
What is BGP and why is it vulnerable?
BGP is the protocol routing Internet traffic between autonomous systems. Its trust-based model lacks built-in authentication, enabling hijacks.
How does RPKI work?
RPKI issues digital certificates for IP prefixes, signed into ROAs. Routers validate announcements against these before accepting routes.
Is MANRS mandatory?
No, it’s voluntary, but growing adoption through peer pressure and policy incentives drives compliance.
What can enterprises do?
Select MANRS-certified ISPs, deploy source validation, and advocate for secure procurement.
Has the US government acted?
Yes, NTIA’s 2024 RPKI rollout leads federal efforts, with FCC inquiries shaping broader policy.
Conclusion
US strides in routing security—from FCC inquiries to NTIA implementations—herald a more resilient Internet. By championing MANRS and RPKI via incentives, policymakers can mitigate BGP risks without overregulation. Network operators must act swiftly, as secure routing underpins digital economy and national security. Collective commitment will ensure traffic flows securely worldwide.
References
- U.S. Department of Commerce Implements Internet Routing Security — NTIA. 2024-05. https://www.ntia.gov/press-release/2024/us-department-commerce-implements-internet-routing-security
- The US Makes a Big Step Toward Better Routing Security — Internet Society. 2024-05. https://www.internetsociety.org/blog/2024/05/the-us-makes-a-big-step-toward-better-routing-security/
- Mutually Agreed Norms for Routing Security (MANRS) — Internet Society. 2024. https://www.internetsociety.org/learning/manrs/
- Routing Security for Policymakers — Internet Society. 2018. https://www.internetsociety.org/resources/doc/2018/routing-security-for-policymakers/
- NTIA BGP Filing — NTIA. 2022-05-10. https://www.ntia.doc.gov/sites/default/files/publications/ntia_bgp_filing_051022.pdf
Similar Articles
Read full bio of Sneha Tete
