Internet Routing Security: Progress and Challenges
Explore how routing security is improving through global initiatives, yet persistent threats demand ongoing vigilance from network operators worldwide.
The backbone of the internet relies on the Border Gateway Protocol (BGP), which directs data traffic between autonomous networks. However, vulnerabilities in BGP have long exposed the internet to disruptions, from accidental misconfigurations to deliberate attacks. Recent years have witnessed encouraging developments in safeguarding this critical infrastructure, yet the journey toward a fully secure routing ecosystem remains incomplete.
Understanding BGP Vulnerabilities
BGP operates without inherent authentication mechanisms, allowing any network to announce routes for IP address blocks it does not own. This trust-based model, effective in the internet’s early days, now invites risks such as route hijacks—where attackers redirect traffic to malicious destinations—and route leaks, where incorrect announcements flood global tables, causing outages.
These issues can lead to widespread blackouts, data interception, or service degradation. For instance, a single hijack can siphon user data through unauthorized paths, compromising privacy and security.
Positive Trends in Incident Reduction
Data from recent analyses indicate a decline in routing-related disruptions. Total incidents dropped by nearly 10%, with affected autonomous systems (ASes) decreasing proportionally. Fewer networks are perpetrating these events, signaling improved operational practices.
- Overall incidents reduced by 9.6%.
- Victim ASes fell by 12%.
- Perpetrator networks dropped 17%.
This progress suggests that awareness campaigns and technical implementations are yielding results, though the proportion of security incidents versus general outages holds steady.
The Role of Industry Initiatives like MANRS
The Mutually Agreed Norms for Routing Security (MANRS), backed by the Internet Society, establishes voluntary standards for operators. By committing to specific actions, participants enhance collective resilience.
Core MANRS actions include:
- Precise Filtering: Verify outbound route announcements and scrutinize inbound ones from peers using prefix and path details.
- Source Validation: Block spoofed traffic from non-originating sources, especially for edge customers.
- Communication Protocols: Publish accurate contact details for rapid incident response.
- Transparency Tools: Share routing policies in public registries like IRRs or RPKI for peer validation.
These steps address root causes: filters curb leaks, validation prevents hijacks, and coordination speeds resolutions.
Expanding Protections to Internet Exchange Points
Internet Exchange Points (IXPs) amplify risks by aggregating routes. MANRS for IXPs mandates route server filtering using IRR and RPKI data, blocking invalid announcements at the source. IXPs must also advocate MANRS adoption among members, fostering a secure peering environment.
| MANRS for IXPs Requirement | Description | Impact |
|---|---|---|
| Route Filtering | Apply IRR/RPKI checks at route servers | Stops invalid routes from propagating |
| Membership Outreach | Encourage MANRS compliance | Builds network-wide security culture |
| Monitoring Tools | Deploy detection for anomalies | Enables proactive threat mitigation |
Technological Pillars: RPKI and ROAs
Resource Public Key Infrastructure (RPKI) introduces cryptographic validation. Route Origin Authorizations (ROAs) digitally sign prefix ownership, allowing operators to reject unauthorized announcements. Major players like AWS have achieved near-100% coverage, dropping invalid routes globally.
The U.S. government’s 2024 roadmap endorses RPKI, urging widespread ROA creation and validation. Future extensions like BGPsec and AS Path Authorizations promise path verification, closing remaining gaps.
Quantifying the Gains
Statistics underscore momentum:
- 4.4% of ASes impacted annually, down 1%.
- IXP filter checks now monitor compliance worldwide.
- MANRS participants growing, pulling in more adopters.
Despite this, incidents persist, affecting thousands of networks and underscoring the need for universal adoption.
Obstacles to Full Deployment
Challenges include operational complexity, legacy equipment, and inertia among smaller operators. Resource constraints hinder RPKI setup, while inconsistent IRR data undermines filtering. Geopolitical tensions also spur state-sponsored hijacks.
Government mandates, like the White House roadmap, aim to accelerate progress through incentives and standards.
Best Practices for Operators
To contribute:
- Deploy RPKI: Generate ROAs and enable validation.
- Implement Filters: Use max-prefix limits and customer IRR checks.
- Join MANRS: Publicly commit and verify compliance.
- Monitor Actively: Leverage tools like Oracle’s IXP checks.
Future Horizons in Routing Security
Emerging standards like BGPsec will authenticate full paths, while automation via SIDR enhances scalability. Community events like APRICOT reinforce collaboration, as seen in 2019 promotions.
Sustained investment promises a more robust internet, resilient to evolving threats.
Frequently Asked Questions (FAQs)
What is a BGP route hijack?
A route hijack occurs when a malicious actor announces false routes, diverting traffic from legitimate paths.
How does RPKI improve security?
RPKI uses digital signatures to verify route origins, preventing unauthorized announcements.
Why join MANRS?
It standardizes practices, reducing incidents and enhancing reputation among peers.
Are there tools for monitoring?
Yes, services like Internet Society’s Deploy360 and IXP filter checks provide visibility.
What’s the status of global adoption?
Progressing, with leaders like AWS at 99% ROA coverage, but broader uptake needed.
References
- Roadmap to Enhancing Internet Routing Security — The White House. 2024-09. https://bidenwhitehouse.archives.gov/wp-content/uploads/2024/09/Roadmap-to-Enhancing-Internet-Routing-Security.pdf
- How AWS is Helping to Secure Internet Routing — Amazon Web Services. 2023-06-28. https://aws.amazon.com/blogs/networking-and-content-delivery/how-aws-is-helping-to-secure-internet-routing/
- The US Makes a Big Step Toward Better Routing Security — Internet Society. 2024-05. https://www.internetsociety.org/blog/2024/05/the-us-makes-a-big-step-toward-better-routing-security/
- Routing — Internet Society Deploy360. 2023. https://www.internetsociety.org/deploy360/routing/
- Making Progress on Routing Security: The New White House Roadmap — Cloudflare Blog. 2024. https://blog.cloudflare.com/white-house-routing-security/
Similar Articles
Read full bio of medha deb
