The Border Gateway Protocol (BGP) is the protocol used throughout the Internet to exchange routing information between networks. It is the language spoken by routers on the Internet to determine how packets can be sent from one router to another to reach their final destination. BGP has worked extremely well and continues to the be protocol that makes the Internet work.
The challenge with BGP is that the protocol does not directly include security mechanisms and is based largely on trust between network operators that they will secure their systems correctly and not send incorrect data. Mistakes happen, though, and problems could arise if malicious attackers were to try to affect the routing tables used by BGP.
Here, we hope to provide the information that network operators need to understand to secure their routers and ensure that they are doing their part for the security and resiliency of the overall Internet routing infrastructure. We are not focused on a specific approach but rather outlining the different approaches and tools that are available to help secure your routing systems. A great document to understand our overall focus with this section is RFC 7454, “BGP Operations and Security“.
- RFC7454: BGP Operations and Security
- NIST: Special Publication SP 800-54 – Border Gateway Protocol Security
- Internet Society: Routing Security: Report on 3rd Internet Society Operator Roundtable
- RFC 4271: background information on BGP
PKIs and CAs
There are several commonly used mechanisms for supporting secure and private communication, transaction protection and identity assertion and management. These include the so-called Internet PKI commonly used for secure web browsing but which can be used for other applications, PKI for e-mail, RPKI used by Regional Internet Registries to assert the holders of IP resources, and DNSSEC that can be used to validate DNS queries. DANE is a new protocol that uses DNSSEC to allow owners to assert their own digital certificates, and therefore potentially incorporate the functionality of the Internet PKI into the global DNS.
This Introduction to PKIs & CAs provides an overview of how these mechanisms work and how they are deployed.
You may also want to read through the various reports available about securing BGP and explore the work happening in the IETF within the Secure Inter-Domain Routing (SIDR) working group.
Have suggestions for other questions you’d like to see us answer here? Please let us know!