The Daily Swig Web security digest

Best router forward: New network security standards created

James Walker | 03 October 2017 at 12:00

New standards for securing the Border Gateway Protocol will help protect internet traffic from hijacking by data thieves, says NIST.

Electronic messages traveling across the internet are under constant threat from data thieves, but new security standards created with the technical guidance of the National Institute of Standards and Technology (NIST) will purportedly reduce the risk of messages being intercepted or stolen.

The set of standards, known as Secure Inter-Domain Routing (SIDR), has been published by the Internet Engineering Task Force (IETF) and represents the first comprehensive effort to defend the internet’s routing system from attack.

Addressing a security weakness that has been a part of the internet since its earliest days, the SIDR initiative has been led by a collaboration between US measurement standards lab NIST and the Department of Homeland Security (DHS) Science and Technology Directorate.

The new specifications provide the first standardized approach for global defense against sophisticated attacks on the internet’s routing system.

The overall strategy creates a defense mechanism for the Border Gateway Protocol (BGP), the system that routers use to determine the path data takes as it travels across the collection of networks that comprise the internet.

“BGP is a global scale system, where routing data for hundreds of thousands of destinations is exchanged between tens of thousands of networks,” said Doug Montgomery, a NIST computer scientist and manager of the project.

“The informal trust mechanisms we’ve relied on in the past can’t be scaled up to protect a system of that size. BGP as currently deployed has no built-in security mechanisms, so it is common to see examples of ‘route hijacks’ and ‘path detours’ by malicious parties meant to capture, eavesdrop upon or deny legitimate internet data exchanges.”

The overall defensive effort will use cryptographic methods to ensure routing data travels along an authorized path between networks, utilizing Resource Public Key Infrastructure (RPKI), BGP Origin Validation and BGP Path Validation.

“Employing this idea of ‘path validation’ together with origin validation could deter stealthy attacks intended to reroute data without the recipient realizing it,” explained NIST.
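The origin validation component described above is the part of the SIDR toolkit that is fully specified in the RPKI-based route origin validation procedure (RFC 6811): a router compares each received route against the Validated ROA Payloads (VRPs) that an RPKI validator has already cryptographically checked, and marks the route valid, invalid or not found. The following is an added example written for this page, not NIST or IETF code; the VRP table, prefixes and AS numbers are constructed sample data drawn from documentation ranges and private AS numbers, and the function names are assumptions. It also shows why origin validation alone is not enough, which is the gap path validation is meant to close.

```python
"""Route Origin Validation (RFC 6811) against a table of Validated ROA Payloads.

Added example for this page, not code from NIST or the IETF. The VRPs,
prefixes and AS numbers below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Union


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: the (prefix, maxLength, origin AS) triple that an
    RPKI validator hands to the router after checking the ROA's signature chain."""
    prefix: str
    max_length: int
    asn: int


# An AS_PATH element is a single AS number or, for aggregates, an AS_SET.
AsPathElement = Union[int, frozenset]


def origin_as(as_path: Sequence[AsPathElement]) -> Optional[int]:
    """The origin is the rightmost AS_PATH element. An AS_SET there has no single
    origin, so RFC 6811 treats such a route as matching no VRP."""
    if not as_path:
        return None
    last = as_path[-1]
    return last if isinstance(last, int) else None


def validate_origin(route_prefix: str, as_path: Sequence[AsPathElement],
                    vrps: Iterable[VRP]) -> str:
    """Return 'valid', 'invalid' or 'notfound' for a received route.

    Covered: the route prefix equals, or is more specific than, the VRP prefix.
    Matched: covered, route length <= maxLength, and origin AS == VRP AS.
    valid if any VRP matches; invalid if covered but never matched; notfound
    if no VRP covers the route at all (no ROA exists for that address space).
    """
    net = ipaddress.ip_network(route_prefix, strict=False)
    origin = origin_as(as_path)
    covered = False
    for vrp in vrps:
        vnet = ipaddress.ip_network(vrp.prefix, strict=False)
        if vnet.version != net.version or not net.subnet_of(vnet):
            continue  # this VRP does not cover the route
        covered = True
        if origin is not None and origin == vrp.asn and net.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


# Constructed VRP table: AS 64496 holds 192.0.2.0/24 (no more-specifics allowed),
# 203.0.113.0/24 (may be split into /25s) and 2001:db8::/32 (down to /48).
SAMPLE_VRPS = (
    VRP("192.0.2.0/24", 24, 64496),
    VRP("203.0.113.0/24", 25, 64496),
    VRP("2001:db8::/32", 48, 64496),
)


def run_scenarios(vrps: Iterable[VRP] = SAMPLE_VRPS) -> dict:
    """Classify a set of constructed announcements, including two hijack attempts."""
    vrps = tuple(vrps)
    return {
        "legitimate": validate_origin("192.0.2.0/24", [64500, 64496], vrps),
        "wrong_origin_hijack": validate_origin("192.0.2.0/24", [64500, 64511], vrps),
        "more_specific_hijack": validate_origin("192.0.2.0/25", [64500, 64511], vrps),
        "allowed_split": validate_origin("203.0.113.128/25", [64496], vrps),
        "too_specific_own_as": validate_origin("203.0.113.0/26", [64496], vrps),
        "no_roa": validate_origin("198.51.100.0/24", [64511], vrps),
        "ipv6_ok": validate_origin("2001:db8:1::/48", [64500, 64496], vrps),
        "ipv6_too_long": validate_origin("2001:db8:1::/64", [64496], vrps),
        "as_set_origin": validate_origin("192.0.2.0/24", [64500, frozenset({64496, 64497})], vrps),
        # Forged path: the attacker (AS 64511) appends the real origin to the
        # AS_PATH. Origin validation cannot see this; only path validation can.
        "forged_origin_hijack": validate_origin("192.0.2.0/24", [64511, 64496], vrps),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} {result}")
```

The last scenario is the practical caveat: a router applying only origin validation accepts the route whose AS_PATH was forged to end in the legitimate origin, because the check looks solely at the last AS. That is the class of stealthy reroute the BGPsec path validation specifications add signatures for, with each AS along the path signing its forwarding of the route.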

The new specifications for BGP Path Validation, along with the other components of the complete solution, are available at the IETF Secure Inter-Domain Routing Working Group’s website.