Securing Border Gateway Protocol (BGP)

The Border Gateway Protocol (BGP) is the protocol used throughout the Internet to exchange routing information between networks.

It is the language spoken by routers on the Internet to determine how packets can be sent from one router to another to reach their final destination. BGP has worked extremely well and continues to be the protocol that makes the Internet work.

The challenge with BGP is that the protocol does not directly include security mechanisms. It is based largely on trust between network operators: each trusts the others to secure their systems correctly and not send incorrect data. Mistakes happen, though, and problems could arise if malicious attackers were to try to affect the routing tables used by BGP.

Here, we hope to provide the information that network operators need to secure their routers and ensure that they are doing their part for the security and resiliency of the overall Internet routing infrastructure. We are not focused on a specific approach; rather, we outline the different approaches and tools that are available to help secure your routing systems. A great document for understanding our overall focus in this section is RFC 7454, “BGP Operations and Security”.

Basics

PKIs and CAs

There are several commonly used mechanisms for supporting secure and private communication, transaction protection, and identity assertion and management. These include the so-called Internet PKI, commonly used for secure web browsing but also usable for other applications; PKI for e-mail; RPKI, used by Regional Internet Registries to assert the holders of IP resources; and DNSSEC, which can be used to validate DNS queries. DANE is a new protocol that uses DNSSEC to allow owners to assert their own digital certificates, and therefore potentially incorporate the functionality of the Internet PKI into the global DNS.

This Introduction to PKIs & CAs provides an overview of how these mechanisms work and how they are deployed.

You may also want to read through the various reports available about securing BGP and explore the work happening in the IETF within the Secure Inter-Domain Routing (SIDR) working group.

Follow the MANRS blog for more information on BGP.