The new White House report outlines the necessary steps to enhance Internet routing security through the utilization of the Border Gateway Protocol (BGP), a vital component in managing Internet traffic globally.
The concerns regarding routing security came to light in 2022, when reports surfaced of foreign hackers intercepting Internet traffic through vulnerabilities in the BGP protocol, a tactic known as BGP hijacking. This prompted the development of the roadmap.
The report involved various key government agencies including the Department of Justice (DOJ), Department of Defense (DOD), Federal Communications Commission (FCC), Cybersecurity and Infrastructure Security Agency (CISA), and the White House’s Office of the National Cyber Director (ONCD).
The recommendations from ONCD suggest using technologies like RPKI, ROA, and ROV for Internet network operators to ensure the legitimacy of IP addresses and route declarations.
The report emphasizes the implementation of RPKI and its associated technologies, such as ROA, to verify authorized network declarations for specific IP address blocks. ROV is used to validate the correctness and security of declared routes from other networks.
While mentioning the extension technology BGPsec, the focus remains on gradually implementing ROA as the initial step towards enhancing routing security rather than prioritizing BGPsec at present.
A crucial aspect of the strategy involves collaboration with the private sector. The White House plans to form a working group with CISA to develop guidelines and resources to facilitate the adoption of RPKI, ROA, and ROV technologies.
According to data from the National Institute of Standards and Technologies (NIST), nearly half of BGP network routes are currently under ROV validation, with over 70% of IPV4 routes being protected by ROA, as indicated by Kentik’s research. However, as noted by Cloudflare, the majority of this protected traffic originates from international networks rather than domestic U.S. companies, highlighting the need for broader adoption of these security technologies domestically.