Reviewing a Historical Internet Vulnerability: Why Isn't BGP More Secure and What Can We Do About it?

C. Testart
Conference paper
TPRC 46: The Research Conference on Communication, Information and Internet Policy 2018
Washington, DC

The Border Gateway Protocol (BGP) plays a crucial role in today’s communications as it is the inter-domain routing protocol that holds together the Internet, providing the path for IP packets to flow between networks across the globe operated by different providers. Although the first version of BGP was published in 1989 and its lack of security mechanisms has been known since then, BGP remains vulnerable to attacks that can cause large scale outages or can be used for other malicious purposes on the Internet, such as traffic sniffing or spam sending. Moreover, the lack of security has not prevented the surge of new applications that run on top of the Internet, making tampering with BGP increasingly attractive. As an example, BGP hijacking was used to steal at least $83,000 worth of cryptocurrency in 2014, and again more recently in April 2018. Thus, securing BGP is key to increasing the overall security of the Internet ecosystem. This paper offers a historical review of the different ideas put forward to secure inter-domain routing and what happened to these ideas along the way, noting if they were implemented and are in use, the impact they had on other proposals, and other characteristics explaining the difficulty of securing BGP. This study analyzes 10 BGP extensions focused on BGP availability, 7 BGP extensions and best practices focused on securing BGP communication and routing information, and 11 security proposals coming from the research and industry communities. It examines where the ideas came from, the implicit trust delegation and the residual vulnerabilities of proposals. Even though performance and incentives of specific security solutions have been largely discussed, most proposals have not even been implemented, limiting the overall security improvement of BGP. Reviewing the full life cycle of the proposed ideas, the trusted actors and mechanisms and their requirements gives insight into why adoptions rate are so limited. In fact, there is a remarkable lack of consensus on what needs to be secured or validated, and the approach to be taken, preventing solutions to get critical support to move their deployment forward. Additionally, no BGP security mechanism, even the most narrow one, has been easily implemented and deployed. However, there are security best practices that certainly improve local and overall BGP security. Since no solution comes without costs and all proposal have opponents in network operation community, it may be possible that secure routing should be provided as a separate service from routing, and other entities could offer such solutions.