Securing the Core

Chris Grundemann

BGP. Border Gateway Protocol. The de-facto standard routing protocol of the Internet. The nervous system of the Internet. I don't think I can overstate the importance, the criticality of BGP to the operation of the modern Internet. BGP is the glue that holds the Internet together at its core. And like so many integral pieces of the Internet, it, too, is designed and built on the principle of trust. That trust has largely been justified. The folks who operate the individual networks that make up the Internet are generally interested in keeping the Internet operating, in keeping the packets flowing. And they do a great job, for the most part.

However, as the scope, scale, and importance of the Internet have grown, so has the risk. Accidents happen, and there are nefarious people out there.

Luckily the industry has taken note in recent years. Ongoing work in the IETF's Secure InterDomain Routing (SIDR) working group is creating solutions. Specifically, the group is focused on ensuring proper route origination through the development of a Resource Public Key Infrastructure (RPKI) and on ensuring AS path validity through the development of the BGPSEC protocol.

We need to pause here for a moment though. These newer efforts to secure BGP, and with it the core of the Internet, are absolutely laudable, and much good will come from them. But there are some other, perhaps simpler, perhaps older techniques to secure BGP that are too often overlooked by network operators today. Things like prefix filters, max-prefix limits, and setting a TTL with your peer. A fairly recent IETF Internet-Draft on BGP operations and security describes these:

...measures to protect the BGP sessions itself (like TTL, MD5, control plane filtering) and to better control the flow of routing information, using prefix filtering and automatization of prefix filters, max-prefix filtering, AS path filtering, route flap dampening and BGP community scrubbing.
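To make three of the measures named above concrete (prefix filtering, a max-prefix limit, and a TTL check on the session), here is a small model of inbound policy for a single IPv4 peer. It is an added example, not code from the post, the Internet-Draft, or Deploy360. The function names, bogon list, /24 length cap, limit of 3, and sample prefixes are all constructed assumptions, and it assumes max-prefix is counted on routes that survive the filter.

```python
import ipaddress

# Constructed policy values for a hypothetical IPv4 peer; none come from the post.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_LEN = 24      # refuse routes more specific than /24
MAX_PREFIX = 3    # max-prefix limit, kept tiny so the demo can trip it


def ttl_ok(received_ttl, hops=1):
    """TTL check in the style of GTSM (RFC 5082): the peer sends TTL 255, so a
    packet from at most `hops` away must still carry at least 255 - (hops - 1).
    Vendors may compute the threshold slightly differently."""
    return received_ttl >= 255 - (hops - 1)


def prefix_allowed(prefix, allowed):
    """Inbound prefix filter: drop over-specific routes, bogons, and anything
    outside the address space this peer is expected to announce."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_LEN:
        return False
    if any(net.subnet_of(b) for b in BOGONS):
        return False
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)


def process_session(announcements, allowed, max_prefix=MAX_PREFIX):
    """Filter each announcement, then enforce max-prefix on what was accepted.
    Returns (accepted, rejected, session_up)."""
    accepted, rejected = [], []
    for prefix in announcements:
        if not prefix_allowed(prefix, allowed):
            rejected.append(prefix)
            continue
        if len(accepted) >= max_prefix:
            # Limit exceeded (e.g. a route leak): tear down and flush routes.
            return [], rejected, False
        accepted.append(prefix)
    return accepted, rejected, True


if __name__ == "__main__":
    peer_space = ["203.0.113.0/24", "198.51.100.0/24"]  # constructed
    updates = ["203.0.113.0/24", "10.1.0.0/16", "203.0.113.128/25", "192.0.2.0/24"]
    print(process_session(updates, peer_space))
    print(ttl_ok(255), ttl_ok(64))
```

The filter stops a bad announcement one route at a time, while the max-prefix limit is the backstop for the case where a peer suddenly sends far more valid-looking routes than it ever should.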

Of course, if every network engineer knew how to deploy all of the available mechanisms for securing BGP, the core of the Internet would be a much safer, more secure and resilient place. That's where Deploy360's newest topic "Securing BGP" comes in!

The Internet Society Deploy360 Programme is designed to put practical information grounded in real-world experiences and case studies into the hands of network operators who need to deploy key Internet technologies. Because we believe that securing its core is key to the future of a free and open Internet, we've launched a new topic on Securing BGP:

This section of our site on "Securing BGP" is focused on providing the information that network operators need to understand in order to secure their routers and ensure that they are doing their part for the security and resiliency of the overall Internet routing infrastructure. We are not focused here on a specific approach but rather outlining the different approaches and tools that are available to help secure your routing systems.

The new Securing BGP topic will collect, curate, and create documentation to help network operators deploy the full range of BGP security mechanisms. From adding MD5 to your peering sessions, to proper prefix filtering, and on to RPKI and BGPSEC when the time is right.

You can help!

We need your help Securing BGP! As was noted in the topic launch announcement, there are several ways for you to get involved:

1. Read through our pages and content roadmap – Please take a look through our "Securing BGP" set of pages, and also please take a look at our content roadmap for [Securing] BGP. Are the current resources listed helpful? Is the way we have structured the information helpful? Will the resources we list on our roadmap help you make your routers more secure?

2. Send us suggestions – If you know of a report, whitepaper, tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.

3. Volunteer – If you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we'll get you connected to what we are doing.

4. Help us spread the word – As we publish resources and blog posts relating to securing BGP, please help us spread those links through social networks so that more people can learn about the topic.

What are you waiting for? Let's secure BGP together!

By Chris Grundemann, Internet Technologist, Author, and Speaker. All opinions are his and his alone. More blog posts from Chris Grundemann can also be read here.

Related topics: Access Providers, Broadband, Cyberattack, Data Center, Internet Protocol, Security, Telecom
