
Securing the Core

Chris Grundemann

BGP. Border Gateway Protocol. The de-facto standard routing protocol of the Internet. The nervous system of the Internet. I don't think I can overstate the importance, the criticality of BGP to the operation of the modern Internet. BGP is the glue that holds the Internet together at its core. And like so many integral pieces of the Internet, it, too, is designed and built on the principle of trust. That trust has largely been justified. The folks who operate the individual networks that make up the Internet are generally interested in keeping the Internet operating, in keeping the packets flowing. And they do a great job, for the most part.

However, as the scope, scale, and importance of the Internet have grown, so has the risk. Accidents happen, and there are nefarious people out there.

Luckily the industry has taken note in recent years. Ongoing work in the IETF's Secure InterDomain Routing (SIDR) working group is creating solutions. Specifically, the group is focused on ensuring proper route origination through the development of a Resource Public Key Infrastructure (RPKI) and on ensuring AS path validity through the development of the BGPSEC protocol.

We need to pause here for a moment though. These newer efforts to secure BGP, and with it the core of the Internet, are absolutely laudable, and much good will come from them. But there are some other, perhaps simpler, perhaps older techniques to secure BGP that are too often overlooked by network operators today. Things like prefix filters, max-prefix limits, and setting a TTL with your peer. A fairly recent IETF Internet-Draft on BGP operations and security describes these:

...measures to protect the BGP sessions itself (like TTL, MD5, control plane filtering) and to better control the flow of routing information, using prefix filtering and automatization of prefix filters, max-prefix filtering, AS path filtering, route flap dampening and BGP community scrubbing.
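As an added illustration (not from the original post or the Internet-Draft), the following Python sketch audits a router configuration for four of the session and filtering protections named above: MD5, TTL security, max-prefix, and an inbound prefix filter. It assumes Cisco IOS / FRR-style `neighbor` commands written per neighbor (peer-group inheritance is not resolved); the sample configuration, addresses and AS numbers are constructed, and `audit_bgp_neighbors` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in Cisco IOS / FRR-style syntax (documentation addresses and ASNs).
SAMPLE_CONFIG = """\
router bgp 64500
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 password s3cret-placeholder
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 maximum-prefix 1000
 neighbor 192.0.2.1 prefix-list PEER-64501-IN in
 neighbor 198.51.100.7 remote-as 64502
 neighbor 198.51.100.7 maximum-prefix 500
 neighbor 198.51.100.7 prefix-list PEER-64502-OUT out
"""

# Protections named in the text, keyed to the neighbor sub-command that enables each.
CHECKS = {
    "md5": re.compile(r"^password\s+\S+"),
    "ttl-security": re.compile(r"^ttl-security\s+hops\s+\d+"),
    "max-prefix": re.compile(r"^maximum-prefix\s+\d+"),
    "inbound-prefix-filter": re.compile(r"^prefix-list\s+\S+\s+in\b"),
}

NEIGHBOR = re.compile(r"^\s*neighbor\s+(\S+)\s+(.+?)\s*$")


def audit_bgp_neighbors(config: str) -> dict[str, list[str]]:
    """Return {neighbor: [missing protections]} for every neighbor in the config."""
    present = defaultdict(set)
    for line in config.splitlines():
        m = NEIGHBOR.match(line)
        if not m:
            continue
        peer, rest = m.groups()
        present[peer]  # register the neighbor even if no protection matches
        for name, pattern in CHECKS.items():
            if pattern.match(rest):
                present[peer].add(name)
    return {peer: sorted(set(CHECKS) - found) for peer, found in present.items()}


if __name__ == "__main__":
    for peer, missing in audit_bgp_neighbors(SAMPLE_CONFIG).items():
        print(peer, "OK" if not missing else "missing: " + ", ".join(missing))
```

The second neighbor in the sample is flagged because it has only an outbound prefix list and a max-prefix limit, so nothing constrains what it can announce inbound and the session itself is unprotected.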

Of course, if every network engineer knew how to deploy all of the available mechanisms for securing BGP, the core of the Internet would be a much safer, more secure and resilient place. That's where Deploy360's newest topic "Securing BGP" comes in!

The Internet Society Deploy360 Programme is designed to put practical information grounded in real-world experiences and case studies into the hands of network operators who need to deploy key Internet technologies. Because we believe that securing its core is key to the future of a free and open Internet, we've launched a new topic on Securing BGP:

This section of our site on "Securing BGP" is focused on providing the information that network operators need to understand in order to secure their routers and ensure that they are doing their part for the security and resiliency of the overall Internet routing infrastructure. We are not focused here on a specific approach but rather outlining the different approaches and tools that are available to help secure your routing systems.

The new Securing BGP topic will collect, curate, and create documentation to help network operators deploy the full range of BGP security mechanisms: from adding MD5 to your peering sessions, to proper prefix filtering, and on to RPKI and BGPSEC when the time is right.

You can help!

We need your help Securing BGP! As was noted in the topic launch announcement, there are several ways for you to get involved:

1. Read through our pages and content roadmap – Please take a look through our "Securing BGP" set of pages, and also please take a look at our content roadmap for [Securing] BGP. Are the current resources listed helpful? Is the way we have structured the information helpful? Will the resources we list on our roadmap help you make your routers more secure?

2. Send us suggestions – If you know of a report, whitepaper, tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.

3. Volunteer – If you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we'll get you connected to what we are doing.

4. Help us spread the word – As we publish resources and blog posts relating to securing BGP, please help us spread those links through social networks so that more people can learn about the topic.

What are you waiting for? Let's secure BGP together!

By Chris Grundemann, Internet Technologist, Author, and Speaker. All opinions are his and his alone. More blog posts from Chris Grundemann can also be read here.

Related topics: Access Providers, Broadband, Cyberattack, Data Center, Internet Protocol, Security, Telecom
