Home / Blogs

Securing the Core

Chris Grundemann

BGP. Border Gateway Protocol. The de-facto standard routing protocol of the Internet. The nervous system of the Internet. I don't think I can overstate the importance, the criticality of BGP to the operation of the modern Internet. BGP is the glue that holds the Internet together at its core. And like so many integral pieces of the Internet, it, too, is designed and built on the principle of trust. That trust has largely been justified. The folks who operate the individual networks that make up the Internet are generally interested in keeping the Internet operating, in keeping the packets flowing. And they do a great job, for the most part.

However, as the scope, scale, and importance of the Internet have grown, so has the risk. Accidents happen, and there are nefarious people out there.

Luckily the industry has taken note in recent years. Ongoing work in the IETF's Secure InterDomain Routing (SIDR) working group is creating solutions. Specifically, the group is focused on ensuring proper route origination through the development of a Resource Public Key Infrastructure (RPKI) and on ensuring AS path validity through the development of the BGPSEC protocol.

We need to pause here for a moment though. These newer efforts to secure BGP, and with it the core of the Internet, are absolutely laudable, and much good will come from them. But there are some other, perhaps simpler, perhaps older techniques to secure BGP that are too often overlooked by network operators today. Things like prefix filters, max-prefix limits, and setting a TTL with your peer. A fairly recent IETF Internet-Draft on BGP operations and security describes these:

...measures to protect the BGP sessions itself (like TTL, MD5, control plane filtering) and to better control the flow of routing information, using prefix filtering and automatization of prefix filters, max-prefix filtering, AS path filtering, route flap dampening and BGP community scrubbing.

Of course, if every network engineer knew how to deploy all of the available mechanisms for securing BGP, the core of the Internet would be a much safer, more secure and resilient place. That's where Deploy360's newest topic "Securing BGP” comes in!

The Internet Society Deploy360 Programme is designed to put practical information grounded in real-world experiences and case studies into the hands of network operators who need to deploy key Internet technologies. Because we believe that securing its core is key to the future of a free and open Internet, we've launched a new topic on Securing BGP:

This section of our site on "Securing BGP” is focused on providing the information that network operators need to understand in order to secure their routers and ensure that they are doing their part for the security and resiliency of the overall Internet routing infrastructure. We are not focused here on a specific approach but rather outlining the different approaches and tools that are available to help secure your routing systems.

The new Securing BGP topic will collect, curate, and create documentation to help network operators deploy the full range of BGP security mechanisms. From adding MD5 to your peering sessions, to proper prefix filtering, and on to RPKI and BGPSEC when the time is right.

You can help!

We need your help Securing BGP! As was noted in the topic launch announcement, there are several ways for you to get involved:

1. Read through our pages and content roadmap – Please take a look through our "Securing BPG" set of pages, and also please take a look at our content roadmap for [Securing] BGP. Are the current resources listed helpful? Is the way we have structured the information helpful? Will the resources we list on our roadmap help you make your routers more secure?

2. Send us suggestions – If you know of a report, whitepaper, tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.

3. Volunteer – If you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we'll get you connected to what we are doing.

4. Help us spread the word – As we publish resources and blog posts relating to securing BGP, please help us spread those links through social networks so that more people can learn about the topic.

What are you waiting for? Let's secure BGP together!

By Chris Grundemann, Internet Technologist, Author, and Speaker; Principal Architect at Myriad Supply. More blog posts from Chris Grundemann can also be read here.

Related topics: Access Providers, Broadband, Cyberattack, Cybersecurity, Data Center, Internet Protocol, Networks, Telecom


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Mobile Internet

Sponsored by Afilias Mobile & Web Services

DNS Security

Sponsored by Afilias

IP Addressing

Sponsored by Avenue4 LLC


Sponsored by Verisign

Promoted Post

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Dyn Partners with the Internet Systems Consortium to Host Global F-Root Nameservers

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?