
Securing the Core

Chris Grundemann

BGP. Border Gateway Protocol. The de-facto standard routing protocol of the Internet. The nervous system of the Internet. I don't think I can overstate the importance, the criticality of BGP to the operation of the modern Internet. BGP is the glue that holds the Internet together at its core. And like so many integral pieces of the Internet, it, too, is designed and built on the principle of trust. That trust has largely been justified. The folks who operate the individual networks that make up the Internet are generally interested in keeping the Internet operating, in keeping the packets flowing. And they do a great job, for the most part.

However, as the scope, scale, and importance of the Internet have grown, so has the risk. Accidents happen, and there are nefarious people out there.

Luckily the industry has taken note in recent years. Ongoing work in the IETF's Secure InterDomain Routing (SIDR) working group is creating solutions. Specifically, the group is focused on ensuring proper route origination through the development of a Resource Public Key Infrastructure (RPKI) and on ensuring AS path validity through the development of the BGPSEC protocol.

We need to pause here for a moment though. These newer efforts to secure BGP, and with it the core of the Internet, are absolutely laudable, and much good will come from them. But there are some other, perhaps simpler, perhaps older techniques to secure BGP that are too often overlooked by network operators today. Things like prefix filters, max-prefix limits, and setting a TTL with your peer. A fairly recent IETF Internet-Draft on BGP operations and security describes these:

...measures to protect the BGP sessions itself (like TTL, MD5, control plane filtering) and to better control the flow of routing information, using prefix filtering and automatization of prefix filters, max-prefix filtering, AS path filtering, route flap dampening and BGP community scrubbing.

Of course, if every network engineer knew how to deploy all of the available mechanisms for securing BGP, the core of the Internet would be a much safer, more secure and resilient place. That's where Deploy360's newest topic "Securing BGP" comes in!

The Internet Society Deploy360 Programme is designed to put practical information grounded in real-world experiences and case studies into the hands of network operators who need to deploy key Internet technologies. Because we believe that securing its core is key to the future of a free and open Internet, we've launched a new topic on Securing BGP:

This section of our site on "Securing BGP" is focused on providing the information that network operators need to understand in order to secure their routers and ensure that they are doing their part for the security and resiliency of the overall Internet routing infrastructure. We are not focused here on a specific approach but rather outlining the different approaches and tools that are available to help secure your routing systems.

The new Securing BGP topic will collect, curate, and create documentation to help network operators deploy the full range of BGP security mechanisms, from adding MD5 to your peering sessions, to proper prefix filtering, and on to RPKI and BGPSEC when the time is right.

You can help!

We need your help Securing BGP! As was noted in the topic launch announcement, there are several ways for you to get involved:

1. Read through our pages and content roadmap – Please take a look through our "Securing BGP" set of pages, and also please take a look at our content roadmap for [Securing] BGP. Are the current resources listed helpful? Is the way we have structured the information helpful? Will the resources we list on our roadmap help you make your routers more secure?

2. Send us suggestions – If you know of a report, whitepaper, tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.

3. Volunteer – If you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we'll get you connected to what we are doing.

4. Help us spread the word – As we publish resources and blog posts relating to securing BGP, please help us spread those links through social networks so that more people can learn about the topic.

What are you waiting for? Let's secure BGP together!

By Chris Grundemann, Internet Technologist, Author, and Speaker. All opinions are his and his alone. More blog posts from Chris Grundemann can also be read here.
