Security
A Framework for Improving Internet Routing Security
Key Points
- The Routing Security Profile approaches routing security from a holistic, risk management perspective.
- It is applicable for use by any autonomous system operator — large or small — to enhance routing security.
- The profile and the underlying technical controls must continue to evolve to stay ahead of a constantly changing threat landscape.
- Our next step is to engage with the broader internet community to drive awareness and further improve and advance this work.
Reliable and secure routing is essential for the connectivity of critical communications networks, ensuring that data packets reach their intended destinations without being intercepted, altered or dropped. Inadequate routing security can make the entire network susceptible to attacks such as Internet Protocol (IP) spoofing, route hijacking and man-in-the-middle attacks.
With the increasing complexity and ubiquity of IP network infrastructures across the globe, the security of core routing protocols — including the Border Gateway Protocol (BGP) and the Resource Public Key Infrastructure (RPKI) — is an integral facet of the cybersecurity landscape. Malicious actors and threat vectors that target the network routing layer can lead to severe disruptions, such as data leakage, network outages and unauthorized access to sensitive information.
To address the issue, CableLabs has just released a “Cybersecurity Framework Profile for Internet Routing” (Routing Security Profile, or RSP) that serves as a foundation for improving the security of the internet’s routing system. The RSP is an actionable and adaptable guide, aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), that enables Internet Service Providers (ISPs), enterprise networks, cloud service providers and organizations — large and small — to proactively identify risks and mitigate threats to enhance routing infrastructure security.
The RSP was developed as an extension of CableLabs’ and the cable industry’s longstanding leadership and commitment to building and maintaining a more secure internet ecosystem. It also was developed in response to NIST’s call to action to submit examples of “profiles” mapped to the CSF that are aimed at addressing cybersecurity risks associated with a particular business activity or operation.
What Is the Routing Security Profile, and Who Can Use It?
Network engineers, IT managers, cybersecurity professionals and decision-makers involved in network security risk management are prime candidates for using the RSP — with its exclusive focus on routing protocols and services — as one tool in an overall network strategy to enhance existing security policies and risk management procedures within their organizations.
The RSP describes various technologies and techniques used for internet routing security, including BGP, Internet Routing Registries (IRRs), Autonomous System (AS) path filtering and RPKI. In addition, it outlines several key recommendations for improving BGP security that include Route Origin Authorizations (ROAs), Route Origin Validation (ROV), BGP peer authentication, prefix filtering and monitoring for anomalies.
What Can the Routing Security Profile Do?
By mapping routing security best practices and standards to the applicable key categories and subcategories of the NIST CSF 1.1’s Core Functions — Identify, Protect, Detect, Respond and Recover — the RSP can help organizations with the following tasks:
- Identifying systems, assets, data and risks that pertain to IP networks.
- Protecting IP networks by performing self-assessments and adhering to cybersecurity principles.
- Detecting cybersecurity-related disturbances or corruption of IP network services and data.
- Responding to IP network service or data anomalies in a timely, effective and resilient manner.
- Recovering the IP network to proper working order after a cybersecurity incident.
The RSP is a framework for improving security and managing risks for internet routing, which is one key piece of a larger critical infrastructure cybersecurity puzzle. As with any endeavor in security, the RSP will evolve over time to reflect changes to the NIST CSF, including the CSF 2.0 update coming in early 2024, advances in routing security technologies and the rapidly emerging security threat landscape.
The RSP was developed by CableLabs’ Cable Routing Engineering for Security and Trust Working Group (CREST WG). The CREST WG is composed of routing security technologists from CableLabs, NCTA — The Internet & Television Association, as well as network operators from around the world, including representatives from Armstrong, Charter, Comcast, Cox, Eastlink, Liberty Global, Midco, Rogers/Shaw and Videotron. For more information on the CREST WG, please contact us.
We welcome feedback on the RSP from other internet ecosystem stakeholders as we continue to advance this work. Please send comments to Tao Wan. We will also engage with the broader internet community through forums such as M 3AAWG to drive awareness and to further improve the profile for the benefit of all AS operators, including ISPs, cloud service providers, government agencies, universities and other organizations.