CISO2CISO.COM & CYBER SECURITY GROUP

ROUTING SECURITY – BGP INCIDENTS, MITIGATION, TECHNIQUES AND POLICY ACTIONS BY OECD

Routing, the process by which data packets are directed across the Internet to their destinations, is central
to the operation of the Internet. Networks exchange routing information about destinations and the paths by which they can be reached using the Border Gateway Protocol (BGP). When this system fails, the
Internet is unable to forward packets between networks or facilitate communications between them. Given its fundamental importance, ensuring the security and availability of the routing system is critical.
This report aims to analyse three main questions:


 What is the scope and scale of routing incidents?
 Which security techniques have been proposed to address them and how effective are they?
 What is the role of policy makers in securing the routing system?


Internet routing is affected by accidental and intentional disruptions and security breaches. While
the Internet is generally resilient, the vulnerability of its routing continues to grow more pressing. For
example, Facebook’s over five-hour global outage in October 2021 was caused in part by a failure of its
routing, resulted in more than 1.2 trillion person-minutes of service unavailability, and has been cited as
the largest communications outage in history (Madory, 2021[1]). Routing vulnerabilities have been
understood for many years, but persist. This is driven by several challenges, including the complexity
of the issue, the interconnected nature of the global Internet requiring collective action to improve security overall, and a lack of incentives among some stakeholders to spend time, money, or resources to
implement existing techniques or develop new ones.


Another aspect of the problem lies in understanding the scope and scale of routing incidents, for which
robust data over time is needed. Only a few measurement efforts exist, all with varying degrees of
robustness, availability and period of observation. Similarly, there are limited sources to track the
effectiveness of security techniques to decrease the incidence of routing events. This data is required for
policy makers to gauge how routing incidents are evolving over time and to measure the impact of policy
initiatives.


The universe of available routing security techniques each address aspects of routing security but fail to
provide a sufficiently comprehensive solution, even when implemented together. Routing security
techniques consist principally of filtering incorrect or malicious routing information as it enters and leaves
networks, using filters built with various methods. However, currently, no single technique or
combination of techniques will meet the various challenges facing routing security. Nevertheless,
while not a complete solution, network operators should implement the currently deployable techniques
and good practices to ensure all available protection against routing incidents.


In light of the measurement challenges of tracking routing incidents, governments have an important
role to fund the collection and publication of time-series data to identify and analyse routing
incidents. Funding can support existing, neutral multi-stakeholder initiatives and should be longterm
and consistent. Data should be published at no cost, in an easy to read and process format.
Additionally, methods should be developed to track the implementation and effectiveness of routing
security techniques in the same way. Without information on the scope of the problem and the
effectiveness of implemented techniques, policy makers do not have the information necessary to follow
an evidence-based approach to policy making.


Furthermore, policy makers can promote the awareness and deployment of available routing
security techniques among industry by issuing tailored guidance and implementing relevant techniques
in government-owned IP addresses and autonomous systems (ASes). This would not only serve to benefit
the routing system more generally by putting in place good practices, it would also allow the government
to be able to share its experience to help other networks with real-world implementation. Policy makers
could also facilitate information exchange on routing incidents between different stakeholders.

This information sharing could take place in existing structures within national, regional or sectoral
Computer Emergency Response Teams (CERTs) or Information Sharing and Analysis Centres (ISACs),
regulatory bodies, or government agencies. Safeguards should be put in place to protect informants from
liability or reprisal. Existing multi-stakeholder initiatives that encourage cross-border information sharing
and exchange of good practices should also be recognised as key convening bodies that facilitate
international cooperation.


Finally, governments can contribute to enhanced routing security by working with industry and technical
experts to define a common framework to improve routing security. While many governments
currently regard routing security as a subset of cybersecurity, a more specific focus is necessary to make
a significant and lasting improvement on the security of the routing system. OECD members, including
Finland, Japan, and Sweden, are exploring possible approaches from formalised partnerships, to
regulatory monitoring of implemented techniques, to voluntary guidelines, to more defined secondary
legislation.

This report on “Routing Security: BGP incidents, mitigation techniques and policy actions” was prepared
jointly by the Working Party on Communication Infrastructure and Services Policy (WPCISP) and the
Working Party on Security in the Digital Economy (WPSDE). It considers the challenges related to the
digital security of the routing system, the solutions proposed to address some of these challenges and the role of policy makers to foster routing security. This report should be read in conjunction with the
accompanying report on the “Security of the Domain Name System (DNS): an introduction for policy
makers”.
This report was drafted by Lauren Crean with contributions by Verena Weber, Laurent Bernat and
Ghislain de Salins from the OECD Secretariat and by WPCISP and WPSDE delegates. It was prepared
under the supervision of Verena Weber and Laurent Bernat. This publication is a contribution to IOR
1.3.1.3.3, “How to analyse and enhance the security of communication networks” of the 2021-2022
Programme of Work and Budget of the CDEP.


The Secretariat wishes to thank external expert, Sara Alamin, as well as several experts from the technical
community and industry, for their contributions to the report. These include: Amy Alvarez, AT&T; Stewart
Bamford, Principle Architect, Lumen Technologies, Inc.; Einar Bohlin; Chris Boyer, AT&T; Randy Bush,
Research Fellow, Internet Initiative Japan, Member of Technical Staff, Arrcus Inc.; Kathryn Condello,
Senior Director National Security, Lumen Technologies, Inc.; David Conrad, ICANN; Alberto Dainotti,
Georgia Tech; Alain Durand, ICANN; Patrik Fältström, Netnod; Laurent Ferrali, ICANN; Marco
Hogewoning; Geoff Huston, APNIC; Anne- Rachel Inne; Olaf Kolkman, Internet Society; Alexander
Lyamin, Qrator Labs; Doug Madory, Director of Internet Analysis, Kentik; Jason Olson, AT&T; Elena
Plexida, ICANN; Andrei Robachevsky, Internet Society; Nicola Rustignoli, ETH Zürich; Chelsea J.
Smethurst, Microsoft; Job Snijders, Principal Engineer at Fastly and OpenBSD developer; Mark
Svancarek, Microsoft; Cecilia Testart, Georgia Tech; Martin Thygesen, Cisco Systems Inc.; and Andree
Toonk, MySocket.io.
Additionally, we thank the Swedish Post and Telecom Authority (PTS) and the Finnish Transport and
Communications Agency Traficom National Cyber Security Centre (Traficom) for providing input on
specific routing policy initiatives.

Leave a Reply

Your email address will not be published. Required fields are marked *