NIST Draft Pub Offers Guidance to Improve Security and Robustness for Interdomain Traffic Exchange
By CHIPS Magazine - October 21, 2019
In recent years, malicious actors, cyber criminals and political trolls have inundated the internet with numerous routing control plane anomalies, such as Border Gateway Protocol (BGP) prefix hijacking and route leaks, which resulted in denial-of-service (DoS), unwanted data traffic detours, and performance degradation. Large-scale distributed denial-of-service (DDoS) attacks on servers using spoofed internet protocol (IP) addresses and reflection-amplification in the data plane have also been frequent, resulting in significant disruption of services, and financial and reputational damage.

In response, NIST has released a second public draft of Special Publication (SP) 800-189, Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. This draft on Resilient Interdomain Traffic Exchange (RITE) includes initial guidance on securing the interdomain routing control traffic, preventing IP address spoofing, and certain aspects of DoS/DDoS detection and mitigation.

The document provides technical guidance and recommendations for technologies that improve the security and robustness of interdomain traffic exchange. Many of the recommendations in the publication focus on BGP, the control protocol used to distribute and compute paths between the tens of thousands of autonomous networks that comprise the internet. Technologies recommended in the draft for securing the interdomain routing control traffic include Resource Public Key Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS/DDoS attacks focus on prevention of IP address spoofing using source address validation (SAV) with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF).
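The RPKI-based origin validation (BGP-OV) that the draft recommends decides, for each announced prefix and origin AS, whether a published Route Origin Authorization (ROA) covers and authorises it. The following added example is not code from the NIST publication or from CHIPS; it implements the RFC 6811 outcomes (valid, invalid, notfound) over a constructed ROA set built from documentation prefixes and ASNs, and the names `ROA`, `validate_origin` and `classify_table` are choices made here.

```python
"""RPKI-based BGP origin validation (RFC 6811 logic), as an added example.
ROAs and routes are constructed from documentation prefixes (RFC 5737/3849)
and documentation ASNs (RFC 5398); a router would load real ROAs via RTR."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # address space the holder authorises, e.g. "192.0.2.0/24"
    max_length: int  # longest (most specific) announcement allowed under this ROA
    origin_as: int   # authorised origin ASN; 0 means "no AS may originate this"


# Constructed ROA set for the example.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),   # permits /22 through /24 from AS64497
    ROA("203.0.113.0/24", 24, 0),        # AS0 ROA: prefix must never be originated
]


def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'notfound' for one announced prefix/origin pair."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the route when the route lies inside the ROA prefix
        # (same address family; route length >= ROA length is implied).
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"   # no ROA says anything about this address space
    for roa in covering:
        # A match needs the authorised origin AS and a length within maxLength.
        # AS0 never matches, so an AS0-only ROA makes every announcement invalid.
        if roa.origin_as != 0 and roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"        # covered, but no ROA authorises this origin/length


def classify_table(routes, roas=ROAS):
    """Validate a list of (prefix, origin_as) announcements, e.g. from a BGP table dump."""
    return {(p, a): validate_origin(p, a, roas) for p, a in routes}


if __name__ == "__main__":
    sample = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64500),
              ("198.51.100.0/23", 64497), ("198.51.100.0/25", 64497),
              ("203.0.113.0/24", 64498), ("2001:db8::/32", 64499)]
    for (p, a), state in classify_table(sample).items():
        print(f"{p:18} AS{a:<6} -> {state}")
```

The second sample route shows why BGP-OV matters for hijacks: the same prefix announced from an unauthorised AS comes back invalid and can be dropped or depreferenced by policy, while prefixes with no ROA at all remain notfound rather than being rejected.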

Other technologies, including some application plane methods such as remotely triggered black hole (RTBH) filtering, flow specification (Flowspec), and response rate limiting (RRL), are also recommended as part of the overall security mechanisms, NIST advised in the release.

The document aims to guide information security officers and managers of federal enterprise networks. The guidance also applies to the network services of hosting providers, such as cloud-based applications and service hosting and internet service providers (ISPs), when used to support federal IT systems. The guidance may also be helpful for enterprise and transit network operators and equipment vendors in general.

Publication details:
https://csrc.nist.gov/publications/detail/sp/800-189/draft

The public comment period ends Nov. 15, 2019. Email comments to: sp800-189@nist.gov

NIST Planning Note (10/17/2019): Upon final publication, SP 800-189 will supersede SP 800-54, Border Gateway Protocol Security.

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988