Community Takeaways From FCC Routing Security Workshop
By Andrew Gallo, Principal IT Architect, The George Washington University
This blog post is submitted by Internet2 community member Andrew Gallo, Principal IT Architect at The George Washington University. Viewpoints expressed in this post are those of the author and are shared for informational purposes only.
The Federal Communications Commission (FCC) and the Cybersecurity and Infrastructure Security Agency (CISA) hosted a workshop in July to discuss the current state of internet routing security and to gather information about the progress industry is making toward a more secure infrastructure. I was fortunate to attend that workshop as a member of the research and education (R&E) community, along with Steven Wallace, who presented on the Internet2 Routing Integrity Initiative.
A number of executive branch organizations were also in attendance, including the National Institute of Standards and Technology (NIST), Office of the National Cyber Director (ONCD), Executive Office of the President (EOP), Department of Justice (DOJ), and Office of the Director of National Intelligence (ODNI). Industry and subject matter experts were invited.
Aiming for Improvement
FCC chair Jessica Rosenworcel and CISA director Jen Easterly opened the workshop. In a follow-up blog post, Rosenworcel and Easterly shared an honest assessment of the state of U.S. federal routing security posture:
Finally, we fully acknowledge that the U.S. government is lagging behind on BGP security practices, and CISA is working hard to improve this, collaborating with the Office of the National Cyber Director and the Office of Management and Budget to chart a clear path toward cleaning up BGP security practices among all federal agencies.
In her opening remarks, Easterly struck an optimistic tone by pledging improved U.S. performance in this area:
The U.S. must be an exemplar in this space and lead by example, and we remain committed to taking all positive steps to do this. In particular, we at CISA are working to catalyze industry and government action in this area to accelerate progress through planning and coordination, including through the FCC’s [Communications Security, Reliability, and Interoperability Council].
This is welcome news, especially since recent analyses on routing security and RPKI deployment have shown the U.S. federal government is far behind industry in implementing existing routing security technologies. This gap similarly persists within the R&E community.
Earlier this year, the White House released the National Cybersecurity Strategy followed by the National Cybersecurity Strategy Implementation Plan. As the U.S. moves from strategy to the implementation plan, to specific implementation projects and actions, I see several areas where federal leaders can fulfill Easterly’s vision to be a routing security exemplar – paving the way for progress within R&E, as well.
Power of Procurement
The federal government buys a lot of information, communications, and technology products and services. Requiring providers of these services, where applicable, to have routing security measures in place to protect federal services is a first step.
Previously, I looked at the top 25 most popular federal websites and found only about a quarter of the sites were hosted on networks covered by Route Origin Authorizations (ROAs) – the foundational element in Resource Public Key Infrastructure (RPKI)-based origin validation. Many of these sites were hosted by commercial content delivery networks that have ROAs for some of their networks. By adding requirements (or “comply or explain” clauses) for their sites to be hosted on networks covered by ROAs, agencies would signal their commitment to improving routing security.
Power of Grants and Funding
Beyond purchasing, the federal government provides a lot of funding through grants and other funding opportunities. Funding guidelines should include requirements for implementing routing security, where appropriate and applicable. For example, the National Science Foundation provides college and university campuses with funding for “coordinated campus-level networking and cyberinfrastructure improvements for science applications and distributed research projects” through the Campus Cyberinfrastructure (CC*) program. The grant solicitation does call out the Mutually Agreed Norms for Routing Security (MANRS): “Campuses are encouraged to consider emerging best practices in network routing security for network operators as expressed in the Mutually Agreed Norms for Routing Security.” This could be stronger – this could be a requirement. Receiving federal funding to build or improve cyberinfrastructure on a campus is an opportunity to implement current industry best practices.
The National Telecommunications and Information Administration (NTIA) and the FCC provide funding for infrastructure projects. For example, the NTIA has awarded hundreds of millions of dollars through programs such as the Broadband Equity Access and Deployment (BEAD) Program, Tribal Broadband Connectivity Program, and Enabling Middle Mile Broadband Infrastructure Program. In some cases, recipients may build new infrastructure, and interconnect with other providers. Such awards should require routing security measures to be implemented as part of the funded activity. In cases where an awardee procures services from an internet service provider, such services should be protected through appropriate routing security mechanisms.
Implement RPKI for ROV for All Federal Resources
The U.S. government holds large swaths of IPv4 space, on the order of tens of millions of IPv4 addresses. Much of this space is not eligible for new routing security technologies because it is not under an agreement with the American Registry for Internet Numbers (ARIN).
All federal number resources should have ROAs created, even (or especially) if those resources are not expected to be seen on the global network. Creating an “AS0” ROA for these networks tells operators that routing advertisements for these networks are not legitimate and should be dropped. This is similar to the FCC’s “Do Not Originate” list that allows voice operators to block calls from telephone numbers that should never originate a telephone call.
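How an AS0 ROA causes validating routers to drop a route, shown as an added example that is not part of the original post: a minimal route origin validation check following RFC 6811. The ROAs and announcements are constructed from documentation prefixes and ASNs, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ROAs: (prefix, maxLength, origin ASN). These use
# documentation prefixes (RFC 5737) and ASNs (RFC 5398), not real data.
ROAS = [
    ("192.0.2.0/24", 24, 0),         # AS0 ROA: space that should never be routed
    ("198.51.100.0/24", 24, 64500),  # ordinary ROA authorizing AS64500
]

def validate(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # An AS0 ROA (RFC 6483) never matches any origin, so it can only
        # make covered routes invalid; it can never make one valid.
        if roa_asn != 0 and roa_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def accepted(announcements, roas=ROAS):
    """Apply a 'drop invalid' policy: keep valid and not-found routes only."""
    return [a for a in announcements if validate(a[0], a[1], roas) != "invalid"]

# Constructed announcements: (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # covered only by the AS0 ROA
    ("192.0.2.128/25", 64501),   # more-specific of the AS0-covered prefix
    ("198.51.100.0/24", 64500),  # matches the ordinary ROA
    ("198.51.100.0/24", 64501),  # wrong origin for a covered prefix
    ("203.0.113.0/24", 64502),   # no covering ROA at all
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn:<6} {validate(prefix, asn)}")
```

Without the AS0 ROA, an announcement for 192.0.2.0/24 would be "not-found" and accepted by most operators; with it, every origin is "invalid".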
Tangentially related is the federal IPv6 transition. As IPv4 networks are vacated, AS0 ROAs should be created and these resources should not be sold, leased, or otherwise put back into the available pool, which would only extend the slow transition to IPv6.
Support Internet Measurement and Research
Monitoring and analyzing real-world behavior of the internet infrastructure requires both near real-time and longitudinal data collection. This data is important for gauging how various changes are impacting network operations.
Examples of such projects include UC San Diego’s Center for Applied Internet Data Analysis (CAIDA) and the University of Oregon’s RouteViews project. Efforts like these need funding to fulfill the mission of long-term data collection and storage to provide operators and researchers with data needed to analyze the performance and stability of the infrastructure.
Support for Open-Source Software
Most of the current software tools available to operators to implement current BGP security technology are open-source. There are many benefits to this model, but as we’ve learned with the Heartbleed vulnerability in OpenSSL, open-source projects can suffer from a lack of funding or involvement. It is important that software used for critical infrastructure has the resources necessary to fulfill its mission.
Continue Participating in the Multi-Stakeholder Process
Internet standards are cooperatively developed through a multi-stakeholder process, primarily through the Internet Engineering Task Force (IETF), the primary internet standards development organization. Through various working groups – whose voluntary membership includes experts from network operators, equipment and software vendors, network researchers, government participants, and other interested individuals – standards are developed that are then voluntarily adopted by the relevant segments of the internet. There is no single group in charge of the process, nor is there any enforcement mechanism for adopting or following the standards.
NIST has been a leader in helping to develop internet standards, especially in routing security. Continued participation in these groups and new ones such as MANRS is welcome.
Tread Lightly When Considering Regulations
Development of standards via the multi-stakeholder process can appear slow and messy.
There have been calls for the FCC to issue regulations concerning routing security. Even within the U.S., it’s unclear how much authority the FCC has to issue regulations concerning routing security, given that there are many non-ISP internet operators (e.g., a university using BGP to connect to the internet). Even for operators that are more traditionally under the FCC’s regulatory authority, it’s unclear if routing security is included in that authority. Moreover, the U.S. lacks jurisdiction over all of the network operators overseas.
Routing security among industry, government, and R&E is improving. RPKI adoption is increasing. New technologies, such as Autonomous System Provider Authorization (ASPA), are being tested. (In fact, Internet2 convened its first ASPA Working Group meeting in August 2023.)
The market hasn’t failed to develop or adopt routing security. Regulations are unneeded at this point. Let the multi-stakeholder process continue.