Border Gateway Protocol Security and Resilience | NIST Releases Public Draft of SP 800-189 Revision 1

In recent years, numerous Internet routing incidents — such as Border Gateway Protocol (BGP) prefix hijacking and route leaks — have delivered data to unintended destinations, diverted paths across the Internet through unintended networks, and caused outages in Internet service. Whether caused by misconfiguration or malicious action, such BGP security and resilience incidents can compromise communication security and privacy, enable denial of service, and/or disrupt critical infrastructure operations.

NIST has released the initial public draft (IPD) of Revision 1 of NIST Special Publication (SP) 800-189, Border Gateway Protocol Security and Resilience. This document provides technical guidance and recommendations to improve the security and resilience of Internet routing based on BGP. Technologies recommended in this document for securing Internet routing include Resource Public Key Infrastructure (RPKI), Route Origin Authorization (ROA), ROA-based route origin validation (ROA-ROV), and prefix filtering. Additionally, the technologies recommended for mitigating DDoS attacks focus on the prevention of IP address spoofing using source address validation (SAV) with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies are also recommended as part of the overall security mechanisms, such as remotely triggered black hole (RTBH) filtering and flow specification (Flowspec).
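As an added illustration (not part of NIST's announcement or of SP 800-189 itself), the following Python implements the ROA-based route origin validation (ROA-ROV) check the draft recommends, using the "covered" / "matched" semantics of RFC 6811 over a constructed ROA set. The prefixes and AS numbers are documentation and private-use values chosen for the example, not real registry data, and the accept/reject policy at the end is one common operator choice (drop only invalid routes), assumed here rather than taken from the page.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """One validated ROA payload: prefix, maxLength and authorised origin AS."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_asn: int


def make_roa(prefix: str, max_length: int, origin_asn: int) -> Roa:
    return Roa(ipaddress.ip_network(prefix, strict=True), max_length, origin_asn)


# Constructed ROA set for the example (documentation prefixes, private-use ASNs).
ROAS = [
    make_roa("192.0.2.0/24", 24, 64496),     # exact-length only: no more-specifics allowed
    make_roa("198.51.100.0/22", 24, 64497),  # permits announcements from /22 down to /24
    make_roa("2001:db8::/32", 48, 64498),    # IPv6 block, more-specifics down to /48
]


def rov_state(route_prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a BGP route (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    # Covered: ROA prefix is the same address family and contains the route prefix.
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"          # no ROA speaks about this prefix at all
    # Matched: a covering ROA names this origin AS and allows this prefix length.
    for r in covering:
        if r.origin_asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific


def accept_route(route_prefix: str, origin_asn: int, roas=ROAS) -> bool:
    """Assumed policy: reject RPKI-invalid routes, accept valid and not-found."""
    return rov_state(route_prefix, origin_asn, roas) != "invalid"


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64500), ("198.51.100.0/23", 64497),
                        ("203.0.113.0/24", 64496), ("2001:db8:1::/48", 64498)]:
        print(f"{prefix:>18} AS{asn}: {rov_state(prefix, asn)}")
```

The second and third cases show the two hijack shapes ROV catches: a more-specific announcement that exceeds the ROA's maxLength, and an announcement of the exact prefix from an unauthorised origin AS.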

While this document is intended to guide information security officers and managers of federal enterprise networks, it also applies to the network services of hosting providers (e.g., cloud-based applications and service hosting) and Internet service providers (ISPs) that support federal IT systems. This guidance may also be useful for enterprise and transit network operators and equipment vendors in general.

The public comment period ends February 25, 2025. See the publication details for a copy of the document.
