NIST SPECIAL PUBLICATION 1800-14
Protecting the Integrity
of Internet Routing:
Border Gateway Protocol (BGP)
Route Origin Validation
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B);
and How-To Guides (C)
William Haag
Doug Montgomery
William C. Barker
Allen Tan
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.1800-14
The first draft of this publication is available free of charge from:
https://www.nccoe.nist.gov/sites/default/files/library/sp1800/sidr-piir-nist-sp1800-14-draft.pdf
William Haag
Applied Cybersecurity Division
Information Technology Laboratory
Doug Montgomery
Advanced Network Technologies Division
Information Technology Laboratory
Allen Tan
The MITRE Corporation
McLean, VA
William C. Barker
Dakota Consulting
Silver Spring, MD
June 2019
U.S. Department of Commerce
Wilbur Ross, Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Undersecretary of Commerce for Standards and Technology
NIST SPECIAL PUBLICATION 1800-14A
Protecting the Integrity of
Internet Routing:
Border Gateway Protocol (BGP)
Route Origin Validation
Volume A:
Executive Summary
▪ It is difficult to overstate the importance of the internet to modern business and to society in
general. The internet is essential to the exchange of all manner of information, including
transactional data, marketing and advertising information, remote access to services,
entertainment, and much more.
▪ The internet is not a single network, but rather a complex grid of independent interconnected
networks. The design of the internet is based on a trust relationship between these
networks and relies on a protocol known as the Border Gateway Protocol (BGP) to route traffic
among the various networks worldwide. BGP is the protocol that internet service providers
(ISPs) and enterprises use to exchange route information between them.
▪ Unfortunately, BGP was not designed with security in mind. Traffic typically traverses multiple
networks to get from its source to its destination. Networks implicitly trust the BGP information
that they receive from each other, making BGP vulnerable to route hijacks.
▪ A route hijack attack can deny access to internet services, misdeliver traffic to malicious
endpoints, and cause routing instability. A technique known as BGP route origin validation (ROV)
is designed to protect against route hijacking.
▪ The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards
and Technology (NIST) has developed proof-of-concept demonstrations of a BGP ROV
implementation designed to improve the security of the internet’s routing infrastructure.
▪ This NIST Cybersecurity Practice Guide demonstrates how networks can protect BGP routes
from vulnerability to route hijacks by using