CableLabs, NCTA – The Internet & Television Association and a cohort of cable operators are touting a new framework for internet routing security.
It's no secret that internet routing is imperfect. At a recent CableLabs event, Distinguished Technologist Brian Scriber said growing complexity has left engineers "scared to death" to try new routing configurations for fear of breaking something on their network.
Scriber explained that the Border Gateway Protocol (BGP), a mechanism commonly used for network routing between different autonomous systems (the machines that route internet traffic), has been improved since its 1989 inception, but BGP still allows for vulnerabilities.
That's why CableLabs this week introduced its Routing Security Profile (RSP), a guide to best practices for routing protocols such as BGP. The new profile also outlines other technologies and techniques used for routing, including internet routing registries (IRRs), autonomous system path filtering and resource public key infrastructure (RPKI). And it provides a risk management life cycle to identify and mitigate threats.
CableLabs developed the document with participation from operators including Armstrong Cable, Charter Communications, Comcast, Cox Communications, Eastlink, Liberty Global, Midco, Rogers Communications and Videotron. Mark Walker, CableLabs VP of technology policy, noted the security profile isn’t a finished work, but rather “a starting point.”
The next step will be to "engage with the broader internet community" to continue advancing the document, as the profile itself and the underlying technical controls must continue to evolve to stay ahead of a constantly changing threat landscape.
CableLabs' RSP is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), after NIST’s call to action for the industry to submit examples of “profiles” mapped to the CSF.
The cable industry has been working to bolster routing security standards for years now. In March 2022, the Federal Communications Commission (FCC) launched a review of internet routing security, aiming to suss out what vulnerabilities exist in the BGP used by operators around the world to direct traffic, and how they might be fixed. Later that year, the U.S. Departments of Defense and Justice (DoD and DoJ) urged the FCC to boost internet routing security through the implementation of unified standards.
For its part, NCTA CTO Rikin Thakker said the industry group has been making “significant efforts for over a decade” to develop best secure routing practices.
Operators tout resource public key infrastructure
At the CableLabs event, several operators lauded the resource public key infrastructure protocol, a public key infrastructure framework designed to secure the internet's routing infrastructure. RPKI provides a way to connect internet number resource information (such as IP addresses) to a trust anchor, specifically in the context of the Border Gateway Protocol.
Comcast Engineering fellow Tony Tauber noted that NCTA in 2022 brought together a group of cable operators to write helpful recommendations for deploying RPKI, and the new Routing Security Profile is just “another opportunity to improve state of play and make all networks better.”
Charter’s VP of technology policy, Rob Alderfer, said the operator likewise views RPKI as “a critical tool” across its network, as it allows network operators to distinguish valid routing announcements from those that are invalid and ensure that traffic is routed as intended.
Meanwhile, mid-sized operators are benefiting from RPKI as well. John Lubeck, director of core IP and transport at Midco, said the company’s adoption of RPKI has been useful as its network has expanded, because the company doesn't have a lot of automation, engineers and developers to help with day-to-day updates that go out to its routing network.
As Midco goes through the trial and error of finding what works for its network, Lubeck said the new profile will help map out the process for rolling out new routing security policies.
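The valid/invalid distinction the operators describe above can be shown as an added example (not code from CableLabs or any operator): a minimal route origin validation check following the RFC 6811 procedure. The ROA entries, prefixes and AS numbers are constructed from documentation ranges, and the policy of keeping "not-found" routes is an assumption, not something the profile is quoted as requiring.

```python
from ipaddress import ip_network

# Constructed sample ROAs: (prefix, max_length, authorized origin ASN).
# Prefixes and ASNs come from documentation ranges, not real allocations.
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64500),
    ("203.0.113.0/24", 24, 0),  # AS0 ROA: holder states the prefix must not be routed
]


def validate_origin(prefix, origin_asn, roas):
    """Classify one BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ip_network(roa_prefix)
        # A ROA covers the route when the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match needs the same origin AS and a prefix no longer than max_length.
        # AS0 never matches any announcement.
        if roa_asn != 0 and roa_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered but unmatched is invalid; no covering ROA at all is not-found.
    return "invalid" if covered else "not-found"


def accept_routes(announcements, roas):
    """Assumed policy: drop 'invalid', keep 'valid' and 'not-found'."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, roas) != "invalid"]


# Constructed announcements: (prefix, origin ASN).
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # matches the ROA
    ("192.0.2.0/24", 64511),     # wrong origin AS
    ("192.0.2.128/25", 64500),   # more specific than max_length allows
    ("2001:db8:1::/48", 64500),  # within max_length 48
    ("203.0.113.0/24", 64500),   # covered only by an AS0 ROA
    ("198.51.100.0/24", 64500),  # no covering ROA
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        print(prefix, f"AS{asn}", validate_origin(prefix, asn, SAMPLE_ROAS))
```

The third announcement shows why max length matters: a more-specific prefix from the correct origin is still invalid, which is what stops a sub-prefix hijack from passing validation.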
Federal gov’t lags on routing security
CableLabs' profile could also help out the Biden administration’s National Security Strategy, an implementation plan for which came out in July. The administration has focused on the issue of securing the technical foundation of the internet as a primary objective in the national cybersecurity strategy.
At this week's event, Deputy Assistant for the National Cyber Director Brian Scott said there is a recognition that routing security is “a key piece.” But he added that the federal government is lagging behind in the adoption of secure routing technologies, specifically, RPKI adoption.
“We are working towards that, as any disruption of BGP can have serious implications for critical services,” said Scott, adding that the federal government will be looking toward not just RPKI but all secure routing technologies, both near term and long term as it develops the cybersecurity initiative.