New standards to make web traffic more secure

NIST and the Department of Homeland Security (DHS) Science and Technology Directorate have recently worked in collaboration with the internet industry to increase the cybersecurity of electronic messages and data flowing through the internet.

A new set of standards called Secure Inter-Domain Routing (SIDR) has been published by the Internet Engineering Task Force (IETF). This represents the first standardized approach for global defense against sophisticated attacks on the internet’s routing system.

The new standards will help overcome the vulnerabilities within the Border Gateway Protocol (BGP), a system that the internet's core routers use to direct traffic. BGP forms the technical glue holding the internet together, but historically, its lack of security mechanisms has made it an easy target for hacking.

The overall defensive effort will use cryptographic methods to ensure routing data travels along an authorized path between networks. There are three essential components of the IETF SIDR effort:

  1. Resource Public Key Infrastructure (RPKI) provides a way for a holder of a block of internet addresses (typically a company or cloud service provider) to stipulate which networks can announce a direct connection to their address block.
  2. BGP Origin Validation allows routers to use RPKI information to filter out unauthorized BGP route announcements, eliminating the ability of malicious parties to easily hijack routes to specific destinations.
  3. BGP Path Validation (also known as “BGPsec”) is described in the suite of draft standards (RFCs 8205 through 8210) the IETF has just published. Its innovation is to use digital signatures by each router to ensure that the entire path across the internet crosses only authorized networks. Employing this idea of “path validation” together with origin validation could deter stealthy attacks intended to reroute data without the recipient realizing it.
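
The origin-validation step in item 2, as an added example that is not taken from NIST or the IETF documents: a Python implementation of the valid / invalid / not-found decision defined in RFC 6811, run over constructed RPKI data. The `VRP` tuple, the function names and the sample prefixes and AS numbers (all from documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

class VRP(NamedTuple):
    """Validated ROA Payload: what an address holder authorized in the RPKI."""
    prefix: Network      # address block covered by the authorization
    max_length: int      # longest prefix length the holder allows to be announced
    asn: int             # AS permitted to originate the block (0 = nobody)

def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)

# Constructed sample data: documentation prefixes (RFC 5737, RFC 3849)
# and documentation AS numbers (RFC 5398). Not real routing data.
SAMPLE_VRPS = [
    vrp("192.0.2.0/24", 24, 64496),
    vrp("198.51.100.0/24", 25, 64497),   # holder allows de-aggregation to /25
    vrp("2001:db8::/32", 48, 64498),
    vrp("203.0.113.0/24", 24, 0),        # AS0: holder says nobody should originate this
]

def validate_origin(route_prefix: str, origin_asn: int, vrps=SAMPLE_VRPS) -> str:
    """Classify one BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        # A VRP covers the route only if the route lies inside the VRP prefix.
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        # A match needs the authorized origin AND a prefix no longer than max_length.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    # Covered but never matched: someone holds this space and did not authorize this.
    return "invalid" if covered else "not-found"

def accepted(announcements, vrps=SAMPLE_VRPS):
    """Drop-invalid policy: keep 'valid' and 'not-found', reject 'invalid'."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, vrps) != "invalid"]

if __name__ == "__main__":
    for p, a in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                 ("192.0.2.128/25", 64496), ("10.0.0.0/8", 64496)]:
        print(f"{p:<20} AS{a:<6} {validate_origin(p, a)}")
```

The check looks only at the originating AS, so an announcement that names the authorized origin passes even if the rest of the path is not genuine; that gap is what the path validation in item 3 addresses.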

Source: www.nist.gov