In recent years, numerous Internet routing incidents — such as Border Gateway Protocol (BGP) prefix hijacking and route leaks — have resulted in denial of service (DoS), unwanted data traffic detours, and performance degradation. Large-scale distributed denial-of-service (DDoS) attacks on servers using spoofed Internet Protocol (IP) addresses and reflection amplification in the data plane have resulted in significant disruptions of services and damages.
NIST has released the initial public draft (IPD) of Revision 1 of NIST Special Publication (SP) 800-189, Border Gateway Protocol Security and Resilience. This document provides technical guidance and recommendations to improve the security and resilience of Internet routing based on BGP. Technologies recommended in this document for securing Internet routing include Resource Public Key Infrastructure (RPKI), Route Origin Authorization (ROA), ROA-based route origin validation (ROA-ROV), and prefix filtering. Additionally, the technologies recommended for mitigating DDoS attacks focus on the prevention of IP address spoofing using source address validation (SAV) with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies are also recommended as part of the overall security mechanisms, such as remotely triggered black hole (RTBH) filtering and flow specification (Flowspec).
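As an added illustration of the ROA-based route origin validation (ROA-ROV) the draft recommends, the following validator applies the outcome rules of RFC 6811 (valid, invalid, not found, including an AS0 ROA) to constructed ROAs and route announcements. It is not code from NIST or the draft; the prefixes and AS numbers are documentation values chosen for this example.

```python
# Added example: ROA-based route origin validation as specified in RFC 6811.
# Not from NIST SP 800-189; ROAs and announcements below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorized prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the origin AS may announce
    origin_asn: int   # authorized origin AS; 0 means "nobody may originate"


def _covers(roa, announced):
    """A ROA covers an announcement when the announced prefix lies within it."""
    net = ipaddress.ip_network(roa.prefix)
    return net.version == announced.version and announced.subnet_of(net)


def validate_route(prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'notfound' for one BGP announcement.

    RFC 6811: no covering ROA -> notfound; a covering ROA whose origin AS
    matches and whose maxLength is not exceeded -> valid; otherwise invalid.
    An AS0 ROA never matches a real origin AS, so it makes covered routes invalid.
    """
    announced = ipaddress.ip_network(prefix)
    covering = [r for r in roas if _covers(r, announced)]
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.origin_asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def apply_rov_policy(announcements, roas):
    """Common operator policy: drop 'invalid', accept 'valid' and 'notfound'.

    Returns a dict mapping (prefix, origin_asn) to (state, accepted).
    """
    result = {}
    for prefix, asn in announcements:
        state = validate_route(prefix, asn, roas)
        result[(prefix, asn)] = (state, state != "invalid")
    return result


# Constructed ROAs and announcements (RFC 5737/3849 documentation values).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),   # allows /24 through /26 from AS64497
    ROA("203.0.113.0/24", 24, 0),        # AS0 ROA: no AS may originate this
    ROA("2001:db8::/32", 48, 64496),
]
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate origin -> valid
    ("192.0.2.0/24", 64500),     # different origin -> invalid (hijack pattern)
    ("192.0.2.0/25", 64496),     # exceeds maxLength -> invalid
    ("198.51.100.64/26", 64497), # within maxLength -> valid
    ("203.0.113.0/24", 64496),   # covered only by AS0 ROA -> invalid
    ("10.0.0.0/8", 64496),       # no covering ROA -> notfound
]

if __name__ == "__main__":
    for key, (state, ok) in apply_rov_policy(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS).items():
        print(key, state, "accept" if ok else "drop")
```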
While this document is intended to guide information security officers and managers of federal enterprise networks, it also applies to the network services of hosting providers (e.g., cloud-based applications and service hosting) and Internet service providers (ISPs) that support federal IT systems. This guidance may also be useful for enterprise and transit network operators and equipment vendors in general.
The public comment period ends February 25, 2025. See the publication details for a copy of the document.