Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

SP 800-189(Draft)

Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation (2nd Draft)

Date Published: October 2019
Comments Due: November 15, 2019 (public comment period is CLOSED)
Email Questions to: sp800-189@nist.gov

Planning Note (10/17/2019): Upon final publication, SP 800-189 will supersede SP 800-54, Border Gateway Protocol Security.

Author(s)

Kotikalapudi Sriram (NIST), Douglas Montgomery (NIST)

Announcement

In recent years, numerous routing control plane anomalies such as Border Gateway Protocol (BGP), prefix hijacking, and route leaks have resulted in denial of service (DoS), unwanted data traffic detours, and performance degradation. Large-scale distributed denial of service (DDoS) attacks on servers using spoofed internet protocol (IP) addresses and reflection-amplification in the data plane have caused significant disruption of services and resulting damages.

This document provides technical guidance and recommendations for technologies that improve the security and robustness of interdomain traffic exchange. Technologies recommended in this document for securing the interdomain routing control traffic include Resource Public Key Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS and DDoS attacks include prevention of IP address spoofing using source address validation with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies such as remotely triggered black hole (RTBH) filtering, flow specification (Flowspec), and response rate limiting (RRL) are also recommended as part of the overall security mechanisms.

The document is intended to guide information security officers and managers of federal enterprise networks. The guidance also applies to the network services of hosting providers (e.g., cloud-based applications and service hosting) and internet service providers (ISPs) when they are used to support federal IT systems. The guidance may also be useful for enterprise and transit network operators and equipment vendors in general.

Comments were received from several sources on the first draft (December 2018). Those comments are incorporated in this second draft (also see the summary of comments and responses).

NOTE: A call for patent claims is included on page vi of this draft.  For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Abstract

Keywords

routing security and robustness; Internet infrastructure security; Border Gateway Protocol (BGP) security; prefix hijacks; IP address spoofing; distributed denial-of-service (DDoS); Resource Public Key Infrastructure (RPKI); BGP origin validation (BGP-OV); prefix filtering; BGP path validation (BGP-PV); BGPsec; route leaks; source address validation (SAV); unicast Reverse Path Forwarding (uRPF); remotely triggered black hole (RTBH) filtering; flow specification (Flowspec)
Control Families

None selected

Documentation

Publication:
SP 800-189 (Draft) (DOI)
Local Download

Supplemental Material:
Comments and responses for Initial Public Draft SP 800-189 (Dec. 2018) (pdf)

Related NIST Publications:
SP 800-54

Document History:
12/17/18: SP 800-189 (Draft)
10/17/19: SP 800-189 (Draft)