Withdrawn Draft Warning Notice The attached draft document has been withdrawn, and is provided solely for historical purposes. It has been superseded by the document identified below. Withdrawal Date October 17, 2019 Original Release Date December 17, 2018 Superseding Document Status 2nd Public Draft (2PD) Series/Number NIST Special Publication 800-189 Title Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation Publication Date October 2019 DOI https://doi.org/10.6028/NIST.SP.800-189-draft2 CSRC URL https://csrc.nist.gov/publications/detail/sp/800-189/draft Additional Information 1 Draft NIST Special Publication 800-189 2 3 Secure Interdomain Traffic Exchange 4 BGP Robustness and DDoS Mitigation 5 6 Kotikalapudi Sriram 7 Doug Montgomery 8 9 10 11 12 13 This publication is available free of charge from: 14 https://doi.org/10.6028/NIST.SP.800-189-draft 15 16 17 C O M P U T E R S E C U R I T Y 18 19 20 Draft NIST Special Publication 800-189 21 22 Secure Interdomain Traffic Exchange 23 BGP Robustness and DDoS Mitigation 24 25 Kotikalapudi Sriram 26 Doug Montgomery 27 Advanced Network Technology Division 28 Information Technology Laboratory 29 30 31 32 33 34 35 36 This publication is available free of charge from: 37 https://doi.org/10.6028/NIST.SP.800-189-draft 38 39 40 December 2018 41 42 43 44 45 U.S. Department of Commerce 46 Wilbur L. Ross, Jr., Secretary 47 48 National Institute of Standards and Technology 49 Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology 50 Authority 51 This publication has been developed by NIST in accordance with its statutory responsibilities under the 52 Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law 53 (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including 54 minimum requirements for federal information systems, but such standards and guidelines shall not apply 55 to national security systems without the express approval of appropriate federal officials exercising policy 56 authority over such systems. This guideline is consistent with the requirements of the Office of Management 57 and Budget (OMB) Circular A-130. 58 Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and 59 binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these 60 guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, 61 Director of the OMB, or any other federal official. This publication may be used by nongovernmental 62 organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, 63 however, be appreciated by NIST. 64 National Institute of Standards and Technology Special Publication 800-189 65 Natl. Inst. Stand. Technol. Spec. Publ. 800-189, 70 pages (December 2018) 66 CODEN: NSPUE2 67 This publication is available free of charge from: 68 https://doi.org/10.6028/NIST.SP.800-189-draft 69 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an 70 experimental procedure or concept adequately. Such identification is not intended to imply recommendation or 71 endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best 72 available for the purpose. 73 There may be references in this publication to other publications currently under development by NIST in accordance 74 with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, 75 may be used by federal agencies even before the completion of such companion publications. Thus, until each 76 publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For 77 planning and transition purposes, federal agencies may wish to closely follow the development of these new 78 publications by NIST. 79 Organizations are encouraged to review all draft publications during public comment periods and provide feedback to 80 NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at 81 https://csrc.nist.gov/publications. 82 [1/29/2019: Comment period extended.] 83 Public comment period: December 17, 2018 through March 15, 2019 84 National Institute of Standards and Technology 85 Attn: Advanced Network Technologies Division, Information Technology Laboratory 86 100 Bureau Drive (Mail Stop 8920) Gaithersburg, MD 20899-8920 87 Email (for submission of reviewers’ comments): [email protected] 88 All comments are subject to release under the Freedom of Information Act (FOIA). NIST SP 800-189 (DRAFT) SECURE INTERDOMAIN TRAFFIC EXCHANGE: BGP ROBUSTNESS & DDOS MITIGATION 89 Reports on Computer Systems Technology 90 The Information Technology Laboratory (ITL) at the National Institute of Standards and 91 Technology (NIST) promotes the U.S. economy and public welfare by providing technical 92 leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test 93 methods, reference data, proof of concept implementations, and technical analyses to advance the 94 development and productive use of information technology. ITL’s responsibilities include the 95 development of management, administrative, technical, and physical standards and guidelines for 96 the cost-effective security and privacy of other than national security-related information in federal 97 information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and 98 outreach efforts in information system security, and its collaborative activities with industry, 99 government, and academic organizations. 100 Abstract 101 In recent years, numerous routing control plane anomalies such as Border Gateway Protocol 102 (BGP) prefix hijacking and route leaks have resulted in Denial of Service (DoS), unwanted data 103 traffic detours, and performance degradation. Large-scale Distributed Denial of Service (DDoS) 104 attacks on servers using spoofed Internet Protocol (IP) addresses and reflection-amplification in 105 the data plane have also been frequent, resulting in significant disruption of services and 106 damages. This special publication on Secure Interdomain Traffic Exchange (SITE) includes 107 initial guidance on securing the interdomain routing control traffic, preventing IP address 108 spoofing, and certain aspects of DoS/DDoS detection and mitigation. 109 Many of the recommendations in this publication focus on the Border Gateway Protocol (BGP). 110 BGP is the control protocol used to distribute and compute paths between the tens of thousands 111 of autonomous networks that comprise the Internet. Technologies recommended in this 112 document for securing the interdomain routing control traffic include Resource Public Key 113 Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. Additionally, 114 technologies recommended for mitigating DoS/DDoS attacks focus on prevention of IP address 115 spoofing using Source Address Validation (SAV) with Access Control Lists (ACLs) and unicast 116 Reverse Path Forwarding (uRPF). Other technologies (including some application plane 117 methods) such as Remotely Triggered Black Hole (RTBH) filtering, Flow Specification 118 (Flowspec), and Response Rate Limiting (RRL) are also recommended as part of the overall 119 security mechanisms. 120 Keywords 121 Routing security and robustness; Internet infrastructure security; Border Gateway Protocol 122 (BGP) security; prefix hijacks; IP address spoofing; Distributed Denial of Service (DDoS); 123 Resource Public Key Infrastructure (RPKI); BGP origin validation (BGP-OV); prefix filtering; 124 BGP path validation (BGP-PV); BGPsec; route leaks; Source Address Validation (SAV); unicast 125 Reverse Path Forwarding (uRPF); Remotely Triggered Black Hole (RTBH) filtering; Flow 126 Specification (Flowspec). 127 ii NIST SP 800-189 (DRAFT) SECURE INTERDOMAIN TRAFFIC EXCHANGE: BGP ROBUSTNESS & DDOS MITIGATION 128 Acknowledgements 129 The authors are grateful to William T. Polk, Scott Rose, Okhee Kim, Oliver Borchert, Susan 130 Symington, William C. Barker, William Haag, Allen Tan, and Jim Foti for their review and 131 comments. 132 Audience 133 This document gives technical guidance and recommendations for secure interdomain traffic 134 exchange. The primary audience include information security officers and managers of federal 135 enterprise networks. The guidance also applies to the network services of hosting providers (e.g., 136 cloud-based applications and service hosting) and Internet Service Providers (ISPs) when they 137 are used to support federal IT systems. The guidance will also be useful for enterprise and transit 138 network operators and equipment vendors in general. 139 It is expected that the guidance and applicable recommendations from this publication will be 140 incorporated in the security plans and operational processes of federal enterprise networks. 141 Likewise, it is expected that applicable recommendations will be incorporated into the service 142 agreements for federal contracts for hosted application services and Internet transit services. 143 Trademark Information 144 All registered trademarks belong to their respective organizations. iii NIST SP 800-189 (DRAFT) SECURE INTERDOMAIN TRAFFIC EXCHANGE: BGP ROBUSTNESS & DDOS MITIGATION 145 Executive Summary 146 There have
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages71 Page
-
File Size-