Released earlier this week, the White House’s Roadmap to Enhancing Routing Security (“the Roadmap”) is an important step by the US government toward strengthening routing security in the United States. The US has long lagged behind the rest of the world when it comes to routing security.
The Internet Society has been a strong advocate for routing security for over a decade. It has nurtured, developed, and continues to support the Mutually Agreed Norms for Routing Security initiative (MANRS), which is a voluntary, controls-based, industry-led effort to enhance routing security, now a project of the Global Cyber Alliance.
While the US industry has made impressive gains in recent years, the routing security of government networks has remained significantly behind. That’s why the Roadmap, along with the Office of the National Cyber Director’s (ONCD) efforts to tackle significant challenges facing the adoption of best practices by federal networks, is so important.
How Does Internet Routing Work?
Internet routing, the invisible backbone of the digital age, silently directs trillions of data packets every second, ensuring our global connectivity and powering modern life and the economy. We wouldn’t have an Internet if the networks didn’t know how to send packets to the right destination! That means that the security of how information is routed across the Internet is vital. Just like sending a physical package through the mail, users don’t want their Internet packets to be lost, sent an overly complicated and slow path, or sent to the wrong destination.
Governments have an important and nuanced role to play in improving the security of the routing ecosystem. We are incredibly excited that the Roadmap demonstrates a strong understanding of the importance of routing security best practices while recognizing these nuances.
The Roadmap avoids suggesting top-down mandates for the private sector, which could unintentionally undermine the evolving security of our routing system. The Roadmap also appropriately acknowledges the diversity of networks and their varying capabilities and needs in implementing routing security best practices.
The Roadmap also recognizes that US government’s federal networks still have a lot of work to do in terms of routing security. As the Roadmap notes, one of the biggest challenges facing the adoption of resource public key infrastructure (RPKI) on federal networks is a legal contract problem with the American Registry for Internet Numbers (ARIN). This was preventing federal networks from being able to register their routes cryptographically using RPKI, an important step towards improving routing security.
| August 2023 | August 2024 | |
|---|---|---|
| Valid | 87 | 215 |
| Unknown | 15,755 | 17,788 |
| Invalid | 2 | 2 |
The Office of the National Cyber Director (ONCD) led an effort with ARIN and other agencies “to resolve barriers to Federal agencies’ signing of the ARIN Registration Services Agreement (RSA) and develop a Federal RSA template addendum that can be used by Federal departments and agencies to facilitate their adoption of RPKI and other ARIN services.” This effort has already made a significant impact.
While the number of routes announced by federal networks being able to be validated using RPKI remains small, the number has doubled since August 2023 (see Figure 1). As noted in the Roadmap, around 21% of the IPv4 address space in the ARIN region is held by the US federal government. Improving the routing security of federal networks alone would have a large impact on the routing security ecosystem globally.
Additionally, the Roadmap’s recommendations regarding federal procurement and grant guidance utilize the unique strengths of the federal government as one of the largest consumers to incentivize the use and implementation of best practices. The United States government now requires strong routing security practices from its network providers, sending a clear message to the private sector to demand good routing security practices.
The Roadmap is an important step towards improving routing security in the United States. However, it is just the beginning. It is up to federal agencies to begin implementing these actions to improve routing security in the United States.
At the same time, it is critical that the US government does not misstep and take actions that lean more towards top-down mandates. As the Federal Communications Commission continues to weigh its own actions around routing security, it is vital that the Roadmap’s guidance is reflected in any future FCC action.
Secure global routing makes the Internet safer and more resilient. Learn more about the work we’re doing for better routing security.
Image © Photo by René DeAnda on Unsplash