Cable industry puts its weight behind Internet routing security

CableLabs, NCTA – The Internet & Television Association, and several large and midsized cable operators are promoting a new framework profile for secure Internet routing that they hope to expand and enhance by engaging with other types of service providers, Internet organizations and IP networking groups.

Tied in, CableLabs has released a "Cybersecurity Framework Profile for Internet Routing" that aims to serve as the foundation for improving the security of the Internet's routing system, with an emphasis on core routing protocols such as the Border Gateway Protocol (BGP), the Resource Public Key Infrastructure (RPKI) and Internet Routing Registries (IRRs).

CableLabs described the profile as "an actionable and adaptable guide that enables Internet Service Providers (ISPs), enterprise networks, cloud service providers and organizations — large and small — to proactively identify risks and mitigate threats to enhance routing infrastructure security." The new framework aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), CableLabs added.

Organizations and operators involved in the profile development working group included CableLabs, NCTA, Armstrong Cable, Charter Communications, Cox Communications, Midco, Eastlink, Rogers Communications, Comcast, Liberty Global and Videotron.

CableLabs released the initial Routing Security Profile (RSP) – available for download here – in concert with a press event today featuring a range of organizations and government agencies.

The RSP has some ties to a National Security Strategy that the Biden administration announced last year. It was also developed in response to NIST's call to action to submit examples of "protocols" that map to the organization's Cybersecurity Framework.

'Roadmap' to improve routing security

"We heard the call from policy makers and the federal government for mature industries like ours to take the lead in developing initiatives that enhance national security… This profile will serve as a roadmap for improving cybersecurity routing systems for the communications sector," NCTA SVP and CTO Rikin Thakker said at today's event.

The initial RSP is just a "starting point," according to Mark Walker, who leads the tech policy group at CableLabs. The cable industry will endeavor to work with other groups and organizations, including M3AAWG, to gather feedback on the profile, enhance it and promote its widespread adoption.

"The profile and underlying tech controls must continue to evolve to stay ahead of the constant threat landscape and to stay ahead of the changing technical dimensions of routing," Walker said.

The broader idea is to secure the routing of Internet data across a wide range of independent and separate networks and "autonomous systems" that are used to route that traffic, CableLabs Distinguished Technologist Brian Scriber explained.

The Border Gateway Protocol has been improved along the way, "but it's imperfect," he added. Vulnerabilities surface as new routes are established due to misconfigurations or threats from inside and outside of individual organizations.

"There are real threats that exist and real actions that have been taken against [autonomous systems]," Scriber said, referencing threats such as prefix hacking, AS path manipulation and route leaking.

Managing complex systems

Scriber also acknowledged that changing these complex systems, even for the sake of enhancing security, can be daunting. The new framework should help to make network operators more comfortable and confident in making such changes, he added.

Jason Bishop, senior manager of core network design at Cox Communications, agreed about the complexity.

"It's not like implementing a patch on your computer," Bishop said. "These are very complex devices, running 30,000 lines of configuration." A code testing cycle could take about 12 weeks, he added.

Still, ahead of today's announcement, cable operators in the US and abroad have been enhancing the security of their routing infrastructure by deploying RPKI.

Midco, for example, moved ahead with full deployment of RPKI last summer, according to John Lubeck, Midco's director of core IP and transport.

Liberty Global started to roll out RPKI across its core network a couple of years ago, focusing first on peering points. More customers are starting to ask for RPKI routing protection, said Kick Fronenebroek, the company's director of cybersecurity strategy.

Charter Communications' Rob Alderfer, VP of technology policy, called RPKI a "critical tool," adding that the company has implemented it across its network.

"We're really looking to move this issue forward in the broader industry," Alderfer added. "I really think there is potential here to have this as a tool that is broadly useful."