Routing Security Analysis of the top 25 US Federal Sites

Andrew Gallo
4 min read · Jul 16, 2023


Previously, I wrote about comments filed in response to the Federal Communications Commission’s (FCC’s) Notice of Inquiry In the Matter of Secure Internet Routing. In that article, I highlighted a comment filed by the Department of Defense and Department of Justice that advocated a much more activist role for the FCC:

Carefully constructed rules, issued in concert with other government actions, could far more effectively reduce the risks associated with foreign operators or bad actors exploiting BGP insecurity.

In that article, I raised concern with that comment:

Few federal networks have RPKI ROAs; few of the top-20 federal sites from analytics.usa.gov are hosted on networks covered by ROAs, even when hosted by CDNs that have ROAs for other network prefixes.

In this article, I will update that analysis and provide more detail about the method and results.

Method

I took data from analytics.usa.gov, which provides information about US federal websites:

About this Site:

These data provide a window into how people are interacting with the government online. The data come from a unified Google Analytics account for U.S. federal government agencies known as the Digital Analytics Program. This program helps government agencies understand how people find, access, and use government services online.

Not every government website is represented in these data. Currently, the Digital Analytics Program collects web traffic from around 400 executive branch government domains, across about 5,700 total websites, including every cabinet department. We continue to pursue and add more sites frequently; to add your site, email the Digital Analytics Program.

For this update, I downloaded the full data set for the past 30 days (as of July 5, 2023). I took the top 25 sites for this set, sorted by visits. I then resolved these names to addresses and used `nicinfo`, a Registry Data Access Protocol (RDAP) client, to find the organization responsible for the addresses. It was fairly easy to determine from the network handle whether the networks were administered by the federal agency itself or by a hosting provider.

Using the resolved addresses, I checked one of our routers for the validation state and origin Autonomous System.
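The router check described above is RFC 6811 route origin validation. As an added example (not from the article or any of the tools it names), the following Python reproduces that logic offline against constructed ROAs and RIB routes, using documentation prefixes and private ASNs, so the three states the article's tables report (covered and valid, covered but invalid, no covering ROA at all) can be seen side by side:

```python
# Added example: RFC 6811 route origin validation as a router computes it.
# All ROAs, routes, site names and ASNs below are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "192.0.2.0/24"
    max_length: int  # maxLength attribute of the ROA
    asn: int         # authorized origin AS


def validate_route(prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for an announced route.

    A ROA covers the route when the route prefix lies within the ROA prefix.
    The route is valid if some covering ROA names the origin AS and the
    route's prefix length does not exceed maxLength; covered by ROAs but
    matching none is invalid; no covering ROA at all is 'not-found', the
    state of most sites in the article (provider has ROAs for other prefixes).
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


# Constructed ROAs: a hosting provider (AS64496) with ROAs for only some of
# its prefixes, and one self-hosted agency network (AS64500).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
    ROA("203.0.113.0/24", 24, 64500),
]

# Constructed RIB entries keyed by site: (announced prefix, origin ASN).
SAMPLE_ROUTES = {
    "www.agency.example": ("192.0.2.0/24", 64496),         # hosted, ROA present
    "api.agency.example": ("198.51.100.0/24", 64496),      # same provider, no ROA
    "www6.agency.example": ("2001:db8:1234::/48", 64496),  # IPv6, within maxLength
    "self-hosted.agency.example": ("203.0.113.0/24", 64500),
    "misconfig.agency.example": ("203.0.113.0/25", 64500), # more specific than maxLength
}


def summarize(routes=SAMPLE_ROUTES, roas=SAMPLE_ROAS) -> dict:
    """Map each site to its validation state, as in the article's Table 2."""
    return {site: validate_route(p, asn, roas) for site, (p, asn) in routes.items()}
```

Feeding real RIB entries and a validator's exported ROA set into `summarize` reproduces the per-site classification in the tables below.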

Limitations

The sites listed in the dataset appear to be the ‘main’ sites that users visit; it isn’t clear whether they cover any back-end systems linked to these main sites. For example, the site tools.usps.com allows users to look up packages by tracking number. The back-end systems needed to track the packages may be hosted on different networks.

Mail records associated with the names in the dataset were also not checked.

Results

Table 1 summarizes the results.

[Table 1 image: A table summarizing which of the top 25 federal sites]

Of the eleven self-hosted sites, only one, nhc.noaa.gov, has a Route Origin Authorization (ROA) generated. Of the 14 hosted sites, fewer than half had ROAs generated.

Table 2 is a detailed view of the top 25 sites, by protocol.

[Table 2 image: A table detailing the status of each site, describing whether the site is hosted, whether it has an IPv6 address, and the ROA coverage.]

Of the hosted sites, nine had no covering ROA but were hosted by providers that have ROAs for other prefixes.

Table 3 is the same analysis for other “interesting” sites not in the top 25.

[Table 3 image: A table of other “interesting sites” not in the top 25]

Comments

A majority of the top 25 sites are not on networks covered by ROAs, even if they are hosted on providers that have created ROAs for other prefixes. Before considering promulgating routing security regulations, I hope the federal government improves its own routing security posture. These sites are highly visible and important sources of authoritative information. It is especially disappointing that some of these sites are hosted by providers that have ROAs for other networks. Requiring these hosting providers, which have demonstrated routing security competency, to host federal sites on prefixes covered by ROAs seems like an obvious and easy way to begin to protect these sites.

I invite the federal government to participate more actively in the community-led routing security effort. NIST has been a leader in this area for many years. In 2018, Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation was released. NTIA is also an important champion. It does appear that we’re seeing movement: the White House recently released FACT SHEET: Biden-⁠Harris Administration Publishes the National Cybersecurity Strategy Implementation Plan.

The US federal government is in a unique position with respect to internet governance. It does not only act as a regulator, in the way the FDA does with respect to medical equipment. In addition to its potential regulatory role, the federal government is a large stakeholder in internet security. It operates important and popular websites. It holds large blocks of number resources. Before considering requiring network operators to deploy specific routing security technologies, it should be doing a better job of implementing those technologies, participating in the routing security community, and leading by example.

By way of comparison, the government of the Netherlands has committed to routing security by the end of 2024. See this link (in Dutch) for details and current statistics.

The scope of the US federal network is vast, and I recognize that implementing routing security will take some time. I look forward to seeing greater involvement.
