Routing Operations Observational Technology: Building to Enable Education and Research
Principal Investigator: Kimberly Claffy
Funding source: OAC-2530871
Period of performance: October 1, 2025 - September 30, 2028.
Project Summary
Research and Education (R&E) networks offer specialized capacity to their member institutions that is not available through commodity (commercial) networks, enabling data-intensive collaborative research across scientific disciplines. To support seamless workflows for domain scientists, R&E networks typically prioritize R&E routes ahead of commodity Internet routes. Although optimal for scientific collaboration, this approach introduces vulnerabilities to the integrity of the underlying routing infrastructure for two related reasons.
First, prioritizing R&E paths increases the importance of ensuring correctness in all R&E router configurations. Even minor misconfigurations have resulted in significant route leaks, inadvertently transmitting sensitive U.S. scientific traffic through unintended international routes. Second, academic networks operate under constrained budgets with limited operational staffing. Consequently, many of these networks have yet to implement routing security innovations recommended as best practices for over a decade. Furthermore, as with many security measures, new routing innovations can introduce unforeseen vulnerabilities, creating additional barriers to their adoption.
To address these critical issues, we propose developing a security-focused routing observatory and operational support system designed to ensure that routing policies align with the security and integrity goals of the U.S. science ecosystem. The outcomes of our project will establish a foundational routing security auditing framework coordinated and sustained by Internet2. Our project is structured into three tasks, executed in close collaboration with Internet2 to ensure maximum effectiveness:
- Measurement and Analysis: We will adapt and integrate recently developed measurement and analysis capabilities to detect route leaks between R&E and commodity (non-R&E) networks. Such leaks, whether due to accidental misconfigurations or malicious activities, threaten the availability and integrity of critical R&E network services.
- Operational Dashboard: We will develop a user-friendly dashboard to operationalize measurement findings. This dashboard will enable a broader set of R&E community stakeholders to identify vulnerabilities, quantify gaps in infrastructure resilience, and implement security best practices effectively, reducing the risk of misconfigurations.
- Community Engagement: We will engage actively with the community to disseminate the innovations developed through this project, encourage widespread adoption, and quantitatively assess impact based on deployment metrics.
Project leads, key team members
kc claffy (CAIDA/SDSC/UCSD)
Steve Wallace (Internet2)
Matthew Luckie (CAIDA/SDSC/UCSD)
Broader Impacts
Integrating these security-focused innovations within the academic network operations community will have a transformative impact on the adoption of foundational cybersecurity best practices, which have historically seen limited deployment. Consistent with the objectives of the CICI program, our project outcomes will strengthen the ability of network operators to protect the integrity, availability, and overall performance of the U.S. scientific cyberinfrastructure.
Acknowledgment of awarding agency’s support

This material is based on research sponsored by the National Science Foundation (NSF) grant OAC-2530871. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of NSF.