In 1996 the U.S. government tapped BBN to develop a more secure version of the primary protocol used to route information around the Internet.
The effort was not in response to any particular data or network security breach. It stemmed from a realization that the Border Gateway Protocol (BGP) was becoming ever more vulnerable as the Internet grew in size and importance.
Yet seven years later, BBN's Secure BGP (S-BGP), which establishes a public-key infrastructure to stymie IP address spoofing, is still a work in progress and has yet to be implemented in Internet routers. Router memory constraints, processing overhead concerns and the downtrodden state of the telecom economy are cited as reasons why.
"The state of security in BGP is pretty minimal," says Alex Zinin, area director of the routing and sub-IP working groups in the Internet Engineering Task Force (IETF). "As it is deployed today, there is no mechanism to authenticate and identify the authorization of a specific [routing information] announcement."
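To make the gap Zinin describes concrete, here is an added illustration (not code from the article, BBN or Cisco) of what "authenticating the authorization of an announcement" means: a router checks whether the origin AS in a received announcement is permitted to originate that prefix. The authorization table is a constructed stand-in for the signed attestations a PKI-based scheme such as S-BGP would distribute; signature verification is deliberately left out of this simplified model.

```python
import ipaddress

# Constructed authorizations: (prefix, max_len, origin_as). In a real PKI-based
# scheme each entry would be a signed object traceable to the address holder.
AUTHORIZATIONS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64502),
]


def validate_origin(prefix: str, origin_as: int, authorizations=AUTHORIZATIONS) -> str:
    """Return 'valid', 'invalid' or 'unknown' for an announced prefix/origin pair.

    'unknown': no authorization covers the prefix, so the router cannot judge it
               (today's BGP puts every announcement in this state).
    'invalid': some authorization covers the prefix, but none permits this
               origin AS at this prefix length, the case a hijacked or
               mis-originated route would produce.
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for auth_prefix, max_len, auth_as in authorizations:
        auth_net = ipaddress.ip_network(auth_prefix, strict=True)
        if announced.version != auth_net.version:
            continue  # subnet_of() rejects mixed IPv4/IPv6 comparisons
        if not announced.subnet_of(auth_net):
            continue
        covered = True
        # Matching AS alone is not enough: an overly specific announcement
        # (longer than max_len) could still draw traffic away, so reject it.
        if auth_as == origin_as and announced.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def flag_announcements(announcements):
    """Detection helper: return the (prefix, origin_as) pairs judged invalid.

    `announcements` is an iterable of (prefix, origin_as) tuples, e.g. parsed
    from a route collector feed. Unknown routes are not flagged because the
    table says nothing about them.
    """
    return [(p, a) for p, a in announcements if validate_origin(p, a) == "invalid"]
```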
What's more, work on BGP security is more divided than united. Cisco and some ISPs are working on an alternative to BBN's S-BGP, called Secure Origin BGP (soBGP), which authenticates yet also lets ISPs implement routing policy.
"S-BGP is dead in the water," says Cisco Fellow Fred Baker, former chair of the IETF.
That's an assertion to which Steve Kent, BBN's chief scientist for information security, counters: "Some of the options offered in soBGP would be disastrous from a security standpoint. There are concerns that soBGP doesn't architecturally nail things down."
Security isn't the only concern with BGP. Other public and private efforts have sprung up to address BGP's perceived shortcomings in scalability and reliability as traffic on the Internet continues to double each year.
Some say it's time to move beyond the 14-year-old protocol, while others say doing so would cause drastic disruptions to the thousands of routers inside, and providing access to, the Internet.
"A whole new protocol tends to make people think significant investment and high risk," says Martin Capurro, senior director of product management at Qwest. "We'd like to see a solution that just enhances the current one."
Proposed enhancements are plentiful. For reliability, the IETF and a number of router vendors developed so-called non-stop routing/forwarding and graceful restart extensions to BGP to keep data flowing as the protocol resets.
But ISPs are highly selective when it comes to incorporating such revisions.
Packet Design, a start-up led by industry veteran Judy Estrin, learned this firsthand.
The company last year unveiled BGP Scalable Transport, a protocol for streamlining communication of BGP routing information. By reducing the number of TCP connections required between routers, the technology could improve scalability and lessen security risks and the effect of lost connections, Estrin says.
But this Packet Design technology never caught on.
"We felt that the routing vendors just did not seem to want to spend the energy on fixing BGP," Estrin says. "The service providers were in enough disarray in terms of reorganizing and consolidation, [and] they didn't feel that they could put significant pressure on the routing vendors to get the capability. We couldn't deploy it without a router."
And router vendors found no need for such a technology.
"It's not something that we, as an implementor of the protocol, ever felt necessary to avail ourselves of," says Matthew Kolon, senior solutions engineer at Juniper.
As a general-purpose protocol, BGP contains the features necessary to implement the scalability and security features appropriate between ISPs, Kolon says.
"A lot of it has to do with the implementation," he says. "[Limitations are] related not to the protocol itself but to the business and political relationships that are inherent in interdomain situations."