The U.S. Federal Communications Commission (FCC) launched a review of internet routing security, aiming to suss out what vulnerabilities exist in the Border Gateway Protocol (BGP) used by operators around the world to direct traffic and how these might be fixed. The agency indicated its move comes in response to fears the Russian government might exploit such openings in attacks against the U.S. given its recent aggression against Ukraine. But experts told Fierce the agency has a monumental task ahead of it.
In a Notice of Inquiry (NoI), the FCC sought public input on a range of questions related to internet routing security. Among other things, it asked how widely internet service providers have BGP routers deployed in their networks and whether cloud operators use them as well; what threats to internet routing exist besides hijacking; whether the industry has a system for tracking BGP routing security incidents; how effective resource public key infrastructure (RPKI) is at preventing BGP hijacking; and what other security measures might help prevent or mitigate attacks.
The FCC said the NoI is part of an effort to reinforce the security of critical communications infrastructure, particularly “in light of Russia’s escalating actions inside of Ukraine.” In interviews with Fierce, experts explained why the FCC is focused on shoring up BGP.
Lay of the land
BGP is a foundational element of the internet and is responsible for routing essentially all of the world’s traffic. Angelique Medina, head of Internet Intelligence at Cisco’s ThousandEyes, told Fierce all providers who want to send traffic over the internet use BGP, including internet service providers, cloud companies, application providers and content delivery networks.
“The internet is made up of thousands of independent networks and BGP is the communication protocol that allows these networks to talk to each other, navigating traffic through the correct networks and to the final destination,” she explained.
Aftab Siddiqui, Senior Manager of Internet Technology - Asia-Pacific at the Internet Society, added there are approximately 73,000 networks across the internet, each of which has a unique Autonomous System Number identifier. All of these use BGP to exchange information, he said. The Internet Society notably supports the Mutually Agreed Norms for Routing Security (MANRS) initiative, which aims to improve the security of routing infrastructure.
While BGP itself isn’t inherently insecure, Medina said it is based on the premise of trust “and as such can be used for attacks where incorrect route information is advertised, either accidentally or in order to intercept or disrupt traffic.” As noted in the FCC NoI, hijacking or redirecting traffic is one type of attack, but Medina also pointed to blackholing as another. Blackholing is when traffic is misdirected to prevent it from reaching its destination entirely.
Keyur Patel is founder and CTO of networking company Arrcus and previously spent more than a decade as a Distinguished Engineer at Cisco working on inter-domain routing. He told Fierce BGP is also vulnerable to man-in-the-middle attacks, where an attacker inserts themselves in between two end points. He cited one famous incident involving traffic which should have followed a Mexico City-Austin-New York-Virginia path but was instead detoured after Austin to San Francisco-London-Ukraine-Moscow before being set back on the original path from New York to Virginia.
Siddiqui summed up the scale of the issues: “Not a single day goes by without dozens of incidents affecting the routing system. Route hijacking, route leaks, IP address spoofing and other harmful activities can lead to DDoS attacks, traffic inspection, lost revenue, reputational damage and more. These incidents are global in scale, with one operator’s routing problems cascading to impact others.”
Approximately 775 instances of hijacking alone were identified in 2021, with another 830 incidents classified as routing misconfigurations known as BGP leaks, according to MANRS data.
Medina, Patel and Siddiqui all pointed to RPKI, which utilizes cryptographic signatures to validate the origin of a traffic route, as an initial step in the right direction in countering attacks. But Medina said not all operators have implemented it. Additionally, RPKI notably does not secure the route path itself. To secure against man-in-the-middle attacks which target the route, Patel said it’s necessary to cryptographically secure the path hop by hop.
Patel noted a solution called BGPsec, which makes it impossible to alter path information without notice, is the next step beyond RPKI. BGPsec has already been standardized. Thus far, Siddiqui said it has failed to be adopted due to “technical roadblocks,” but Patel said he expects vendors to begin implementing it within the next year or two.
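The two preceding paragraphs make a distinction worth seeing in code: RPKI route origin validation checks only the origin AS of an announcement, so a path-level manipulation that keeps the legitimate origin sails through. The following is an added illustration, not code from the article, the FCC, MANRS or any vendor quoted; it implements the RFC 6811 origin-validation states (valid, invalid, not-found) against a constructed set of ROAs using documentation prefixes and private ASNs, then runs a handful of constructed announcements through it. The forged-origin case shows the gap the article says BGPsec path signing (and, per the later paragraph, ASPA) is meant to close.

```python
"""Simplified RPKI route origin validation (RFC 6811 semantics).

Added example: not code from the article or from any organisation named in it.
All prefixes (RFC 5737 documentation ranges), ASNs (private range) and ROAs
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_asn may announce prefix, and any
    more-specific of it up to max_length bits long."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed ROAs, standing in for the validated cache a router would fetch.
ROAS: List[ROA] = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
]


def validate_origin(prefix: str, as_path: List[int], roas: List[ROA] = ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    The origin AS is the last ASN in the AS_PATH.  'valid' means some ROA
    covers the prefix, allows its length and names that origin; 'invalid'
    means ROAs cover the prefix but none match; 'not-found' means no ROA
    covers the prefix at all (unsigned address space).
    """
    if not as_path:
        raise ValueError("AS_PATH must contain at least the origin ASN")
    net = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_asn == origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed announcements as a validating router might receive them.
ANNOUNCEMENTS: Dict[str, Tuple[str, List[int]]] = {
    "legitimate":         ("203.0.113.0/24", [64510, 64520, 64500]),
    "origin_hijack":      ("203.0.113.0/24", [64510, 64666]),        # wrong origin AS
    "more_specific":      ("203.0.113.0/25", [64510, 64500]),        # longer than maxLength
    "forged_origin_path": ("203.0.113.0/24", [64510, 64666, 64500]), # real origin kept, path altered
    "unsigned_space":     ("192.0.2.0/24",   [64510, 64530]),        # no ROA exists
}


def evaluate_all(announcements=ANNOUNCEMENTS, roas: List[ROA] = ROAS) -> Dict[str, str]:
    """Origin-validate every constructed announcement.  Note that
    'forged_origin_path' comes back 'valid': origin validation never looks at
    the intermediate hops, which is exactly why per-hop path signing (BGPsec)
    is described as the next step beyond RPKI."""
    return {name: validate_origin(p, path, roas) for name, (p, path) in announcements.items()}


if __name__ == "__main__":
    for name, status in evaluate_all().items():
        print(f"{name:20s} -> {status}")
```

Operationally, a router applies policy to these states (commonly: drop 'invalid', accept 'valid' and 'not-found'); the sizeable 'not-found' share in the real table is the coverage gap Medina alludes to when she says not all operators have implemented RPKI.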
Siddiqui added the Internet Engineering Task Force (IETF) is developing additional protocols, called ASPA and AS-Cone, which will further help in overall BGP security while MANRS has released a set of best practices which operators can use to improve BGP security. The latter include steps to improve filtering, combat spoofing through the use of source address validation, improve incident response by ensuring contact information is up to date and enable global validation of issues by publishing route data.
Patel said as the FCC moves ahead with its inquiry, it should also explore ways to secure IP addresses for U.S. businesses. “IP addresses are going to be very precious going forward. IP addresses are going to be more like your personal identity,” he said. “Case in point, if you have a big business and you have IP addresses catering to them, how are you going to build networks that will ensure those addresses don’t get hijacked?”
However, participation will be key to any solution. Patel and Arrcus CEO Shekar Ayyar said there are likely millions of BGP routers in networks across the globe. Due to the interconnected nature of networks, Siddiqui noted all “networks have to make the same improvements to secure the Internet routing system before the entire network begins to enjoy the benefits of these security measures.”
Ayyar argued there’s one more thing providers can do to help improve security: switch to a software-based infrastructure. While this move would clearly benefit a company like Arrcus, he said it would make implementing security upgrades much easier than doing so currently is on hardware.