FCC takes some action against notorious BGP

How's your RPKI-based security plan coming along? Feds want to know


US broadband providers will soon have to provide proof to Uncle Sam that they are taking steps to prevent Border Gateway Protocol (BGP) hijacking and locking down internet routing in general.

The FCC has unanimously approved a notice of proposed rulemaking that will require internet service providers to prepare, and annually update, a confidential BGP security risk management plan. Presumably they have to stick to their plan.

BGP is a protocol used by the internet to establish the most efficient traffic routes between systems, by allowing those systems to advertise their presence to each other and then figuring out the best way forward. More simply put, the internet is a network of networks of yet more networks, and BGP is part of the glue that binds them together in a streamlined manner. Crucially, it wasn't designed with security in mind; these networks are trusted to do the right thing.

The problem is that rogue or bungling network administrators and providers can maliciously or accidentally use BGP to redirect traffic intended for one network to go to another, causing connections to go to the wrong machines – potentially enabling surveillance or data manipulation in the process – or nowhere. This is called BGP hijacking.

Some of the worst examples of BGP issues include a 2008 incident during which Pakistan knocked YouTube offline in an attempt to censor content. Russia also exploited BGP vulnerabilities to limit access to Twitter as it invaded Ukraine.  

Closer to home, the US Departments of Defense and Justice found China Telecom has used BGP to reroute American internet traffic at least six times, according to FCC boss Jessica Rosenworcel. 

"While BGP has allowed network operators to grow and evolve the modern internet, it was not designed with explicit security features to ensure trust in exchanged information," Rosenworcel said on Thursday.

In addition to filing confidential reports annually, for the FCC's eyes only, the nine biggest US broadband providers would also be required to file quarterly public statements. And the regulator wants to see movement being made on implementing RPKI-based security to lock down BGP issues.

Resource Public Key Infrastructure (RPKI) is a system intended to prevent route leaks and BGP hijacking. It provides cryptographically verifiable guarantees for networks to validate the IP prefixes of others — although even this system isn't foolproof and potentially can be circumvented.

"In proposing to measure RPKI deployment, we will help inform both the private and public sectors about what more needs to be done to secure our networks," Commissioner Geoffrey Starks said on Thursday, noting that the FCC's actions are part of a "multi-pronged" government approach to securing the internet.

"It is also consistent with Initiative 4.1.5 of the National Cybersecurity Strategy Implementation Plan, which tasks the Office of the National Cyber Director, along with stakeholders and government agencies, to develop a roadmap to increase adoption of secure Internet routing techniques including BGP security," Starks added.

Smaller ISPs, however, would not have to file regular BGP security plans with the FCC, though they must submit those details to the commission if asked.

Now that the FCC has adopted the notice of proposed rulemaking, companies and individuals can submit public comments on the proposal before it is cemented. ®
