BGP (Border Gateway Protocol) is the routing protocol that holds the internet together - and it has a well-known security problem. BGP was designed for a cooperative internet where participants trusted each other. In today's environment, where route hijacking and misconfigurations can redirect massive amounts of internet traffic, that trust model creates real risks.
The FCC's BGP security proposal
The Federal Communications Commission has proposed new requirements for major internet service providers to improve the security of BGP routing. The proposal focuses on implementing RPKI (Resource Public Key Infrastructure), a cryptographic framework that allows network operators to verify that BGP route announcements are authorized by the legitimate holders of the IP address space being announced.
What is RPKI?
RPKI is a security framework that creates a chain of trust from the Regional Internet Registries (RIRs) that allocate IP address space down to individual network operators. By creating Route Origin Authorizations (ROAs) that cryptographically sign their route announcements, network operators can enable others to verify that their routes are legitimate.
BGP security best practices
Beyond RPKI, comprehensive BGP security involves several additional measures:
1. Route Filtering: Implementing strict route filters that only accept routes that are expected from each peer or transit provider. This prevents the accidental or malicious announcement of routes that don't belong to the announcing party.
2. Maximum Prefix Limits: Configuring maximum prefix limits on BGP sessions to protect against route leaks that could destabilize routing tables.
3. BGP Communities: Using BGP communities to implement traffic engineering policies and signal routing preferences to upstream providers.
4. MANRS Compliance: The Mutually Agreed Norms for Routing Security (MANRS) framework provides a set of concrete actions that network operators can take to improve routing security. MANRS compliance is increasingly seen as a baseline expectation for responsible network operation.
5. ROV (Route Origin Validation): Implementing Route Origin Validation to filter routes that fail RPKI validation.
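The origin validation in item 5 can be sketched as follows; this is an added example, not Capcon Networks' or any router vendor's code, and it follows the valid / invalid / not-found classification of RFC 6811. The ROA payloads are constructed from documentation prefixes and private-use ASNs, the function names are hypothetical, and the policy of dropping only "invalid" routes is an assumption.

```python
import ipaddress

# Constructed sample of validated ROA payloads: (prefix, maxLength, origin ASN).
# Documentation prefixes and reserved ASNs only; not real routing data.
VRPS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    (ipaddress.ip_network("198.51.100.0/24"), 25, 64501),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64502),
    (ipaddress.ip_network("203.0.113.0/24"), 24, 0),  # AS0: must not be routed
]


def validate(route_prefix, origin_asn, vrps=VRPS):
    """Classify one BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for prefix, max_length, asn in vrps:
        # A payload covers the route if the route lies inside its prefix.
        if prefix.version != route.version or not route.subnet_of(prefix):
            continue
        covered = True
        # A match also needs the same origin AS and a prefix length no longer
        # than maxLength. AS0 never matches, so it can only invalidate.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    # Covered but unmatched: wrong origin or too specific. Uncovered: no ROA.
    return "invalid" if covered else "not-found"


def accept(route_prefix, origin_asn, vrps=VRPS):
    """Assumed ROV policy: drop 'invalid', keep 'valid' and 'not-found'."""
    return validate(route_prefix, origin_asn, vrps) != "invalid"


if __name__ == "__main__":
    samples = [
        ("192.0.2.0/24", 64500),     # authorised origin
        ("192.0.2.0/24", 64511),     # wrong origin AS
        ("192.0.2.128/25", 64500),   # more specific than maxLength allows
        ("10.0.0.0/8", 64500),       # no covering ROA
    ]
    for prefix, asn in samples:
        print(prefix, f"AS{asn}", validate(prefix, asn), accept(prefix, asn))
```

The third sample shows why maxLength matters: the authorised AS still fails validation when it announces a more specific prefix than its ROA permits, which is the same check that rejects a more-specific announcement from another network.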
The business case for BGP security
Beyond regulatory compliance, improving BGP security protects network operators from the reputational and operational damage caused by route hijacking incidents. For ISPs and network operators, BGP security is increasingly a competitive differentiator and a customer expectation.
Capcon Networks implements comprehensive BGP security practices across all of our transit and peering relationships, helping to protect our customers' traffic and contributing to a more secure global routing system.