FCC prepares secure internet routes

Internet routing tables (BGP) are susceptible to manipulation. US providers should therefore be obliged to take security measures.

This article was originally published in German and has been automatically translated.

Internet service providers in the USA are to be legally obliged to secure their border gateways cryptographically so that they are less susceptible to false or manipulated data routing. This was decided unanimously by the regulatory authority FCC (Federal Communications Commission) on Thursday. The reason is that the routing tables of the Internet (Border Gateway Protocol, BGP) are susceptible to errors and deliberate manipulation. Through "BGP hijacking", data traffic is maliciously rerouted, subverted or brought to a standstill.

"BGP has enabled network operators to grow and create the modern Internet, but it was not designed with explicit security features to ensure trust in the information exchanged," said FCC Chairwoman Jessica Rosenworcel at the time of the FCC's decision. "I want to thank the Department of Defense and the Department of Justice for making public that China Telecom used BGP to reroute U.S. Internet traffic on at least six occasions. These BGP hijackings can expose personal data and enable theft, extortion and government espionage." This disclosure certainly helped Rosenworcel gain the support of her Republican FCC colleagues. After all, the obligation to secure BGP is an initiative of the head of the FCC, who is a Democrat.

The FCC would initially like to oblige US broadband providers to secure their data routes with RPKI (Resource Public Key Infrastructure). This helps to prevent erroneous routing. Providers should submit confidential BGP security risk management plans with implementation status and plans at least once a year. Only when RPKI has been rolled out can the next security measure, BGPsec, which offers better protection against deliberate BGP hijacking, take effect.

The country's nine largest ISPs are even required to submit their reports on a quarterly basis until they have reached an acceptable level of security. In addition, they would have to make certain information public on a quarterly basis. Small operators would be exempt from regular reporting requirements, but would have to provide relevant information to the FCC upon request. The corresponding FCC regulation is now under review (Notice of Proposed Rulemaking FCC 24-62), where interested parties can submit comments.

The Border Gateway Protocol (RFC 1105) specifies how routers exchange the information that lets them identify the best route for the data packets transmitted between their networks, the Autonomous Systems (AS). The border routers record the best paths in routing tables. BGP suffers from the fact that it dates back to a time when people trusted each other in the network. Anyone can declare any route they want; there are no automatic controls.

In so-called prefix hijacking, an attacker passes off the prefixes of his victims as his own. For example, the attacking network can announce more specific addresses from the victim's network or claim to offer a shortcut to certain IP address blocks. Routers without RPKI simply have to believe this.

With RPKI (RFC 6840 plus over 40 other RFCs), Route Origin Authorizations (ROA) can be used to determine which IP prefixes an autonomous system is responsible for. If it suddenly announces other IP prefixes, this triggers an alarm. This is primarily intended to prevent the frequently occurring errors when announcing routes. Perhaps the best-known example of this is the redirection of YouTube traffic to Pakistan Telecom.

Theoretically, there has also been a weapon against deliberate BGP hijacking since 2017: BGPsec (RFC 8204). It secures the routing information on its way through the network. Instead of simply checking the authenticity of the origin of a route announcement, the aim is to ensure that no manipulation occurs along the path. However, it would only help if, firstly, RPKI was rolled out and, secondly, all network operators switched to BGPsec at the same time so that unsigned information could be ignored. Such a changeover is not in sight because this would require many routers to be replaced and the network operators would have considerable additional work to manage all the BGPsec keys required for each routing hop.

In addition, BGPsec requires that the issuers of the cryptographic certificates are trusted. However, if these bodies are under state control, there may not be much to be gained. This is because most manipulations are the result of perpetrators from corrupt countries or even state actors pursuing their own interests. They could also issue certificates that give their attacks the appearance of legitimacy.

A case from 2013 is famous; at that time, data traffic from other countries, including Germany, Iran, South Korea and the USA, was routed via Belarus 21 times – sometimes for a few minutes, but sometimes for hours. This was only noticed weeks later. In order to detect such incidents quickly, a group at the computer science department of Indiana University in Bloomington published a program called Bongo seven years ago.

Bongo is intended for local networks that receive BGP routing data from their Internet provider, such as companies and universities. The administrator can set for each autonomous system which countries are (not) allowed to appear in the routing. If the software detects an unacceptable route, it can, depending on the configuration, alert the administrator or instruct the firewall itself to block the data flow to the corresponding autonomous system.
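A per-AS country policy of the kind described above can be checked against an AS path as in this added example, which is not Bongo's code or configuration format. The AS-to-country map, the policy table and the function name `check_route` are constructed for illustration.

```python
# Constructed AS-to-country map; a real deployment would load this from
# its own registry data.
ASN_COUNTRY = {64496: "DE", 64497: "US", 64498: "BY", 64499: "NL"}

# Per destination AS: countries that must not appear on the path, and the
# reaction when one does ("alert" the administrator or "block" the flow).
POLICY = {
    64497: {"deny": {"BY"}, "action": "block"},
    64499: {"deny": {"BY"}, "action": "alert"},
}

def check_route(as_path, policy=POLICY, asn_country=ASN_COUNTRY):
    """Check one AS path (nearest neighbour first, destination AS last).

    Returns (action, offending), where action is 'accept', 'alert' or
    'block' and offending lists (asn, country) pairs that broke the policy.
    """
    rule = policy.get(as_path[-1])
    if rule is None:                 # no policy set for this destination AS
        return ("accept", [])
    offending, seen = [], set()
    for asn in as_path:
        if asn in seen:              # path prepending repeats an AS
            continue
        seen.add(asn)
        country = asn_country.get(asn)
        if country is None:
            offending.append((asn, "unknown"))
        elif country in rule["deny"]:
            offending.append((asn, country))
    if any(country != "unknown" for _, country in offending):
        return (rule["action"], offending)
    if offending:                    # only unmapped ASes: alert, never block
        return ("alert", offending)
    return ("accept", [])

if __name__ == "__main__":
    # Constructed paths: a detour, a clean path, and an unmapped AS.
    for path in ([64496, 64498, 64498, 64497], [64496, 64497],
                 [64496, 64510, 64499]):
        print(path, check_route(path))
```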

(ds)