FCC chief wants to secure the Border Gateway Protocol
The Internet has been susceptible to data routing errors. RPKI would remedy this, but ISPs are not obliged to do so. The head of the FCC wants to change that.
(Image: Maximumm/Shutterstock.com)
The routing tables of the Internet (Border Gateway Protocol, BGP) are susceptible to manipulation. Through "BGP hijacking", data traffic is maliciously rerouted, foisted or brought to a standstill. In addition, incorrect entries are made by mistake, resulting in disruptions. The Chairman of the US regulatory authority FCC, Jessica Rosenworcel, now wants to oblige US broadband providers to at least take precautions against erroneous incorrect routes.
Resource Public Key Infrastructure (RPKI) is used for this purpose. Only once RPKI has been rolled out can the next security measure, BGPsec, which offers better protection against deliberate BGP hijacking, take effect. Rosenworcel wants to convince her four colleagues at the FCC that the agency should require US broadband providers to secure their data routes with RPKI.
The nine largest ISPs in the country will also have to submit reports: A secret report outlining their plans to implement RPKI, as well as quarterly public progress reports that should also show whether the implementation plan is reasonable. Rosenworcel cites unspecified security warnings from US intelligence agencies, as well as the results of an FCC investigation from 2022 and a Border Gateway Protocol Security Workshop from last summer.
Delay due to the abolition of net neutrality
The problem of unsecured data routes has been known for a long time. Even when BGP was introduced in 1989, experts pointed out that traffic on the internet could easily be redirected so that attackers could see, change or simply make the data traffic disappear. Little happened for a long time. About 20 years ago, cryptographic protection of the routing system was finally designed using RPKI and BGPsec. However, implementation has been slow, even though state attackers, particularly from Russia, have repeatedly attacked the Internet infrastructure.
However, it is easy to explain why the FCC is only now taking action: shortly before the end of Donald Trump's term of office as US President, the FCC withdrew its responsibility for internet regulation. In this way, the Republican majority in the FCC at the time managed to abolish net neutrality. And after Democrat Joe Biden took office, Republicans in the US Parliament prevented the appointment of a Democratic FC Commissioner for a long time.
It was only a few weeks ago that the FCC was able to regain responsibility for regulating internet service providers and reintroduce net neutrality. This will take effect at the end of June. Accordingly, it now makes sense to tackle further aspects of internet regulation.
BGP and RPKI
The BG protocol (RFC 1105) specifies the exchange of information between routers, because of which they can identify the best route for the data packets transmitted between their networks – the Autonomous Systems (AS) –. The border routers record the best paths in routing tables. The Border Gateway Protocol suffers from the fact that it originates from a time when people still trusted each other in the network. Anyone can declare any route they want, there are no automatic controls.
In so-called prefix hijacking, an attacker passes off the prefixes of his victims as his own. For example, the attacking network can announce more specific addresses from the victim's network or claim to offer a shortcut to certain IP address blocks. Routers without RPKI simply have to believe this.
With RPKI (RFC 6840 plus over 40 other RFCs), Route Origin Authorizations (ROA ) can be used to determine which IP prefixes an autonomous system is responsible for. If it suddenly announces other IP prefixes, this triggers an alarm. This is primarily intended to prevent the frequently occurring errors when announcing routes. Perhaps the best-known example of this is the redirection of YouTube traffic to Pakistan Telecom.
BGPsec dreams of the future
Theoretically, there has also been a weapon against deliberate BGP hijacking since 2017: BGPsec (RFC 8204). It secures the routing information on its way through the network. Instead of simply checking the authenticity of the origin of a route announcement, the aim is to ensure that no manipulation occurs along the path. However, it would only help if, firstly, RPKI was rolled out and, secondly, all network operators switched to BGPsec at the same time so that unsigned information could be ignored. Such a changeover is not in sight, because this would require the replacement of many routers and the network operators would have considerable additional work to manage all the BGPsec keys required for each routing hop.
In addition, BGPsec requires that the issuers of the cryptographic certificates are trusted. However, if these bodies are under state control, there may not be much to be gained. This is because most manipulations are the result of perpetrators from corrupt countries or even state actors pursuing their own interests. They could also issue certificates that give their attacks the appearance of legitimacy.
Empfohlener redaktioneller Inhalt
Mit Ihrer Zustimmmung wird hier ein externes YouTube-Video (Google Ireland Limited) geladen.
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (Google Ireland Limited) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.
(ds)