by Gyana Swain

FCC proposes BGP security measures

News
May 17, 2024 | 4 mins
Network Security, Regulation

The FCC will vote next month on whether to adopt the proposal, which would require the nine largest broadband providers to submit their plans confidentially to the agency and file public quarterly reports on their progress in securing BGP.


Jessica Rosenworcel wants ISPs to tell her how they’re securing Border Gateway Protocol (BGP), a critical system for routing internet traffic.

The chairwoman of the US Federal Communications Commission has proposed that the FCC require large broadband service providers to submit confidential reports on their plans to manage security risks associated with their use of BGP. The proposal aims to protect against bad actors who could pose a threat to national security and disrupt critical Internet infrastructure by exploiting BGP vulnerabilities, the FCC said Wednesday.

The FCC began taking a close interest in BGP security in 2022, in response to the threat posed by Russian hackers following the invasion of Ukraine. “Russian network operators have been suspected of exploiting BGP’s vulnerability for hijacking in the past,” the FCC statement said, adding, “BGP hijacks can expose Americans’ personal information, enable theft, extortion, state-level espionage, and disrupt otherwise-secure transactions.”

The US Cybersecurity and Infrastructure Security Agency (CISA) describes BGP as “the most important part of the internet you’ve probably never heard of.”

Network operators use BGP to let their network neighbors know which destinations they can reach — but there are few technical controls on whether those statements are honest. “A bad network actor may deliberately falsify BGP reachability information to redirect traffic,” the FCC statement added.

National security experts have raised concerns that, by exploiting vulnerabilities in BGP, bad actors can disrupt critical services that rely on the internet, resulting in misdirection, interception, inspection, or manipulation of data.

“It is vital that communication over the internet remains secure,” Rosenworcel said in the statement. “Although there have been efforts to help mitigate BGP’s security risks since its original design, more work needs to be done. With this proposal, we would require broadband providers to report to the FCC on their efforts to implement industry standards and best practices that address BGP security.”

New solution to an old problem

BGP is decades old. It was first described in RFC 1105 in June 1989. The current version, BGP4, was published as RFC 4271 in January 2006, although other RFCs have proposed updates and enhancements since. Exploits of BGP, too, have been around for years. The absence of security and authentication controls in early drafts makes it challenging to verify the legitimacy of route operations, leaving networks vulnerable to unauthorized route advertisements.

To address this, the FCC proposal calls for adoption of origin validation and RPKI (Resource Public Key Infrastructure), enabling cryptographic verification of route origins and associations between IP address blocks and network holders, the statement added.
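How origin validation classifies an announcement, shown as an added example that is not part of the original article or the FCC proposal: it follows the RFC 6811 procedure, checking an announced prefix and origin AS against validated ROA payloads (VRPs). The VRPs and announcements are constructed from documentation-only prefixes and AS numbers, and the function and variable names are illustrative.

```python
import ipaddress
from typing import NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

class VRP(NamedTuple):
    """Validated ROA Payload: what a verified ROA authorizes."""
    prefix: Network   # address block held by the signer
    max_length: int   # longest prefix length the holder allows
    asn: int          # AS authorized to originate the block

# Constructed sample VRPs (documentation prefixes and AS numbers only).
VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("2001:db8::/32"), 48, 64497),
]

def validate_origin(prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for v in vrps:
        # A VRP covers the route when the route lies inside its prefix.
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        # It matches when the origin AS agrees and the route is not
        # more specific than max_length. AS 0 never matches any route.
        if v.asn == origin_asn and v.asn != 0 and route.prefixlen <= v.max_length:
            return "valid"
    # Covered but unmatched: wrong origin or too-specific announcement.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS)
    for pfx, asn in [
        ("192.0.2.0/24", 64496),
        ("192.0.2.0/24", 64511),
        ("192.0.2.128/25", 64496),
        ("2001:db8:1::/48", 64497),
        ("198.51.100.0/24", 64496),
    ]:
        print(f"{pfx:<18} AS{asn}: {validate_origin(pfx, asn)}")
```

Operators that enforce origin validation typically drop "invalid" routes while still accepting "not-found" ones, since many prefixes have no ROA yet.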

Under the proposal, broadband internet access service (BIAS) providers will have to develop BGP Routing Security Risk Management Plans (BGP Plans) detailing their efforts to implement BGP security measures using RPKI.

In addition, the nine largest broadband providers will have to submit their plans confidentially to the Commission, and file public quarterly reports on their progress in securing BGP. With these reports, the FCC and its national security partners will be able to collect more up-to-date information about this critical internet routing capability.

The FCC will vote on whether to adopt the proposal at its June Open Meeting.

Although it constitutes extra work for service providers, few in the industry are likely to oppose making BGP more secure.

“BGP security is of paramount importance for national security due to its central role in facilitating communication, commerce, and critical services over the internet,” said DR Goyal, senior architect at telecommunications equipment provider Rakuten Symphony. “It is imperative for policymakers, regulators, industry stakeholders, and cybersecurity professionals to prioritize BGP security initiatives and adopt comprehensive measures to mitigate risks effectively.”