Breaking down FCC’s proposal to strengthen BGP security
In this Help Net Security interview, Doug Madory, Director of Internet Analysis at Kentik, discusses the FCC’s proposal requiring major U.S. ISPs to implement RPKI Route Origin Validation (ROV), and addresses concerns about the impact on smaller ISPs and the global implications of U.S.-mandated changes.
The FCC’s proposal requires nine major U.S. ISPs to deploy RPKI Route Origin Validation (ROV). What are the main benefits and potential challenges of implementing RPKI on such a large scale, especially considering the varying levels of RPKI deployment among these providers?
RPKI ROV is the best mechanism we have to reduce the risk of disruption due to BGP routing mishaps.
To deploy RPKI ROV, a network must do two things. First, it must create Route Origin Authorizations (ROAs), which are records asserting the proper AS origin for each route. Second, it must configure its routers to evaluate incoming BGP announcements and reject those that don’t match published ROAs.
Both steps require a dedicated effort from the engineers at the company to establish and maintain these capabilities.
Regulatory mandates on BGP security could impose significant burdens on smaller ISPs, particularly regarding their ability to adapt to emerging security standards. How valid are these concerns, and what measures could be implemented to support smaller ISPs?
Deploying RPKI ROV requires engineering time, so the concern about the burden placed on smaller ISPs is valid. This was a concern that was raised by the joint response from the Global Cyber Alliance and the Internet Society.
The FCC’s current proposal focuses on the largest ISPs, so at present it is unclear how this requirement could extend to smaller ISPs. There is some protection afforded to smaller ISPs that make use of transit from larger ISPs that have deployed RPKI ROV.
The FCC proposal includes a metric that at least 90% of routes should be validated by ROAs. However, only five of the nine major ISPs currently meet this threshold. What are the technical and operational challenges that are preventing full RPKI adoption among the remaining ISPs?
When we look at all of the routes originated by providers like AT&T and Verizon, for example, we see that they are presently below the 90% threshold. However, these companies provide a number of services in addition to mobile service, including announcing routes that belong to other companies.
If the FCC is only concerned about the mobile service these two companies are best known for, it may be the case that 90% of those routes have ROAs.
And, of course, there are tricks these providers could play to game such a metric, like breaking up routes with ROAs into smaller routes to increase the count.
The FCC will need to provide more guidance on which routes count towards this metric.
The proposal encourages a “risk management” approach rather than treating all BGP routes equally. Can you elaborate on how focusing on traffic volume and route significance could provide a more effective framework for managing BGP security risks?
The proposal asks the providers to use risk management to determine where to focus their efforts and leaves the interpretation up to them. Some routes may host important services like DNS or authentication software that would pose higher risk if they were disrupted.
Kentik is in the unique position of having traffic statistics for each route, and so we used those metrics as a risk score in our analysis. The insight is that routes with more traffic pose a higher risk if disrupted.
This traffic-based risk model showed that some of the providers might be doing better than just counting routes might suggest. In other words, many of the routes without ROAs didn’t carry much or any traffic, posing little risk if disrupted.
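The mechanics behind the last three answers (the validate-against-ROAs step of ROV, the 90% route-count metric and the deaggregation trick that can inflate it, and the traffic-weighted alternative) in working code. This is an added editorial example, not part of the interview and not Kentik's analysis code: the ROAs, announcements, ASNs and traffic volumes below are constructed from documentation ranges, and the route set stands in for one hypothetical provider.

```python
"""RFC 6811 Route Origin Validation (ROV) and two ways to measure ROA coverage.

Constructed example: prefixes come from the RFC 5737/3849 documentation ranges
and ASNs from the RFC 5398 documentation range; nothing here is a real ROA.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorized prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the origin may announce
    asn: int          # authorized origin AS (0 means "nobody may originate this")


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_asn: int   # rightmost AS in the AS_PATH of the announcement


def rov_state(route: Route, roas) -> str:
    """Return the RFC 6811 state of a route: 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(route.prefix)
    # A ROA "covers" a route when the route's prefix is equal to or more specific
    # than the ROA prefix. Address family must match (subnet_of refuses mixes).
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "unknown"          # no ROA says anything about this prefix
    for roa in covering:
        # Valid needs BOTH the origin AS to match AND the announced length to be
        # within maxLength; a matching AS on a too-specific route is still invalid.
        # An AS 0 ROA can never validate anything (RFC 6483 section 4, RFC 7607).
        if roa.asn != 0 and roa.asn == route.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"              # covered by at least one ROA, matched by none


def route_count_coverage(routes, roas) -> float:
    """Fraction of routes that are ROV-valid (the 'count the routes' metric)."""
    return sum(rov_state(r, roas) == "valid" for r in routes) / len(routes)


def traffic_weighted_coverage(routes, roas, traffic) -> float:
    """Fraction of traffic (any unit) carried by ROV-valid routes."""
    total = sum(traffic[r] for r in routes)
    valid = sum(traffic[r] for r in routes if rov_state(r, roas) == "valid")
    return valid / total


def deaggregate(route: Route, new_len: int):
    """Split a route into all new_len-long more-specifics with the same origin."""
    net = ipaddress.ip_network(route.prefix)
    return [Route(str(s), route.origin_asn) for s in net.subnets(new_prefix=new_len)]


# Constructed ROAs and announcements for one hypothetical provider.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 25, 64497),   # maxLength 25: the /25s are also authorized
    ROA("2001:db8::/32", 48, 64496),
]
ROUTES = [
    Route("192.0.2.0/24", 64496),        # valid
    Route("198.51.100.0/24", 64497),     # valid
    Route("2001:db8:1::/48", 64496),     # valid (IPv6 more-specific within maxLength)
    Route("203.0.113.0/24", 64499),      # unknown: no ROA at all
    Route("203.0.113.128/25", 64499),    # unknown
]
# Constructed traffic volumes (Mbit/s) per route; the uncovered routes carry little.
TRAFFIC = dict(zip(ROUTES, [900, 500, 100, 0, 10]))


def gamed_routes():
    """Replace the 198.51.100.0/24 announcement by its two /25s to inflate the count."""
    return [r for r in ROUTES if r.prefix != "198.51.100.0/24"] + \
        deaggregate(Route("198.51.100.0/24", 64497), 25)


if __name__ == "__main__":
    for r in ROUTES:
        print(f"{r.prefix:20} AS{r.origin_asn}: {rov_state(r, ROAS)}")
    print("route-count coverage   :", round(route_count_coverage(ROUTES, ROAS), 3))
    print("traffic-weighted cover.:", round(traffic_weighted_coverage(ROUTES, ROAS, TRAFFIC), 3))
    print("after deaggregation    :", round(route_count_coverage(gamed_routes(), ROAS), 3))
    # Splitting 192.0.2.0/24 does NOT work: its ROA has maxLength 24, so the /25s are invalid.
    print([rov_state(r, ROAS) for r in deaggregate(Route("192.0.2.0/24", 64496), 25)])
```

Two things the numbers make concrete. The same five routes score 60% on a route count but over 99% when weighted by traffic, because the two routes without ROAs carry almost nothing. And the deaggregation trick only works where the ROA's maxLength already permits the more-specifics (or the operator publishes new ROAs for them): splitting a prefix whose ROA has maxLength equal to its own length turns every piece ROV-invalid, which is the same maxLength check a router applies when it drops a hijacker's more-specific.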
While the FCC’s proposal is U.S.-centric, BGP is a global protocol. How might these U.S.-mandated changes impact international routing and global internet stability, especially in regions where RPKI adoption is still in its early stages?
While BGP is a global protocol, the current state is that some countries have near universal RPKI ROV deployment while others have very little. If the US were to improve its posture domestically, it might have some spillover effect to providers in other countries due to the centrality of the US on the internet.
But the concern raised by GCA and ISOC, which is shared throughout the internet industry, is that codifying this requirement might make it difficult to adapt to new technologies as these things inevitably change over time.
Looking beyond RPKI, what other emerging technologies or strategies (like ASPA or Peerlock) could complement or enhance BGP security? How should ISPs balance the adoption of these various technologies?
RPKI ROV is good at defending against a certain type of routing mishap (e.g. origination leaks), but there are several other scenarios for which it can’t help. ASPA is a newer technology built on RPKI that will help limit the disruption caused by routing leaks between providers. ASPA is fairly new, so we’ll need more adoption before it begins to help.
Ultimately, ISPs will need a “belt & suspenders” approach to routing hygiene that combines RPKI ROV, ASPA, and other types of route filtering mechanisms. The good news is that over the past decade, ISPs have been doing a good job deploying these tools and routing security has improved greatly from where it was just a few years ago!