This spring, the services big hitters like Google and Facebook seemed glitchy or inaccessible for people all over the world for over an hour. But this was not a hack, or even a glitch in an organization. It was the last accident to come from the design weaknesses of the “Border Gateway Protocol”, the universal and fundamental routing system of the Internet. Now, after years of slow progress in implementing improvements and safeguards, a coalition of Internet infrastructure partners is finally turning a corner in their fight to make BGP more secure.
Today, the group known as Mutually Agreed Standards for Routing Security is announce a task force specifically dedicated to helping “content delivery networks” and other cloud services adopt the filters and cryptographic controls needed to strengthen BGP. In some respects, the step is gradual, as MANRS has already formed working groups for network operators and so-called “Internet exchange points”, the physical physical infrastructure where Internet providers and CDNs transmit data to each other’s networks. But this process happening in the cloud represents tangible progress that has been elusive so far.
“With nearly 600 total attendees at MANRS to date, we believe the enthusiasm and hard work of CDN and cloud providers will encourage other network operators around the world to improve routing security for all of us. Says Aftab Siddiqui, MANRS project manager and senior Internet technology executive at the Internet Society.
BGP is often thought of as a GPS navigation service for the Internet, allowing infrastructure players to quickly and automatically determine routes for sending and receiving data through complex digital topography. And like your favorite GPS mapping tool, BGP has some quirks and flaws that usually don’t cause problems, but can sometimes get you in heavy traffic on bridges. This happens when entities such as Internet service providers “wrong route” send data randomly and misguided across the Internet, and often into oblivion. This is when web services seem to be down. And the risks of this BGP insecurity don’t end with service disruptions – weaknesses can also be intentionally exploited by bad actors to redirect data over the networks they control for interception. This practice is known as “BGP hijacking” and has been used by hackers all over the world, including by China, for espionage and data theft.
A handful of leading CDNs have already spoken out on implementing BGP best practices and safeguards in their own systems and promoting them to others. After the so-called road leak in April, for example, Cloudflare launched a tool called “Is BGP still secure?” to let regular Internet users know if their Internet service provider has implemented cryptographic routing controls and filters. And on Wednesday, Google released an update on its efforts with MANRS to overhaul its own BGP infrastructure and convince industry contacts to do the same.
Organizations like Google and Cloudflare are increasingly motivated to support this change for the overall health of the internet, but also because the BGP route leaks that lead to outages reflect them poorly, no matter what the source of the problem. These types of important organizations are essential in fostering the adoption of these types of voluntary and cooperative technical changes, as they have relationships with infrastructure providers around the world.
“I spent 20 years in financial services doing cybersecurity for big banks, but a little over two years ago I joined Google because you are starting to see that the company’s dependence on this infrastructure is so big, ”said Royal Hansen, vice president of engineering security for Google Cloud. “My leverage was going to be so much more at Google than it ever would be in a company.”
One of the main BGP guarantees promoted by MANRS is RPKI, or “Routing Public Key Infrastructure”, a public database of routes that have been cryptographically signed as proof of their validity. RPKI adoptees publish their suggested routes and check the database to confirm the routes of others, but the system can only eliminate route leaks and breakdowns through universal adoption. If many ISPs or other organizations are not using it, providers will still need to accept unsigned, i.e., non-validated routes.