Industry: Border Gateway Protocols Issues Are International, FCC Regs Unwise
Industry counseled against FCC regulation on vulnerabilities to the security and integrity of border gateway protocols (BGP), in early comments on a February notice of inquiry from the FCC (see 2202250062). Cisco and other commenters said the issues are difficult and complex and require an international approach. The notice is part of the FCC’s cybersecurity focus as it looks at vulnerabilities posed by Russian companies (see 2203180051).
BGP is “one of the greatest success stories of network engineering,” but “the global routing system is complex and decentralized, with tens of thousands of actors making individual decisions about how to route their traffic, secure their networks, design new protocol extensions, and support the system with new measurement, monitoring, infrastructure, and services,” Cisco said: Any major changes on BGP specifications and operations “inherently must involve a large number of parties, each of whom must perceive a significant benefit before they can be induced to modify well-established operational practices.”
U.S. rules on their own won’t be enough, Cisco warned. “Route hijack and leak activity involving overseas networks would continue to impact U.S. entities, and the kinds of fraud and traffic interception resulting from exploitation of BGP vulnerabilities today would likely continue to affect U.S. users,” the company said.
The FCC “can play an important role as a convener by bringing all relevant stakeholders together to focus on the development and adoption of realistic and implementable solutions,” but it shouldn’t “prescribe static compliance-based requirements,” said USTelecom. The group called for a Communications Security, Reliability and Interoperability Council working group to “address safe routing and specifically the current state of BGP, Resource Public Key Infrastructure deployment and next steps recommendations.”
Juniper Networks said BGP is “a truly global ecosystem” and the U.S. must work with others. “Hijacking attacks can be spawned from anywhere in the world and attack connectivity of U.S. content providers or consumers,” the company said: “Overall security requires global cooperation, and regulating only one small portion of the problem, while helpful, is not ultimately a solution.”
The Internet Architecture Board (IAB) agreed FCC rules by themselves would have minimal effect. “The success of future standardization efforts intended to increase routing security, … will be highly dependent on educating BGP users about BGP operational issues and how well real-world deployment experience can be fed back into the multistakeholder standards development process, as opposed to a mandated top-down approach, which would fail to meet the diverse needs of the global community,” IAB said.
David Wheeler, Linux Foundation director-open source supply chain security, urged a federal approach on countering attacks. “Some attackers are determined and may develop techniques to counter existing countermeasures,” he said: “The Commission should not only strive to have existing best practices and technologies deployed, but also help fund future improvements.”
APCO cited public safety concerns and said it hopes to learn from the filings: “While some risks to public safety are evident, we look forward to reviewing the record to better understand the steps service providers have taken to prevent BGP hijacking that would redirect or otherwise disrupt 9-1-1 calls.”
Faculty members from the University of Connecticut Department of Computer Science and Engineering urged the FCC to focus on source address validation mechanisms “to defend against spoofing of source IP addresses, which is key to many attacks, esp. abused for Denial-of-Service.” They also urged attention to domain name security measures.
“The overall cybersecurity community continues to observe steadily increasing overall risk to exposure from malicious cyber operations,” said Joe Head, chief technology officer at security company Intrusion. “Unless adequate defenses are deployed, BGP will be ‘in play’ for operations based on current trends and observations,” he said.