Dissecting the FCC’s Proposal to Improve BGP Security

https://www.kentik.com/blog/dissecting-the-fccs-proposal-to-improve-bgp-security/

-Hank

As a not-security person trying to get to grips with this, am I mis-understanding the type of attack that this is pushing to mitigate?

My current understanding:

-Bad guys announce space for Facebook / Amazon / banks / whatever

-Some traffic for high-value destinations gets diverted to Bad Guys

-Bad Guys do Bad Things

By focusing on BIAS-providers to secure *their own* routes, aren't you stopping the Bad Guys from hijacking eyeball space, rather than high-value destination space? Is there a useful attack vector where the return traffic from Facebook to my residential CPE is diverted via the Bad Guys?

My instinct is that the quick win comes from high-value targets (or their ISPs) *generating* ROA, and ensuring that the BIAS providers are *validating* (ROV) that their customer traffic is going to the "real" Facebook.

I'm struggling with how much issuing ROAs for residential broadband ranges helps with this particular problem, and why - any free clues or pointers to reading gratefully received.

Thanks,
Tim.

As a not-security person trying to get to grips with this, am I mis-understanding the type of attack that this is pushing to mitigate?
My current understanding:
-Bad guys announce space for Facebook / Amazon / banks / whatever
-Some traffic for high-value destinations gets diverted to Bad Guys
-Bad Guys do Bad Things

Well… That’s kind of the generous take on it. Perhaps a more realistic scope would be “well-intentioned-but-BGP-speaking people fat-finger their configs, misoriginating Facebook / Amazon / banks / whatever, causing temporary chaos.” If there were actually bad guys involved, RPKI isn’t really going to slow them down.

Origin Path

Intentional |

_|

RPKI lives |

Unintentional in this |
quadrant. |

By focusing on BIAS-providers to secure their own routes, aren’t you stopping the Bad Guys from hijacking eyeball space,

No, you aren’t (see above), but…

rather than high-value destination space?

…your point is, more or less, correct. For RPKI to work, the people advertising the space have to generate ROAs, and the people receiving the space have to validate them and use the output of the validation as a check on the routes they integrate into their routing tables. So, both ROAs and validation are needed on all networks that matter or care, for RPKI to help. If these networks generate ROAs and other networks validate them, then other networks protect themselves against misoriginated eyeball routes. If other networks generate ROAs and these networks validate them, these eyeballs are protected against misoriginated other (including content) routes.

Is there a useful attack vector where the return traffic from Facebook to my residential CPE is diverted via the Bad Guys?

Sure, the Bad Guy could start with a downgrade and then issue you a redirect, and then they’re fully in the middle, both directions. But, again, if there’s anyone intentionally trying to hijack routes, RPKI isn’t going to stop them anyway. It’s like a lock on a door: a reminder for well-intentioned people.

My instinct is that the quick win comes from high-value targets (or their ISPs) generating ROA, and ensuring that the BIAS providers are validating (ROV) that their customer traffic is going to the “real” Facebook.

Yes, that direction is more valuable.

I’m struggling with how much issuing ROAs for residential broadband ranges helps with this particular problem, and why.

Well… if the basic proposition is that all safety-nets are beneficial, and we’re not looking at cost or alternatives or the big picture, then sure, RPKI is worth doing everywhere. The FCC isn’t particularly known for looking at costs or alternatives or the big picture.

But this isn’t bad if you aren’t too concerned about fragility, and aren’t worried about it completely distracting people from the other three quadrants of that matrix.

-Bill