
Is BGP Safe Yet? - eastdakota
https://isbgpsafeyet.com/
======
Liblor
A professor at my University mentioned that when he was a student, the
professors at that time claimed that the security of BGP is a solved problem
and nobody is going to talk about it in ~2 years. This was +20 years ago. He
has spent a lot of his research on an alternative for BGP called SCION[1], as
the adoption of BGPSec is not very straightforward and rather an ugly fix. I
think it is pretty interesting that the problems of BGP are not discussed more
widely and often.

[1] [https://www.scion-architecture.net/](https://www.scion-architecture.net/)

~~~
cachestash
I worked for a big European network vendor and ended up on a project trying to
sort out the utter mess that is legacy SS7.

SS7 networks are basically wide open, with no auth, and anyone can get an SS7
hub for cheap and start sending nefarious commands to people's handsets. They
can forward or record calls and read SMS. They can track you or they could
just be a jerk and keep rebooting your phone. Worse still, it can be used to
intercept 2FA codes over SMS, which is the approach a lot of banks are taking
for personal account security. Intelligence agencies are without a doubt using
it for intercepting and tracking.

The Telcos are lost with how to address the issues combined with cost
considerations, so most are taking the approach of hoping it stays out of the
news and waiting for it to eventually be deprecated from the network.

~~~
fulafel
I hope in the long run the telco world will adopt the internet approach of
treating the network as untrusted.

------
tptacek
It would be interesting to read more about the _problems_ with RPKI. The set
of organizations that need to implement RPKI to make it effective is pretty
small, and yet it's been a long slog to get it even to this point. It's not
like network engineers at Google, Comcast, and Verizon are unfamiliar with it.
What's going wrong?

~~~
pathseeker
RPKI doesn't sign hops in the path for a BGP update. That means to hijack a
prefix, all you need to do is to take a legitimate route and re-advertise it
with your AS as the second hop in the path.

This isn't as damaging as being able to advertise a smaller prefix because it
won't send _all_ traffic to you. It will just send from routers where your
path is shorter than the original.

To actually prevent hijacking via path shortening attacks like this, you need
a full BGPSEC implementation
[https://en.wikipedia.org/wiki/BGPsec](https://en.wikipedia.org/wiki/BGPsec)
which is a much higher barrier than RPKI because the crypto operations jump 1
or 2 orders of magnitude (signing every re-advertised route rather than just
originated routes).

So RPKI gets the cert infra in place, but it doesn't really fully solve the
problem.
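
The origin check pathseeker is describing, together with its blind spot, as an added worked example. It is not code from isbgpsafeyet.com, Cloudflare or any RPKI validator; the ROAs, prefixes (TEST-NET ranges) and AS numbers are constructed, and AS paths are written as the receiving AS sees them, neighbour first and origin last.

```python
"""RPKI route origin validation (RFC 6811 semantics) over constructed data.

Added example for this thread, not code from isbgpsafeyet.com or from any
RPKI validator. The ROAs, prefixes (TEST-NET ranges) and ASNs (documentation
and private ranges) are all constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorised prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest announcement the holder authorises
    origin_as: int    # AS allowed to originate it


# Constructed ROA set, as a validator would build it from the RIR repositories.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
]


def validate_origin(prefix: str, as_path: list, roas=ROAS) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'notfound'.

    Only the origin AS (rightmost element of AS_PATH) is checked, which is
    exactly why a hijack that keeps the legitimate origin and merely changes
    the hops before it passes.
    """
    net = ip_network(prefix)
    origin = as_path[-1]
    covering = [
        r for r in roas
        if ip_network(r.prefix).version == net.version
        and net.subnet_of(ip_network(r.prefix))
    ]
    if not covering:
        return "notfound"           # no ROA covers this prefix: unprotected
    for r in covering:
        if r.origin_as == origin and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific


def demo():
    """Five announcements as seen by AS64496 (paths exclude 64496 itself)."""
    legit = ("203.0.113.0/24", [64497, 64500])
    origin_hijack = ("203.0.113.0/24", [64666])               # attacker originates
    more_specific = ("198.51.100.0/25", [64501])              # exceeds maxLength 24
    # AS64666 re-advertises the route with itself as next hop and the real
    # origin still last: shorter for some routers, and ROV cannot tell.
    path_shortening = ("203.0.113.0/24", [64666, 64500])
    unknown = ("192.0.2.0/24", [64502])                       # no ROA at all
    return {
        "legit": validate_origin(*legit),
        "origin_hijack": validate_origin(*origin_hijack),
        "more_specific": validate_origin(*more_specific),
        "path_shortening": validate_origin(*path_shortening),
        "unknown": validate_origin(*unknown),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:16s} {state}")
```

The `path_shortening` case is the point of the comment above: the announcement is ROV-valid because AS64500 is still the origin, even though AS64666 inserted itself in front of it. Production validators (rpki-client, Routinator, GoRTR feeding a router over RTR) produce the same three-state result; what a router does with an `invalid` is local policy, and the test on the site under discussion checks whether that policy drops it.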

~~~
korethr
But, with RPKI getting the cert infra in place, would that not then make it
relatively easier to take that 2nd step, than when not even RPKI was in place?

~~~
topranks
The problem is the number of updates / changes that happen all the time in
BGP, and having each router cryptographically validate each one / sign every
update it sends.... it doesn’t scale well.

The BGPSEC theory is there, but I'm not sure if we can make a workable system.

[https://www.potaroo.net/ispcol/2011-07/bgpsec.pdf](https://www.potaroo.net/ispcol/2011-07/bgpsec.pdf)

~~~
mlyle
Current routers can't handle it, but ... it's not like routes change _that_
much that we're talking about an intolerable amount of RSA operations. We're
really talking about fewer operations per day per router than some web
frontends do in a second.

~~~
tptacek
That doesn't sound right? In 2018 there were, according to Geoff Huston, days
with 700,000 updates per day. That sounds high for handshakes/second.

~~~
mlyle
OK, OK, my bad; a single large multicore NGINX box can only do about 100k full
TLS handshakes per second with 2048 RSA. So it'd be several seconds.

On the other hand, verify is cheaper. My crappy laptop will do ~320k RSA-2048
verifications per second...

~~~
mititelu
[https://www.nginx.com/wp-content/uploads/2014/07/NGINX-
SSL-P...](https://www.nginx.com/wp-content/uploads/2014/07/NGINX-SSL-P..).

350 per core per second... you are way off at 100k/s.

If there is such a thing I'd really like to see a setup to get it running / try
it out myself as well.

Do note there are ways to cache SSL data so connections are resumed / avoid
the handshake again for the same user.

~~~
mlyle
[https://www.nginx.com/blog/testing-performance-nginx-
ingress...](https://www.nginx.com/blog/testing-performance-nginx-ingress-
controller-kubernetes/)

60k/second across 24 cores, admittedly on very fast hardware (though not using
all the cores that hardware has). Pretty much the same number on 16 cores.

In general, telling someone they're "way off" about performance and citing 6
year old benchmarks isn't a winning plan.

In any case, it's immaterial to what we're discussing. My slow laptop could
verify all the signatures for a busy day of updates in a couple seconds, and
it's clearly -possible- to put a big fraction of this horsepower in a router.

~~~
mititelu
Thanks for the reference, new benchmark looks nice.

Apologies for the 'way off', it's reachable.

And agree it's immaterial to signature checks, but since it was brought up...

Either way, there is probably something holding routers back from reaching
that, would be fun to speculate.

------
rsync
Hrm...

I have been a huge fan of Hurricane Electric (he.net) for over ten years and
have done a lot of evangelizing ... rsync.net uses he.net pops all over the
world (except for Zurich, where we use init7...).

They have been very progressive, clueful and efficient in all of our dealings
with them.

So I am surprised to see them marked unsafe. I have emailed my point of
contact there and asked for some explanation - perhaps I can update this
comment in a bit ...

~~~
bsder
A startup company that several of my friends worked at many years ago had
boxes that continuously monitored routing around the world and would flag and
delay BGP updates that caused a significant topological change. They could be
added manually immediately, or would be implemented with a delay after they
had enough data that the route was legitimate.

My ISP had one of these boxes and was quite proud of it. It worked really well
against BGP idiocy. It might not have worked against a concerted attack, but
it did stop several of the "Ooops. All the routes are belong to us." problems
that seem to be the "normal" BGP "attacks".

I am surprised that these big players don't already have something that does
something similar.
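
One way to build the hold-down box bsder describes, as an added example; it is not that product's code nor any vendor's, and the thresholds, prefixes, ASNs and timestamps are constructed.

```python
"""Hold-down for BGP updates that abruptly change a prefix's origin or path.

Added illustration of the "flag and delay significant topological changes"
approach described in the thread; it is not code from any vendor product.
The thresholds, prefixes, ASNs and timestamps are constructed. Paths are
written as the receiving AS (64496) sees them: neighbour first, origin last.
"""

HOLD_SECONDS = 600        # assumed quarantine window for a suspicious change
CONFIRM_SIGHTINGS = 3     # assumed number of consistent sightings that lift it


class RouteGuard:
    def __init__(self, hold=HOLD_SECONDS, confirm=CONFIRM_SIGHTINGS):
        self.hold = hold
        self.confirm = confirm
        self.baseline = {}      # prefix -> (origin_as, path tuple) installed now
        self.pending = {}       # prefix -> {"first": t, "seen": n, "candidate": ...}
        self.approved = set()   # prefixes an operator has pre-cleared by hand

    def approve(self, prefix):
        """Operator override: install the next change for this prefix at once."""
        self.approved.add(prefix)

    def _suspicious(self, prefix, origin, path):
        base = self.baseline.get(prefix)
        if base is None:
            return False                       # first sighting: nothing to compare
        base_origin, base_path = base
        if origin != base_origin:
            return True                        # origin change: classic hijack shape
        # Same origin but a suddenly shorter path via a different neighbour:
        # the path-shortening pattern that origin validation cannot catch.
        return len(path) < len(base_path) and path[0] != base_path[0]

    def process(self, now, prefix, path):
        """Decide 'install' or 'hold' for one update (path[-1] is the origin)."""
        origin = path[-1]
        candidate = (origin, tuple(path))
        if prefix in self.approved or not self._suspicious(prefix, origin, path):
            self.approved.discard(prefix)      # approval is one-shot
            self.baseline[prefix] = candidate
            self.pending.pop(prefix, None)
            return "install"
        p = self.pending.get(prefix)
        if p is None or p["candidate"] != candidate:
            self.pending[prefix] = {"first": now, "seen": 1, "candidate": candidate}
            return "hold"                      # new suspicious change: quarantine
        p["seen"] += 1
        if p["seen"] >= self.confirm and now - p["first"] >= self.hold:
            self.baseline[prefix] = candidate  # stable long enough: believe it
            del self.pending[prefix]
            return "install"
        return "hold"


def demo():
    """Constructed sequence: legitimate route, an origin hijack, the owner's
    re-announcement, a path-shortening attempt, then a planned origin change
    that the operator pre-approves."""
    g = RouteGuard()
    prefix = "203.0.113.0/24"
    d = []
    d.append(g.process(0,   prefix, [64497, 64498, 64500]))  # baseline
    d.append(g.process(100, prefix, [64666]))                # new origin: hold
    d.append(g.process(400, prefix, [64666]))                # 2nd sighting: hold
    d.append(g.process(500, prefix, [64497, 64498, 64500]))  # owner re-announces
    d.append(g.process(600, prefix, [64666, 64500]))         # shorter, new neighbour
    g.approve(prefix)                                        # planned migration
    d.append(g.process(700, prefix, [64498, 64510]))         # operator-cleared
    return d


if __name__ == "__main__":
    print(demo())   # ['install', 'hold', 'hold', 'install', 'hold', 'install']
```

The held decisions show the trade-off topranks raises further down the thread: a quarantined update is a potential blackhole for that prefix until the window elapses or someone approves it, so the `approve` hook matters as much as the detector, and the heuristic is tuned for fat-finger leaks rather than a patient attacker who can wait out the window.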

~~~
aspenmayer
Of course they do have such equipment, which makes you wonder how
sophisticated the attacks are and how flimsy the security is. It’s obvious
that this equipment exists. How else would the equipment in the same or likely
next room over [0] know the state of packets that need further routing
adjustments?

Maybe the relevant parties didn’t get the message because the call was coming
from inside the building. [1]

[0]
[https://en.wikipedia.org/wiki/Room_641A](https://en.wikipedia.org/wiki/Room_641A)

[1]
[https://tvtropes.org/pmwiki/pmwiki.php/Main/TheCallsAreComin...](https://tvtropes.org/pmwiki/pmwiki.php/Main/TheCallsAreComingFromInsideTheHouse)

~~~
topranks
I’m not so sure.

The internet community (i.e. routing guys/Nanog/ietf etc) is fairly open. I’ve
not heard much of such approaches being used. It is a very interesting
idea.... I guess you gotta weigh delaying inserting an update with
potentially blackholing a destination until you do.

~~~
aspenmayer
For a quick dragnet to get an IP in a sea of noise, it would work. In any
case, you just have someone else do it, accidentally of course. The more
accidental and wide-reaching and quickly reverted the outage is, the more
plausibly deniable it is.

I agree that this approach isn’t really suitable for much else because it’s
much too overt and likely to notify the target. Modern engagements use BGP
hijacks as a critical tool with a lot of capabilities but also extreme
visibility and publicity. So it’s not good for most jobs as other better
suited tools for those jobs already exist. [0] [1]

[0]
[https://en.wikipedia.org/wiki/Operation_Onymous](https://en.wikipedia.org/wiki/Operation_Onymous)

[1] [https://arstechnica.com/tech-policy/2015/11/fbi-the-
allegati...](https://arstechnica.com/tech-policy/2015/11/fbi-the-allegation-
that-we-paid-cmu-1m-to-hack-into-tor-is-inaccurate/)

------
notaplumber
OpenBSD just released a portable version of their privsep rpki-client(8)* this
week!

[https://www.rpki-client.org/](https://www.rpki-client.org/)

rpki-client 6.6p1 was released Apr 13, 2020: [https://www.rpki-
client.org/txt/rpki-client-6.6p1.txt](https://www.rpki-client.org/txt/rpki-
client-6.6p1.txt)

* [https://man.openbsd.org/rpki-client](https://man.openbsd.org/rpki-client)

Looks like there may be problems with the mirror sites, a generated tarball is
on the official portable github, but it may be worth waiting for an official
announcement as github can re-roll these (it's not an uploaded release asset):
[https://github.com/rpki-client/rpki-client-
portable/releases](https://github.com/rpki-client/rpki-client-
portable/releases)

~~~
job
Please check back in a few days, we are almost there.

You can also work with [https://github.com/rpki-client/rpki-client-
portable](https://github.com/rpki-client/rpki-client-portable), which currently runs
on a bunch of systems! Coming to packages in the popular formats close to you
soon!

~~~
notaplumber
Thanks for the update!

------
eastdakota
More details on the problem of BGP hijacking and how the IsBGPSafeYet.com test
was implemented: [https://blog.cloudflare.com/is-bgp-safe-yet-rpki-routing-
sec...](https://blog.cloudflare.com/is-bgp-safe-yet-rpki-routing-security-
initiative/)

~~~
eastdakota
Also Wired story: [https://www.wired.com/story/cloudflare-bgp-routing-safe-
yet/](https://www.wired.com/story/cloudflare-bgp-routing-safe-yet/)

------
shifty1
Interesting response to this by UK ISP Andrews & Arnold:
[https://www.aa.net.uk/etc/news/bgp-and-
rpki/](https://www.aa.net.uk/etc/news/bgp-and-rpki/)

~~~
topranks
I love the way they basically say they are gonna do their own assessment and
won’t roll in behind the consensus on RPKI. Like the trend-setting industry
leaders they are.

They deserve to be called out for this. It’s not hard to implement RPKI. The
only valid excuse is if your routers don’t support it.

Signing ROAs is trivially easy in the RIPE region. Why haven’t they done so
before the pandemic???

Wasting time with this response instead isn’t maybe the best use of their
time.

------
DyslexicAtheist
The most promising replacement is the SCION[1] project. See section
"Authentication and PKI"[2]. It's already used by SwissCom and another CH
based ISP. It can do path selection, geo-fencing, and traffic shaping. Really
cool DDoS mitigation[3] as well. It has been previously discussed on HN[4].

[1] [https://www.scion-architecture.net/](https://www.scion-architecture.net/)

[2] [https://www.scion-
architecture.net/pages/publications/](https://www.scion-
architecture.net/pages/publications/)

[3]
[https://news.ycombinator.com/item?id=21546214](https://news.ycombinator.com/item?id=21546214)

[4]
[https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...](https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=SCION%20project&sort=byPopularity&type=all)

~~~
bifrost
I'm not sure thats truly "promising" in any sense :)

------
jamieweb
For those who don't have their own Autonomous System, but want to play with
RPKI validation, you can join DN42 [1] and validate routes there.

Netravnen kindly provides a route export compatible with GoRTR and Routinator
[2], which has been working nicely for me.

[1] [https://dn42.us](https://dn42.us)

[2] [https://github.com/netravnen/dn42-roa-
export](https://github.com/netravnen/dn42-roa-export)

~~~
stallmanite
This is really frickin cool thanks for sharing it.

------
thoraway1010
This is actually a very very powerful idea.

The trick is to get something VPs / "Decision Makers" can use to make
decisions that's easy for them to digest especially if they are not
technically sophisticated. This meets that criteria.

They should add microsoft azure to this list.

This could absolutely become an RFP requirement / preference point for a lot
of compliance focused / not only tech focused buyers (govt / large agencies
and companies)

A huge thumbs up!

------
rodiger
Wow the diagrams are really well done here. Really well-made and presented.

~~~
imagine99
Yes, they look really great and responsive, too. I'd actually like to know how
they were done... Are they just basically coded by hand or is there a visual
tool you can use to design interactive graphical stuff like this in what I
guess is HTML5/CSS/maybe JavaScript, similar to (dare I mention the word)
Flash in the olden days? (Sorry, haven't done any web development in decades,
obviously :-)).

~~~
adamschwartz
Yup, they were coded by hand!

Here was the initial commit which added the first diagram (originally there
was only one):

[https://git.io/JfJ4K](https://git.io/JfJ4K)

~~~
job
a really cool way to explain RPKI, thanks for sharing!

------
topranks
While RPKI is great, saying BGP will be “secure” once it’s deployed is not
true.

It’ll be more secure, sure. But RPKI only addresses origin validation, not
path validation. It won’t stop me announcing your space spuriously provided it
has your AS as the origin. Path-validation a la BGPSEC would be needed to stop
that. But that’s an extremely difficult problem to solve given the amount of
churn in the global routing table. The amount of crypto validation routers
would need to do is prohibitive. And Moore’s law doesn’t help because as CPU
power goes up so do the key sizes we need to use.

Either way people should implement RPKI, or at least sign ROAs for their
space. It’s easy to do and makes a big improvement.
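
What path validation adds over origin validation, and why it costs a signature operation per hop, as an added toy example. It is not BGPsec itself and not code from any router vendor or RPKI project: HMAC with a per-AS secret stands in for BGPsec's per-router ECDSA signatures so it runs on the Python standard library, a verifier that knows every secret plays the role of the public keys, and every ASN, prefix and key is constructed.

```python
"""Toy hop-by-hop path signing in the style of BGPsec, on constructed data.

Added example for the thread's point that RPKI validates only the origin
while BGPsec must sign and verify every hop. This is NOT BGPsec (RFC 8205),
which uses per-router ECDSA P-256 keys certified in the RPKI; HMAC with a
per-AS secret stands in for the signature so the example runs on the Python
standard library alone, and a verifier that knows all the secrets plays the
role of the public keys. ASNs, prefix and keys are constructed.
"""
import hashlib
import hmac

# Constructed per-AS secrets (in BGPsec these would be key pairs).
AS_KEYS = {
    64500: b"secret-64500",   # legitimate origin
    64497: b"secret-64497",   # honest transit
    64666: b"secret-64666",   # attacker transit
    64496: b"secret-64496",   # receiving AS
}


def sign_hop(prefix, signer_as, target_as, prev_sig):
    """Signature an AS attaches when it forwards `prefix` to `target_as`.

    Each signature covers the previous one, so the chain fixes the order of
    hops and the neighbour each hop was sent to (the BGPsec "target AS").
    """
    msg = prev_sig + f"{signer_as}->{target_as}:{prefix}".encode()
    return hmac.new(AS_KEYS[signer_as], msg, hashlib.sha256).digest()


def originate(prefix, origin_as, next_as):
    return [(origin_as, next_as, sign_hop(prefix, origin_as, next_as, b""))]


def forward(prefix, chain, signer_as, next_as):
    """Append this AS's hop; it must be the AS the previous hop was sent to."""
    if chain[-1][1] != signer_as:
        raise ValueError("cannot forward a route that was not sent to us")
    return chain + [(signer_as, next_as,
                     sign_hop(prefix, signer_as, next_as, chain[-1][2]))]


def verify(prefix, chain, receiver_as):
    """Recompute every hop; a removed, inserted or re-targeted hop fails."""
    prev = b""
    for i, (signer, target, sig) in enumerate(chain):
        expected_target = chain[i + 1][0] if i + 1 < len(chain) else receiver_as
        if target != expected_target:
            return False
        if not hmac.compare_digest(sig, sign_hop(prefix, signer, target, prev)):
            return False
        prev = sig
    return True


def as_path(chain):
    """The plain AS_PATH an RPKI-only validator looks at (origin last)."""
    return [signer for signer, _, _ in reversed(chain)]


def demo():
    prefix = "203.0.113.0/24"
    # Legitimate propagation: 64500 -> 64497 -> 64666 -> 64496
    chain = originate(prefix, 64500, 64497)
    chain = forward(prefix, chain, 64497, 64666)
    chain = forward(prefix, chain, 64666, 64496)
    # AS64666 tries to shorten the path by dropping AS64497. It can sign its
    # own hop, but it cannot produce AS64500's signature naming 64666 as the
    # target, so it reuses the origin's existing signature and relabels it.
    origin_sig = chain[0][2]
    forged = [(64500, 64666, origin_sig),
              (64666, 64496, sign_hop(prefix, 64666, 64496, origin_sig))]
    return {
        "legit_verifies": verify(prefix, chain, 64496),
        "forged_verifies": verify(prefix, forged, 64496),
        "forged_as_path": as_path(forged),     # [64666, 64500]: origin intact
        "sig_checks_per_update": len(chain),   # one per hop, not one per origin
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

`forged_as_path` comes out as `[64666, 64500]`: a plain AS_PATH whose origin is still AS64500, which is exactly the spurious-but-origin-correct announcement described above and which origin validation alone accepts. `sig_checks_per_update` grows with path length and is paid on every update a router receives, plus one signing operation for every neighbour it forwards to, which is the per-update budget that makes BGPsec so much more expensive than checking a ROA once per origin.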

------
amelius
It seems to me that trust is not a global thing. If A trusts B then that does
not mean that C would also trust B. Does the protocol capture that principle?

~~~
AnotherGoodName
No it doesn't.

I remember the first time i setup a rack of servers in a cage in a datacenter
for a company i founded. We bought a block of IPs in bulk and then we bought
an interconnect from a provider within the datacenter. To get those IPs
pointing to our server we had our servers announce ownership over BGP. It's
that easy.

Usually BGP messages are filtered out by routers. Otherwise home users would
announce ownership of the Google addresses and have all those messages come to
them for example. But if you have access to an interconnect in a datacenter
you can state you own whatever IP addresses you want. There's really nothing
at all stopping it right now.

~~~
icedchai
Many upstream transit providers have route filters in place. They won't accept
any route, like they did in the 90's. Some still do, of course.

Also, normally you have your _router_ announce routes over BGP, not your
_servers_.

------
Bluecobra
I would argue that for BGP to be safe, all ~68,000 autonomous systems will
need to embrace RPKI, not just a handful of ISPs/telcos/CDNs. Akamai is
announcing ~2,300 prefixes, shouldn’t they use RPKI?

~~~
eastdakota
Yes, though it’s a bit like if every airline implemented an accurate COVID-19
health check. You’d still have local problems, but the infection would keep
from spreading worldwide. In the case of BGP, if the major transit providers
properly filter routes, hijacks do much less damage to the broad network.

~~~
dsl
How are you verifying compliance? It looks like to pass the test all I need to
do is implement filtering on my interconnects with Cloudflare (or just drop
103.21.244.0/24 entirely).

To your example, airlines could screen passengers flying out of Eastdakota
Regional Airport but nowhere else.

~~~
eastdakota
We can always change up the bad IP range announced.

But, more generally, I think the network engineers at ISPs want to implement
RPKI. It’s the managers who haven’t prioritized. Hopefully this helps escalate
it as a priority.

~~~
bifrost
Very few people want to implement RPKI, those that are doing it either are
really hot for it or are being forced to do it.

------
surround
[http://isThisYourPaperOnSingleServingSites.com/](http://isThisYourPaperOnSingleServingSites.com/)

~~~
aspenmayer
Thank you for this link.

I really appreciate this kind of meta-commentary on the recent trend of single
purpose sites. It would be easy to dismiss them, but they’re as much a part of
the web as any other content a browser can render. It’s a sign of a mature
platform when you have trends and norms while also admitting outliers and
oddities.

------
lordleft
I have no comment re: the actual campaign but I find the site wonderfully
clean.

~~~
devmunchies
going on a tangent here... I looked at the stylesheet
([https://isbgpsafeyet.com/index.css?v=24](https://isbgpsafeyet.com/index.css?v=24))
and saw things like `border-top-color: currentColor;` and other variables used
in plain CSS that I didn't even know you could do.

~~~
adamschwartz
(Designer here) YES! `currentColor` is amazingly useful and supported
everywhere
[https://caniuse.com/#feat=currentcolor](https://caniuse.com/#feat=currentcolor)

------
toomuchtodo
Love this effort. [EDIT: Removed poorly thought out idea]

~~~
ocdtrekkie
I would discourage this approach. Internet spam-generating campaigns aren't
really an effective way of creating change, and the poor employee required to
read the emails at that contact address is probably not responsible for the
decisions holding up implementation.

Which is to say: Please don't advocate for behaviors that harass line
employees at corps you don't like.

~~~
eastdakota
Agree. Mentioning them on Twitter is one thing. Harassing NOCs already
stressed during this time of unprecedented Internet usage is another.

~~~
toomuchtodo
Point taken. Please excuse the over exuberance during uncertain times.

------
xyzte
Another RPKI tool: [https://rtrlib.rpki.net/](https://rtrlib.rpki.net/) allows
you to fetch RPKI data from a cache server. Using the rtrclient, which is part
of the package, you can export ROAs to any format.

------
moondev
What is the barrier of entry for an individual or company to obtain a public
ASN and theoretically announce a nefarious route?

Would it come down to an irresponsible ISP blindly trusting the bad router?

It does seem important for not putting this burden on each ISP, just trying to
understand the scope of all this.

~~~
ShakataGaNai
Getting a public ASN is relatively trivial. If you're curious, you can read
more about it here:
[https://www.arin.net/resources/guide/request/](https://www.arin.net/resources/guide/request/)

As for what's stopping the announcement of bad routes? Mostly just the ISPs,
the big transit providers, and the IXs.

The problem isn't the small users. You, as a nefarious individual, are
unlikely to be able to cause much real damage. In datacenters where you don't
bring your own dedicated transit (expensive), you have to tell them your ASN
and IP information so it gets whitelisted.

The problem is large players. If China Telecom wants to claim Google's IPs...
well the entire world's transit providers may not acknowledge that - but
enough will to cause a real problem. More examples:
[https://en.wikipedia.org/wiki/BGP_hijacking#Public_incidents](https://en.wikipedia.org/wiki/BGP_hijacking#Public_incidents)

~~~
moondev
Thank you for the detailed reply, exactly what I was looking for and very
interesting!

------
joan_kode
I was playing around with this, and it seems the entire section "What's a BGP
hijack?" totally disappears on smaller screens. Is this intended? Seems like a
pretty important section!

------
daxfohl
Does this solution apply to private networks? I learned first hand how
dangerous it can be when I brought down our datacenter with an accidental BGP
announcement.

~~~
kitteh
You can do this. I know a few large, well-known networks which have suffered
from internal BGP hijacks within their data centers from different business
units stepping on each other. You can either try to implement via strict route
policies or try to do RPKI.

------
strbean
I remember doing an IP range scan with nmap from an EC2 instance in the early
days, and finding a bunch of exposed BGP routers. I wonder how vulnerable they
were.

~~~
bifrost
TL;DR: not very, unless they were general-purpose operating systems vs network
operating systems.

------
kmod
It's interesting to note that the Bitcoin ecosystem depends on BGP being
secure.

------
larkster
Semi-tangential, but an interesting alternative to RPKI that uses blockchain:
[https://ieeexplore.ieee.org/abstract/document/8751229](https://ieeexplore.ieee.org/abstract/document/8751229)

