
Is BGP safe?

December 23, 2021

In this post, you will check whether your ISP correctly uses RPKI to cryptographically validate the routes it accepts on its network. The test shows whether you are protected against BGP hijacking or not.

Why is BGP unsafe?

By default, BGP does not embed any security protocols. It is up to every autonomous system to implement filtering of “wrong routes”. Leaking routes can break parts of the Internet by making them unreachable. This is commonly the result of misconfiguration, but it is not always accidental. A practice called BGP hijacking consists of redirecting traffic to another autonomous system to steal information (via phishing or passive listening, for instance).

BGP can be made safe if all autonomous systems (AS) only announce legitimate routes. A route is defined as legitimate when the owner of the resource allows its announcement. Filters need to be built in order to make sure only legitimate routes are accepted. There are a few approaches for BGP route validation which vary in degrees of trustability and efficiency. A mature implementation is RPKI.

What is RPKI?

With 800k+ routes on the Internet, it is impossible to check them manually. Resource Public Key Infrastructure (RPKI) is a security framework that associates a route with an autonomous system. It uses cryptography to validate this information before it is passed on to the routers. You can read more about RPKI on the Cloudflare blog.

On May 14th, Job Snijders from NTT will present a free RPKI 101 webinar.

How does the test work?

To test whether your ISP is implementing BGP safely, Cloudflare announces a legitimate route but makes sure the announcement is RPKI-invalid. If you can load the website hosted on that route, the invalid route was accepted by your ISP. A leaked or hijacked route would likely be accepted too.

Test of My ISP:

Sources:

https://blog.cloudflare.com/is-bgp-safe-yet-rpki-routing-security-initiative/