Border Gateway Protocol, or BGP, is the routing protocol of the Internet. It provides a common interface between the networks administered by the world’s ISPs, enterprises, governments and other entities. Each of these entities is known in BGP parlance as an ‘autonomous system’ (AS). By exchanging routing information with each other via BGP, each AS gets a full view into the state of the network and learns the various routes available to each IP address on the Internet.
Many smaller organizations obtain IP address space directly from their ISP. For those organizations, BGP isn’t a direct concern. Those with larger, more sophisticated networks that need redundant connectivity through multiple ISPs will often get their own IP address space from a Regional Internet Registry (RIR) and announce it to the Internet via BGP.
In my experience, the average IT person’s knowledge of BGP and Internet routing generally is poor. The average IT Specialist or IT Manager knows enough to forward their organization’s outbound traffic to their ISP’s router (also known as their ‘default gateway’). Where it goes, or how the network ‘knows’ how to route their traffic seems a magical mystery – one that frequently just shows up on their network diagram as the proverbial ‘cloud’.
Yet because of this critical role in directing traffic on the Internet, BGP is essential, and its failures are felt widely. A misconfiguration in an organization’s BGP settings could end up distributing bad routing information around the globe in a matter of seconds, with potentially huge impacts on other Internet users.
BGP is a decades-old protocol. It was built, like the SMTP e-mail protocol, in an era where much of the network operated on trusting the intentions of fellow network participants. This model seems quaint and sadly naïve in hindsight. The protocol itself does not care if you happen to tell the Internet that your organization has the world’s best route to Azure (AS8075), or Amazon Web Services (AS16509) or Spectrum’s Cable Internet IP Space (AS20001). Absent additional configuration and controls, the protocol will happily tell your BGP neighbors about your fancy new routes and they’ll tell everyone else. Fortunately, most large ISPs have procedures in place to ensure their BGP customers only announce IP addresses that they have previously verified belong to them.
But what about when it’s not a large ISP? What if it’s a government actor that’s making the mistake? What if it’s not a mistake? And what if the controls break down? Back in 2008, an attempt by the Government of Pakistan to block YouTube domestically caused a ‘blackhole’ BGP route to be leaked to the greater Internet, causing an hours-long YouTube outage for most of the world. In the relatively recent past, even big names like Amazon haven’t been immune, such as the 2018 BGP route hijack of Amazon’s DNS server namespace. The higher up the ‘food chain’, the fewer controls exist to prevent misconfigured routing information from getting into the global routing pool.
While the protocol has seen attempts to add security to the system by cryptographically attesting which AS is authorized to originate a given IP prefix (RPKI), not all network participants take part in it, and the equipment upgrades required to enable it are costly. Because coverage is incomplete, a router validating against RPKI can only reject announcements that contradict a published authorization; announcements for prefixes nobody has registered still have to be accepted.
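As an added illustration (not code from the original post), here is the route origin validation check that an RPKI-aware router performs, written out in Python: each Route Origin Authorization (ROA) says which AS may announce a prefix and how specific the announcement may be, and an announcement is Valid, Invalid or NotFound relative to the set of ROAs. The ROAs and announcements below are constructed samples using documentation prefixes and ASNs, not real routing data.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the holder of `prefix` permits `asn`
    to originate it, including more-specifics down to `max_length`."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs (RFC 5737 documentation prefixes, RFC 5398
# documentation ASNs). These are illustrative, not real registry data.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
]


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Route Origin Validation (RFC 6811): 'Valid', 'Invalid' or 'NotFound'."""
    announced = ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # A ROA covers the announcement when the announced block lies inside
        # the ROA prefix; the address family must match for the comparison.
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"          # no ROA at all: the holder is not in RPKI
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"               # wrong origin AS, or prefix too specific


def accept_announcements(announcements, roas=ROAS):
    """Typical operator policy: drop Invalid, keep Valid and NotFound.
    NotFound must be kept because many address holders publish no ROAs."""
    return [(p, asn) for p, asn in announcements
            if validate(p, asn, roas) != "Invalid"]


if __name__ == "__main__":
    # Constructed announcements: legitimate, wrong origin, over-specific, unregistered.
    samples = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
               ("198.51.100.0/25", 64497), ("203.0.113.0/24", 64498)]
    for p, asn in samples:
        print(f"{p} from AS{asn}: {validate(p, asn)}")
```

The second and third samples show the two things a ROA lets a router reject: an announcement from an AS the holder never authorized, and a more-specific prefix that would otherwise win the longest-match decision.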
In today’s climate, with war in Europe and geopolitical tensions running high, cybersecurity preparedness and the defense of our critical infrastructure are top of mind. I’m honestly surprised we haven’t seen a larger-scale BGP attack. They would be quite challenging to defend against, especially if sponsored by nation-states. Maybe those with the capability are waiting to show their cards.
For those working in IT – I encourage you to learn about BGP and the essential role it plays in the Internet. After all, how can you be sure that the IP address you think you’re connecting to really is the right one and not a decoy caused by a hijacked BGP route? Something to think about…