Connecting a Dangerous World: Border Gateway Protocol (BGP) and National Concerns
Posted on December 9, 2024
This post discusses what the Border Gateway Protocol (BGP) does and some of the risks it poses. While BGP is necessary for the functioning of the Internet, it also presents several security concerns because of its decentralized, trust-based design: routers generally accept what their neighbors announce without verifying it. This raises national concerns and has drawn the attention of regulatory agencies such as the Federal Communications Commission (FCC) in the US. This post examines how governments and malicious actors can exploit BGP’s weaknesses for censorship, surveillance, and traffic control. Techniques include implementing blacklists, rerouting traffic, and partitioning networks, as seen with China’s Great Firewall. Such actions enable monitoring, filtering, or isolating traffic and raise concerns about privacy, Internet freedom, and global access.
The Internet is a network of interconnected networks. People with devices like PCs or mobile phones (hosts) connect to the Internet via Internet Service Providers (ISPs) that in turn are connected to other ISPs. Applications running on these devices communicate with other devices through a maze of interconnections that pass data from router to router within the ISP’s domain and through or to other ISPs, enterprises, campuses, etc. The resulting network of networks is quite complex, but it carries the world’s Internet traffic with the help of specific routing protocols.
Border Gateway Protocol (BGP) is one such protocol and is integral to the global Internet. Sometimes known as the “Post Office of the Internet,” it was developed in the late 1980s to let networks exchange information about how to reach other networks. Each network uses that information to choose a path for data packets toward their destination. BGP enables network administrators to manage and optimize traffic by advertising the address prefixes they originate and the ones they can reach through others. With BGP, they can prefer certain routes, influence path selection to balance traffic loads across different links, and adapt to changing network conditions.
Despite its usefulness, many nations are worried about BGP’s security vulnerabilities.
In the US, the Federal Communications Commission (FCC) is concerned that the Internet’s routing system presents security threats to the US economy, defense capabilities, public safety, and critical utilities such as energy, water, and transportation. These concerns are echoed by other countries. Malicious, or sometimes merely incompetent, actors can exploit BGP’s lack of built-in authentication through route hijacking or spoofed announcements, or simply misconfigure it. They can also reroute traffic to intercept or disrupt data flows. The FCC says that while efforts have been made to mitigate the Internet’s security risks, more work needs to be done, especially on BGP.
How Does BGP Work?
Jim Kurose does a great job explaining BGP and its importance in this video:
BGP connects the world by enabling communication and cooperation among autonomous systems (ASes), ensuring that data packets can traverse the vast, interconnected network of networks that makes up the Internet. It bridges separately operated but interconnected ASes, such as those run by campuses, companies, and national carriers. BGP works to ensure that data packets originating from one location can cross between ISPs and other wide area networks (WANs) to reach their destination anywhere else on the planet. Routers match each packet’s destination address against the prefixes in their forwarding table, and the longest (most specific) matching prefix determines where the packet is sent.
BGP’s ability to adapt to changing network conditions, manage data traffic, and make use of redundant paths is crucial for the stability and reliability of the global Internet, but it also poses several dangers. Unlike a centrally controlled software-defined network (SDN), BGP has no central authority: each router builds its routing table locally from the announcements it receives from neighboring ASes, and those calculations rest on trust relationships with those ASes, because the protocol itself does not verify that a neighbor is entitled to announce a given prefix. Ideally, this results in connections that can quickly reroute traffic through alternative paths to maintain reachability. If one route becomes unavailable because of an outage, maintenance, or policy, a BGP router can quickly select another.
BGP is designed for interdomain routing, meaning it handles routing decisions between different autonomous systems. This contrasts with intradomain (interior) routing protocols such as OSPF or Enhanced Interior Gateway Routing Protocol (EIGRP), which operate within a single AS. BGP is the protocol of choice for interdomain routing, which can mean routing between countries and between the largest Tier-1 ISPs.
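The decision process described above, as an added Python example (not code from the original post). It models a router in a hypothetical AS receiving several announcements for one prefix and applying the first steps of the standard BGP best-path algorithm: discard any path that already contains our own AS (loop detection), prefer the highest LOCAL_PREF set by the operator’s import policy, then the shortest AS_PATH, then a stable tie-break standing in for the later steps. It also shows AS-path prepending, the mechanism an origin uses to make one path look longer so that traffic enters elsewhere. The AS numbers are from the private-use range and the prefix from the RFC 5737 documentation range; all values are constructed for illustration.

```python
"""Toy BGP best-path selection (added example, not from the original post).

Each announcement carries an AS_PATH (next-hop AS first, origin AS last) and a
LOCAL_PREF assigned by the receiving operator's import policy. The decision
process implements the first steps of the standard BGP algorithm: discard
looping paths, prefer the highest LOCAL_PREF, then the shortest AS_PATH, then
the lowest next-hop AS number as a stable tie-break standing in for the later
steps (MED, IGP cost, router ID). ASNs are private-use (RFC 6996) and the
prefix is an RFC 5737 documentation range; all values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

MY_AS = 64512  # the AS whose router is making the decision (assumed)


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]  # e.g. (64501, 64510): learned from 64501, originated by 64510
    local_pref: int = 100     # BGP default when policy sets nothing


def loop_free(route: Route, my_as: int = MY_AS) -> bool:
    """BGP loop detection: reject any announcement whose AS_PATH already contains us."""
    return my_as not in route.as_path


def apply_import_policy(route: Route, neighbour_pref: Dict[int, int]) -> Route:
    """Import policy: operators typically give customer routes a high LOCAL_PREF and
    transit routes a low one. neighbour_pref maps next-hop ASN -> LOCAL_PREF."""
    pref = neighbour_pref.get(route.as_path[0], route.local_pref)
    return Route(route.prefix, route.as_path, pref)


def best_path(candidates: Iterable[Route],
              neighbour_pref: Optional[Dict[int, int]] = None) -> Optional[Route]:
    """Select one route for a prefix from the announcements received for it."""
    neighbour_pref = neighbour_pref or {}
    usable = [apply_import_policy(r, neighbour_pref) for r in candidates if loop_free(r)]
    if not usable:
        return None  # prefix is unreachable from this router
    # Higher LOCAL_PREF wins; then shorter AS_PATH; then lowest next-hop ASN.
    return min(usable, key=lambda r: (-r.local_pref, len(r.as_path), r.as_path[0]))


def prepend(route: Route, times: int) -> Route:
    """AS-path prepending as done by the origin: repeat its own ASN so this path
    looks longer and other routers prefer an alternative entry point."""
    origin = route.as_path[-1]
    return Route(route.prefix, route.as_path + (origin,) * times, route.local_pref)


# Constructed announcements for one prefix, as seen by a router in MY_AS.
SAMPLE = [
    Route("203.0.113.0/24", (64501, 64510)),          # via 64501, two hops
    Route("203.0.113.0/24", (64502, 64520, 64510)),   # via 64502, three hops
    Route("203.0.113.0/24", (64503, 64512, 64510)),   # contains MY_AS: a loop
]

if __name__ == "__main__":
    print("shortest path wins:    ", best_path(SAMPLE).as_path)
    print("policy beats length:   ", best_path(SAMPLE, {64502: 200}).as_path)
    print("prepending steers away:", best_path([prepend(SAMPLE[0], 2), SAMPLE[1]]).as_path)
```

The second call is the point the text makes about policy: a customer route given LOCAL_PREF 200 wins over a shorter transit path, because the decision process checks preference before path length. The third shows the origin pushing traffic off its 64501 link simply by making that path look longer.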
Who Uses the Border Gateway Protocol?
BGP users include telecommunications companies such as ISPs, Content Delivery Networks (CDNs) such as Akamai and Cloudflare, and Internet Exchange Points (IXPs), shared switching facilities where networks peer with one another directly rather than routing through intermediate ISPs. Cloud providers like Amazon’s AWS, Google Cloud, and Microsoft Azure also use BGP to manage traffic between their data centers and ISPs, allowing them to provide reliable cloud services globally.
Many large enterprises with extensive networks operate their own ASes and have BGP access to control routing policies across their internal networks and connections to external services. Universities and research institutions often employ their own ASes and use BGP when connecting to national and international research networks supporting scientific collaboration.
Top “tier-1” commercial Internet Service Providers (ISPs) use BGP as well. Tier-1 ISPs are the top-tier providers in the global Internet hierarchy. They own and operate extensive networks and are responsible for a significant portion of the global Internet’s infrastructure. BGP is crucial for them to route traffic and exchange network reachability information with other ASes, and it plays a central role in how these Tier-1 ISPs manage their networks and interact with other ASes. Tier-1 ISPs use BGP to implement routing policies that align with their business strategies and network management goals.
A Tier-1 ISP can reach every network on the Internet, including an entire region such as Singapore, solely via its settlement-free, reciprocal peering agreements, with BGP as the glue; it buys transit from no one. Examples include AT&T in the US or KDDI in Japan. BGP allows them to announce their IP prefixes to the wider Internet and receive routing updates from other ASes. Tier-1 ISPs use BGP to make routing decisions based on criteria such as network policies, path attributes, and reachability information. BGP lets them choose the path traffic takes through their networks; factors like cost and available capacity enter through operator-configured policy (for example, local preference) rather than being measured by the protocol, and latency is not a BGP attribute at all.
Tier-1 ISPs establish BGP peering relationships with other ASes. These take the form of settlement-free peering or transit agreements. Peering is the mutual exchange of traffic between two ASes (typically limited to their own and their customers’ routes), while a transit agreement provides a customer AS with connectivity to the whole Internet in exchange for a fee. Network effects increase the importance and centrality of existing network hubs, giving them a stronger “gravitational pull” and making it more difficult for new entrants to establish themselves in the market. Effective relationships enable the global Internet to function as a connected network of networks.
BGP allows the managers of autonomous systems to weigh various factors when selecting the best path, including network policies, path attributes, and the reliability and performance of available routes. BGP helps maintain Internet reachability by continuously updating routing tables in response to changes in network topology. It selects a preferred path for data packets from source to destination, preferred according to policy rather than raw efficiency, and allows ISPs to advertise which routes they are able to offer other ISPs. BGP empowers network managers to control how data is routed, manage traffic, and enforce security policies.
How Governments Use and Abuse BGP
Military agencies usually operate their own ASes and BGP within their data infrastructure, especially to secure sensitive networks or manage national Internet traffic and, in some cases, control public Internet access to their networks. BGP allows militaries to define specific routing policies, such as steering traffic for particular prefixes (for example, command-and-control networks) over preferred paths or restricting reachability to trusted allies. In field operations, militaries use deployable communication systems that rely on satellite links and mobile base stations. BGP allows these systems to dynamically integrate into broader military networks. Militaries increasingly rely on drones and Internet of Things (IoT) devices, which require efficient routing of data. BGP works to ensure that data from these systems is routed along the intended paths within military infrastructures.
A study of the early Russian-Ukrainian conflict revealed that Russian and separatist forces modified BGP routes to establish a “digital frontline” that mirrored the military one. This strategy involved diverting local Internet traffic from Ukraine, the Donbas region, and the Crimean Peninsula. The research analyzed the strategies employed by actors manipulating BGP, categorized these tactics, and mapped digital borders at the routing level. Additionally, the study anticipated future uses of BGP manipulation, ranging from rerouting traffic for surveillance to severing Internet access in entire regions for intelligence or military objectives. It underscored the critical role of Internet infrastructure in modern conflict, illustrating how BGP manipulation can serve as a tool for strategic control in both the cyber and physical domains.
Governments and other malicious actors can manipulate the Internet through multiple techniques, including BGP hijacking, IP blacklisting and filtering, network partitioning and isolation, content monitoring and traffic analysis, traffic throttling and prioritization, shutdowns and access control, and border routing policies and compliance mandates.
By influencing or manipulating BGP routes, governments or actors with access to BGP-enabled networks can reroute traffic through specific regions or servers. This is often done by injecting false BGP announcements, for example a more-specific prefix that other routers prefer over the legitimate one, so that traffic is redirected to a router of the attacker’s choosing. This allows governments to block, intercept, or monitor certain data flows. Such an approach was seen in incidents in various countries where traffic was rerouted through state-managed systems.
Governments and their agencies worldwide can influence or control national ASes and local network providers, and usually operate BGP within their own infrastructure, especially to secure sensitive networks, manage national Internet traffic, and, in some cases, control public Internet access. Because BGP controls traffic flow, it provides a point of control that governments can leverage for regulatory, security, or censorship purposes. They can dictate the paths data takes across the Internet on a large scale to manage, manipulate, or filter traffic for their own ends.
Governments can mandate that ISPs refuse to announce or accept specific IP prefixes or routes associated with restricted sites or content. By implementing BGP blacklists, they can prevent access to certain websites or services entirely by removing or altering the BGP routes that lead to these destinations, effectively blocking them at the network level; traffic for a prefix with no route is simply dropped.
Some governments impose strict routing policies that partition national networks from the global Internet. By requiring ISPs to use BGP filtering rules that isolate local traffic, they can keep Internet activity confined within national borders. China’s Great Firewall is an example: BGP filtering and routing policies block certain global routes and confine users to government-approved Internet spaces, alongside other techniques such as DNS tampering and deep packet inspection.
Governments can influence routing so that Internet traffic passes through surveillance or monitoring points. By injecting specific BGP routes, traffic can be directed to infrastructure where deep packet inspection (DPI) or other monitoring techniques are applied. This enables governments to analyze or even censor content in real time.
Through BGP route manipulation, governments can slow down or favor traffic to specific networks. BGP itself has no notion of bandwidth or priority, but by steering traffic onto congested or slower paths, or through specific filtering points, they can degrade Internet speeds to certain services while leaving government-approved traffic sources on faster paths.
In extreme cases, governments can order ISPs to withdraw BGP routes to cut off access entirely, effectively disconnecting regions, communities, or entire countries from the global Internet. This has been seen in certain political scenarios and during unrest, when governments initiate BGP route withdrawals that temporarily isolate the local Internet.
Governments can also enforce policies that restrict data to specific geographic boundaries, requiring ISPs to adjust BGP configurations to comply with data residency or border policies. This limits data flows outside national borders and aligns with regulatory frameworks on data sovereignty.
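The route manipulations described in the paragraphs above (a forged more-specific announcement that hijacks traffic, a mandated prefix blacklist, and a route withdrawal), as an added Python example that is not part of the original post. It models a router’s routing table with longest-prefix-match lookup and an import filter, and includes a check based on RPKI Route Origin Validation (RFC 6811), in which a Route Origin Authorization (ROA) records which AS may originate a prefix and up to what length; a router that enforces it rejects the hijack, while a trusting router accepts it. All prefixes are RFC 5737 documentation addresses, and all AS numbers, ROAs, and hosts are invented for the example.

```python
"""Toy routing table showing BGP manipulation and one defence (added example,
not from the original post).

Modelled here: a forged more-specific prefix that captures traffic through
longest-prefix match; a mandated prefix blacklist and a route withdrawal
that make a destination unreachable; and RPKI Route Origin Validation
(RFC 6811), where a ROA records which AS may originate a prefix and up to
what length. Prefixes are RFC 5737 ranges; ASNs and ROAs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Announcement:
    prefix: str     # e.g. "198.51.100.0/24"
    origin_as: int  # last AS in the AS_PATH: the network claiming the prefix


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int  # longest prefix the AS may announce under this ROA
    asn: int


def rov_state(ann: Announcement, roas: Iterable[Roa]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid', or 'not-found'.
    Valid if a covering ROA names the origin AS and allows the length;
    invalid if ROAs cover the prefix but none match; not-found otherwise."""
    net = ipaddress.ip_network(ann.prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == ann.origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


class Rib:
    """A router's routing table with an import filter and longest-prefix lookup."""

    def __init__(self, roas: Iterable[Roa] = (), blacklist: Iterable[str] = (),
                 enforce_rov: bool = False):
        self.routes: Dict[str, Announcement] = {}
        self.roas = list(roas)
        self.blacklist = [ipaddress.ip_network(p) for p in blacklist]
        self.enforce_rov = enforce_rov

    def accept(self, ann: Announcement) -> bool:
        """Import policy: drop prefixes inside a mandated blacklist and, when ROV
        is enforced, announcements whose origin is contradicted by a ROA."""
        net = ipaddress.ip_network(ann.prefix)
        if any(net.subnet_of(b) for b in self.blacklist):
            return False
        if self.enforce_rov and rov_state(ann, self.roas) == "invalid":
            return False
        self.routes[ann.prefix] = ann
        return True

    def withdraw(self, prefix: str) -> None:
        """A BGP WITHDRAW removes the route; with no other path the prefix goes dark."""
        self.routes.pop(prefix, None)

    def lookup(self, address: str) -> Optional[int]:
        """Origin AS that traffic to `address` is forwarded toward, by longest-prefix
        match: a /25 beats a /24 regardless of who announced it."""
        ip = ipaddress.ip_address(address)
        matches = [p for p in self.routes if ip in ipaddress.ip_network(p)]
        if not matches:
            return None
        best = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
        return self.routes[best].origin_as


# Constructed scenario: AS 64510 legitimately originates 198.51.100.0/24 and has
# published a ROA for it; AS 64666 forges a more-specific 198.51.100.0/25.
LEGIT = Announcement("198.51.100.0/24", 64510)
HIJACK = Announcement("198.51.100.0/25", 64666)
ROAS = [Roa("198.51.100.0/24", 24, 64510)]
VICTIM_HOST = "198.51.100.10"


def trusting_router() -> Optional[int]:
    """No validation: the forged /25 captures the victim's traffic."""
    rib = Rib()
    rib.accept(LEGIT)
    rib.accept(HIJACK)
    return rib.lookup(VICTIM_HOST)


def validating_router() -> Optional[int]:
    """ROV enforced: the forged /25 is rejected and traffic still reaches 64510."""
    rib = Rib(roas=ROAS, enforce_rov=True)
    rib.accept(LEGIT)
    rib.accept(HIJACK)
    return rib.lookup(VICTIM_HOST)


def censoring_router() -> Optional[int]:
    """Mandated blacklist: the prefix is never installed, so traffic is dropped."""
    rib = Rib(blacklist=["198.51.100.0/24"])
    rib.accept(LEGIT)
    return rib.lookup(VICTIM_HOST)


if __name__ == "__main__":
    print("trusting router forwards to AS", trusting_router())      # 64666
    print("validating router forwards to AS", validating_router())  # 64510
    print("blacklisting router forwards to", censoring_router())    # None
```

The trusting router never sees anything wrong: the legitimate /24 is still in its table, but the forged /25 wins every lookup for hosts inside it. ROV catches this case only because the victim published a ROA; without one the hijack would be "not-found" and most deployments would still accept it, which is why ROA coverage matters as much as enforcement.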
Concerns
Nations worldwide have growing concerns regarding the security and resilience of BGP, which is fundamental to Internet routing. While critical for directing Internet traffic between ASes, BGP has vulnerabilities that can pose significant risks to national security, data integrity, and overall network resilience.
Through these mechanisms, governments can exercise significant influence over network behavior and access at a national level, using BGP as a powerful tool for traffic control, monitoring, and regulation. Such actions raise concerns over Internet freedom, privacy, and access rights on a global scale.
Citation APA (7th Edition)
Pennings, A.J. (2023, Dec 10). Connecting a Dangerous World: Border Gateway Protocol (BGP) and National Concerns. apennings.com https://apennings.com/global-e-commerce/connecting-a-dangerous-world-border-gateway-protocol-bgp-and-national-concerns/
© ALL RIGHTS RESERVED
Anthony J. Pennings, PhD is a Professor at the Department of Technology and Society, State University of New York, Korea, teaching broadband policy and ICT for sustainable development. He is also a Research Professor at Stony Brook University. From 2002 to 2012 he was on the faculty of New York University, where he taught digital economics and information systems management. He also taught in the Digital Media MBA at St. Edward’s University in Austin, Texas, where he lives when not in the Republic of Korea.
Tags: Amazon's AWS > AT&T > autonomous system (AS) > Border Gateway Protocol (BGP) > Content Delivery Networks (CDNs) > Denial-of-Service (DoS) > Distributed Denial-of-Service (DDoS) > Federal Communications Commission (FCC) > Google Cloud > Internet Exchange Points (IXPs) > Microsoft Azure > Open Shortest Path First (OSPF) > Resource Public Key Infrastructure (RPKI) > Tier-1 ISPs