Connecting a Dangerous World: Border Gateway Protocol (BGP) and National Concerns
Posted on December 9, 2024
This post discusses what the Border Gateway Protocol (BGP) does and some of the risks it poses. While BGP is necessary for the functioning of the Internet, it also presents several security concerns because of its decentralized and trust-based nature. This raises national concerns and has drawn the attention of the Federal Communications Commission (FCC) in the US. This post
The Internet is considered a network of interconnected networks. People with devices like PCs or mobile phones (hosts) connect to the Internet via networked Internet Service Providers (ISPs) that in turn are connected to other ISPs. Applications running on devices work with other devices through a maze of interconnections that pass data from router to router within the ISP’s domain and through or to other ISPs, enterprises, campuses, etc. The resulting network of networks is quite complex, but it connects the world’s Internet traffic with the help of specific routing protocols.
Border Gateway Protocol (BGP) is one such protocol and is integral to the global Internet. Sometimes known as the “Post Office of the Internet,” it was developed in the 1980s to help networks exchange information about how to reach other networks. It determines the best path for data packets to reach their destination. BGP enables network administrators to manage and optimize network traffic by advertising the Internet routes they offer and the ones they can reach. With BGP, they can prioritize certain routes, influence the path selection process to balance traffic loads between different servers, and adapt to changing network conditions.
Despite its usefulness, many countries are worried about BGP’s security vulnerabilities. In the US, the Federal Communications Commission (FCC) is concerned that the Internet presents security threats to the US economy, defense capabilities, public safety, and critical utilities such as energy, water, and transportation. These concerns are echoed by other countries. Malicious or sometimes incompetent actors can exploit or mismanage BGP vulnerabilities through hijacking or spoofing attacks. They can also reroute traffic to intercept or disrupt data flows. The FCC says that while efforts have been made to mitigate the Internet’s security risks, more work needs to be done, especially on BGP.
How Does BGP Work?
Jim Kurose does a great job explaining BGP and its importance in this video:
BGP connects the world by enabling communication and cooperation among autonomous systems, ensuring that data packets can traverse the vast and interconnected network of networks that make up the Internet. It bridges separate but networked ASes such as campuses, companies, and countries. BGP works to ensure that data packets originating from one location can cross over between ISPs and other WANs (Wide Area Networks) to reach their destination anywhere else on the planet. Network routers read the prefix of a packet’s destination address to determine which way it will be sent.
BGP’s ability to adapt to changing network conditions, manage data traffic, and facilitate redundant paths is crucial for the stability and reliability of the global Internet, but it also poses several dangers. Unless software-defined networking (SDN) is adopted more widely, BGP organizes routing tables locally throughout its network, and the information used for routing calculations rests on trust relationships with other ASes. Ideally, this results in connections that can quickly reroute traffic through alternative paths to maintain network integrity. If one route becomes unavailable due to network outages, maintenance, or policy, BGP can quickly find other routes.
BGP is designed for interdomain routing, which means it focuses on routing decisions between different autonomous systems. This is in contrast to intradomain routing protocols like OSPF or Enhanced Interior Gateway Routing Protocol (EIGRP), which operate within a single AS. BGP is the protocol of choice for interdomain routing, which can mean routing between countries and even between large-scale Tier 1 ISPs.
Who Uses Border Gateway Protocols?
BGP users include telecommunications companies such as ISPs, Content Delivery Networks (CDNs) such as Akamai and Cloudflare, and Internet Exchange Points (IXPs) that bypass multiple networks and allow specific networks to interconnect directly rather than routing through various ISPs. Cloud providers like Amazon’s AWS, Google Cloud, and Microsoft Azure also use BGP to manage the traffic between their data centers and ISPs, allowing them to provide reliable cloud services globally.
Many large enterprises with extensive networks operate their own ASes and have BGP access to control routing policies across their internal networks and connections to external services. Universities and research institutions often employ their own ASes and use BGP when connecting to national and international research networks supporting scientific collaboration.
Military agencies usually maintain BGP access within their data infrastructure, especially to secure sensitive networks or manage national Internet traffic and, in some cases, control public Internet access to their networks. BGP allows militaries to define specific routing policies, such as prioritizing certain types of traffic (e.g., command-and-control data) or restricting traffic to trusted allies. In field operations, militaries use deployable communication systems that rely on satellite links and mobile base stations. BGP allows these systems to dynamically integrate into broader military networks. Militaries increasingly rely on drones and Internet of Things (IoT) devices, which require efficient routing of data. BGP works to ensure that data from these systems is routed optimally within military infrastructures.
A study of the early Russian-Ukrainian conflict revealed that Russian and separatist forces modified BGP routes to establish a “digital frontline” that mirrored the military one. This strategy involved diverting local internet traffic from Ukraine, the Donbas region, and the Crimean Peninsula. The research focused on analyzing the strategies employed by actors manipulating BGP, categorizing these tactics, and mapping digital borders at the routing level. Additionally, the study anticipated future uses of BGP manipulations, ranging from re-routing traffic for surveillance to severing Internet access in entire regions for intelligence or military objectives. It underscored the critical role of Internet infrastructure in modern conflict, illustrating how BGP manipulations can serve as tools for strategic control in both cyber and physical domains.[6]
Governments worldwide can influence or control national ASes and domestic network providers, and government agencies usually maintain BGP access within their own data infrastructure, especially to secure sensitive networks, manage national Internet traffic, and in some cases control public Internet access. Because BGP controls traffic flow, it lets those with such access dictate the paths data takes across the Internet on a large scale in order to manage, manipulate, or filter traffic for their own ends. This capability provides a point of control that governments can leverage for regulatory, security, or censorship purposes.
As the image above suggests, top “tier-1” commercial Internet Service Providers (ISPs) use BGP as well. Tier-1 ISPs are considered the top-tier providers in the global Internet hierarchy. They own and operate extensive networks and are responsible for a significant portion of the global Internet’s infrastructure. BGP is crucial for them to route traffic and exchange network reachability information with other ASes, and it plays a central role in how these tier-1 ISPs manage their networks and interact with other ASes. Tier-1 ISPs use BGP to implement routing policies that align with their business strategies and network management goals.
A Tier-1 ISP can reach an entire Internet region like Singapore solely through its free and reciprocal peering agreements, with BGP as the glue. Examples include AT&T in the US and KDDI in Japan. BGP allows them to announce their IP prefixes to the wider Internet and receive routing updates from other ASes. Tier-1 ISPs use BGP to make routing decisions based on various criteria, including network policies, path attributes, and reachability information. BGP allows them to determine the best path for routing traffic through their networks, considering factors like latency, cost, and available capacity.
Tier-1 ISPs can establish BGP peer relationships with other ASes. These relationships can take the form of settlement-free peering or transit agreements. Peering involves the mutual exchange of traffic between two ASes, while transit agreements typically involve the provision of Internet connectivity to a customer AS in exchange for a fee. Network effects increase the importance and centrality of existing network hubs, giving them a stronger “gravitational pull,” making it more difficult for new entrants to establish themselves in the market. Effective relationships enable the global Internet to function as a connected network of networks.
BGP allows the managers of autonomous systems to consider various factors when selecting the best path, including network policies, routing metrics, and the reliability and performance of available routes. BGP helps maintain Internet reachability by constantly updating routing tables and responding to changes in network topology. It identifies the most efficient path for data packets to travel from source to destination and allows ISPs to advertise what routes they are able to offer other ISPs. BGP empowers network managers to control how data is routed, manage traffic, and enforce security policies.
Mitigating BGP Cybersecurity Risks
While BGP is crucial for the functioning of the Internet, it also presents many security concerns due to its decentralized and trust-based nature. These include BGP route hijacking, route leaking, distributed denial-of-service (DDoS) attacks, IP blacklisting and filtering, network partitioning and isolation, content monitoring and traffic analysis, traffic throttling and prioritization, shutdowns and access control, border routing as well as policies and compliance.
One of the most significant security threats associated with BGP is route hijacking, where malicious actors illegitimately announce IP prefixes that they do not own or control. This can divert traffic intended for legitimate destinations to unauthorized networks, allowing attackers to intercept, modify, or block communications.
BGP sessions are vulnerable to hijacking attacks, where attackers gain unauthorized access to BGP routers or compromise the integrity of BGP sessions between ASes. By hijacking BGP sessions, attackers can inject false routing updates, manipulate routing tables, or disrupt communication between network peers. In addition to route hijacking, attackers may engage in IP prefix hijacking, where they falsely claim ownership of IP address blocks assigned to legitimate entities. By announcing these hijacked prefixes, attackers can redirect traffic destined for the legitimate IP addresses to their own infrastructure, enabling various malicious activities such as traffic interception, data exfiltration, or distributed denial-of-service (DDoS) attacks.
Another concern is route leaks, which occur when an AS inadvertently or intentionally announces IP prefixes learned from one peer to another, causing unintended consequences such as suboptimal routing, traffic congestion, or disruption of service. The Internet Engineering Task Force (IETF) provides a working definition of a BGP route leak in RFC 7908 as “the propagation of routing announcement(s) beyond their intended scope”: specifically, when a learned BGP route is announced to another AS in violation of the intended policies of the sender, the receiver, or any of the ASes along the preceding AS path. Route leaks can result from malicious actions but also from misconfigurations or software bugs.
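One common way to operationalize the RFC 7908 definition above is to check each hop of an AS path against the usual export rule between providers, customers, and peers. The code below is an added illustration, not part of the original post; the AS numbers and relationships are constructed sample values, and the rule it applies (routes learned from a provider or peer go only to customers) is the conventional operator policy rather than anything the post itself specifies.

```python
# Added example (not from the original post): checking an AS path against the
# customer/provider/peer export rule that RFC 7908 route-leak types violate.
# Relationships and AS numbers are constructed sample values, not real data.

def find_route_leak(as_path, rels):
    """as_path: BGP order (leftmost = neighbour we heard it from, rightmost = origin).
    rels: dict of (provider, customer) -> 'p2c', or (a, b) -> 'p2p' for peers.
    Returns the AS that leaked the route, or None if every hop obeyed the rule:
    a route learned from a provider or a peer may only be exported to customers."""
    def view(a, b):
        # How AS a classifies its neighbour b.
        if rels.get((a, b)) == "p2c":
            return "customer"
        if rels.get((b, a)) == "p2c":
            return "provider"
        if rels.get((a, b)) == "p2p" or rels.get((b, a)) == "p2p":
            return "peer"
        raise ValueError(f"no known relationship between AS{a} and AS{b}")

    path = list(reversed(as_path))  # propagation order: origin first
    for i in range(1, len(path) - 1):
        learned_from = view(path[i], path[i - 1])
        exported_to = view(path[i], path[i + 1])
        if learned_from in ("provider", "peer") and exported_to != "customer":
            return path[i]
    return None


# Constructed topology: AS64501 and AS64503 are both providers of AS64502;
# AS64500 is a customer of AS64501; AS64504 peers with AS64501.
SAMPLE_RELS = {
    (64501, 64500): "p2c",
    (64501, 64502): "p2c",
    (64503, 64502): "p2c",
    (64501, 64504): "p2p",
}

# AS64502 learned AS64500's route from provider AS64501 and re-announced it to
# its other provider AS64503: the "hairpin turn" leak (RFC 7908 Type 1).
LEAKY_PATH = (64503, 64502, 64501, 64500)
# A customer route exported to a peer is allowed, so this path is clean.
CLEAN_PATH = (64504, 64501, 64500)

if __name__ == "__main__":
    print("leak at:", find_route_leak(LEAKY_PATH, SAMPLE_RELS))
    print("leak at:", find_route_leak(CLEAN_PATH, SAMPLE_RELS))
```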
A related problem is BGP prefix deaggregation, which involves announcing smaller IP address blocks instead of aggregated prefixes. This leads to increased routing table size, memory consumption, and processing overhead for network routers. While not inherently malicious, excessive prefix deaggregation can strain network infrastructure and impact routing stability and efficiency.
BGP is also susceptible to distributed denial-of-service (DDoS) attacks aimed at disrupting BGP routing operations or exhausting network resources. Attackers may flood BGP routers with excessive routing updates, consume bandwidth with large routing tables, or overload routers with malicious traffic, causing service degradation or outages.
Without mechanisms for verifying the legitimacy of route announcements, BGP relies on trust relationships between ASes. However, these trust relationships can be exploited by attackers to propagate false routing information. Origin validation mechanisms, such as Resource Public Key Infrastructure (RPKI), aim to mitigate this risk by cryptographically verifying the legitimacy of route announcements.
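The origin validation just described, worked through as an added example that is not code from the original post: an RPKI Route Origin Validation check in RFC 6811 terms, run over a constructed batch of announcements that includes the hijack and prefix deaggregation cases from the earlier paragraphs. All prefixes, AS numbers, and ROAs are constructed sample values.

```python
# Added example (not from the original post): RPKI Route Origin Validation
# (RFC 6811 semantics) run over a constructed set of BGP announcements.
# Prefixes and AS numbers are constructed sample values, not real routing data.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str       # authorised prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest more-specific the origin may announce
    origin_as: int    # AS number authorised to originate it

@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple    # BGP order: leftmost = neighbour, rightmost = origin AS

def validate_origin(ann, roas):
    """Classify one announcement as 'valid', 'invalid' or 'notfound'.
    Returns (state, reason). 'valid' needs a covering ROA whose origin AS
    matches AND whose maxLength permits the announced prefix length."""
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound", "no ROA covers this prefix"
    same_origin = [r for r in covering if r.origin_as == origin]
    if not same_origin:
        return "invalid", f"AS{origin} is not an authorised origin (possible hijack)"
    if all(net.prefixlen > r.max_length for r in same_origin):
        return "invalid", f"/{net.prefixlen} exceeds maxLength (deaggregation beyond ROA)"
    return "valid", "origin AS and prefix length match a ROA"

def apply_policy(announcements, roas):
    """Typical import policy: reject 'invalid'; accept 'valid' and 'notfound'
    (most prefixes still have no ROA, so dropping 'notfound' would be too blunt)."""
    accepted, rejected = [], []
    for ann in announcements:
        state, reason = validate_origin(ann, roas)
        target = rejected if state == "invalid" else accepted
        target.append((ann.prefix, ann.as_path[-1], state, reason))
    return accepted, rejected

# Constructed ROA table: AS64500 holds 203.0.113.0/24 exactly; AS64501 holds
# 198.51.100.0/22 and may announce it as anything from /22 down to /24.
SAMPLE_ROAS = [ROA("203.0.113.0/24", 24, 64500), ROA("198.51.100.0/22", 24, 64501)]

# Constructed announcements as a router might receive them from peer AS64510.
SAMPLE_ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", (64510, 64500)),          # legitimate
    Announcement("203.0.113.0/25", (64510, 64500)),          # right AS, too specific
    Announcement("198.51.100.0/24", (64510, 64520, 64666)),  # wrong origin AS
    Announcement("198.51.100.0/23", (64510, 64501)),         # legitimate /23
    Announcement("192.0.2.0/24", (64510, 64502)),            # no ROA at all
]

if __name__ == "__main__":
    accepted, rejected = apply_policy(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)
    for row in accepted + rejected:
        print(*row)
```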
BGP lacks built-in security mechanisms for authenticating the source of routing updates, making it susceptible to spoofing and impersonation attacks. Without proper authentication mechanisms, verifying the authenticity and integrity of BGP messages is challenging, leaving the protocol vulnerable to manipulation and abuse.
Mitigating Other BGP Risks
Addressing these security concerns requires technical solutions, best practices, and collaborative efforts among network operators, ISPs, and standardization bodies. Measures such as route filtering, route validation, secure routing protocols (e.g., BGPsec), and enhanced monitoring and detection capabilities can help mitigate the risks associated with BGP security vulnerabilities. Additionally, ongoing research and development efforts aim to improve the global BGP infrastructure’s security, resilience, and trustworthiness.
Network administrators can use route filtering and route maps to control which routes learned via BGP are redistributed into OSPF and vice versa. This allows for finely determined control over which routes cross AS boundaries and which remain internal.
BGP offers more flexibility in terms of policy-based routing decisions. Network administrators can set up complex routing policies influencing route selection and propagation. Policies can determine which ASes to advertise routes to and which ASes to accept routes from. They can also choose which countries to send packets through or receive packets from.
BGP can be used for traffic engineering purposes, such as load balancing and route preference by bandwidth or cost. By controlling BGP policies and redistributing routes into OSPF, network administrators can influence traffic flows within the AS. For instance, when an enterprise like Starbucks receives an HTTP request for a webpage, it can adjust internal route selection based on application requirements, time of day, or bandwidth constraints.
BGP, while not directly manipulating content, introduces complexities that can be exploited to undermine net neutrality principles. Addressing these concerns requires transparency in routing policies, international cooperation to address potential misuse, and a commitment to the core tenets of equal Internet access for all.
BGP can be hijacked to disrupt essential services and connectivity. Rerouted traffic can lead to network instability, which can cause critical services to either become inaccessible or experience degraded performance.
How Governments Use and Abuse BGP
Governments and other, sometimes malicious, actors can manipulate the Internet through multiple techniques, including BGP hijacking, IP blacklisting and filtering, network partitioning and isolation, content monitoring and traffic analysis, traffic throttling and prioritization, shutdowns and access control, border routing, and policies and compliance.
By influencing or manipulating BGP routes, governments or actors with access to BGP-enabled networks can reroute traffic through specific regions or servers. This is often done by injecting false BGP announcements that redirect traffic to a specific router, which allows governments to block, intercept, or monitor certain data flows. Such an approach was seen in incidents in various countries where traffic was rerouted through state-managed systems.
Governments can mandate that ISPs refuse to announce or accept specific IP prefixes or routes associated with restricted sites or content. By implementing BGP blacklists, they can prevent access to certain websites or services entirely by removing or altering the BGP routes that lead to these destinations, effectively blocking them at the network level.
Some governments impose strict routing policies that partition national networks from the global Internet. By requiring ISPs to use BGP filtering rules that isolate local traffic, they can keep Internet activity confined within national borders. China’s Great Firewall is an example, where BGP filtering and routing policies prevent certain global routes and confine users to government-approved internet spaces.
Governments can influence routing so that Internet traffic passes through surveillance or monitoring points. By injecting specific BGP routes, traffic can be directed to infrastructure where deep packet inspection (DPI) or other monitoring techniques are applied. This enables governments to analyze or even censor content in real time.
Through BGP route manipulation, governments can slow down or prioritize traffic to specific networks. For example, they may route traffic through slower networks or specific filtering points to control Internet speeds to certain services or prioritize government-approved traffic sources.
In extreme cases, governments can mandate ISPs to withdraw BGP routes to cut off access entirely, effectively disconnecting regions, communities, or entire countries from the global Internet. This can be seen in certain political scenarios or during unrest when governments initiate BGP route withdrawals, isolating the local Internet temporarily.
Governments can also enforce policies that restrict data to specific geographic boundaries, requiring ISPs to adjust BGP configurations to comply with data residency or border policies. This limits data flows outside national borders and aligns with regulatory frameworks on data sovereignty.
Through these mechanisms, governments can exercise significant influence over network behavior and access at a national level, using BGP as a powerful tool for traffic control, monitoring, and regulation. However, such actions often raise concerns over Internet freedom, privacy, and access rights on a global scale.
National Concerns
Nations worldwide have growing concerns regarding the security and resilience of BGP, which is fundamental to Internet routing. While critical for directing Internet traffic between ASes, BGP has vulnerabilities that can pose significant risks to national security, data integrity, and overall network resilience.
Citation APA (7th Edition)
Pennings, A.J. (2023, Dec 10). Connecting a Dangerous World: Border Gateway Protocol (BGP) and National Concerns. apennings.com https://apennings.com/global-e-commerce/connecting-a-dangerous-world-border-gateway-protocol-bgp-and-national-concerns/
© ALL RIGHTS RESERVED
Anthony J. Pennings, PhD is a Professor at the Department of Technology and Society, State University of New York, Korea, teaching broadband policy and ICT for sustainable development. He is also a Research Professor at Stony Brook University. From 2002-2012 he was on the faculty of New York University, where he taught digital economics and information systems management. He also taught in the Digital Media MBA at St. Edward’s University in Austin, Texas, where he lives when not in the Republic of Korea.
Tags: Amazon's AWS > AT&T > autonomous system (AS) > Border Gateway Protocol (BGP) > Content Delivery Networks (CDNs) > Denial-of-Service (DoS) > Distributed Denial-of-Service (DDoS) > Federal Communications Commission (FCC) > Google Cloud > Internet Exchange Points (IXPs) > Microsoft Azure > Open Shortest Path First (OSPF) > Resource Public Key Infrastructure (RPKI) > Tier-1 ISPs