Getty Images | Yuichiro Chino
The Federal Communications Commission wants to verify that Internet service providers are strengthening their networks against attacks that take advantage of vulnerabilities in Border Gateway Protocol (BGP).
The FCC today unanimously approved a Notice of Proposed Rulemaking that would require ISPs to prepare confidential reports “detail[ing] their progress and plans for implementing BGP security measures that utilize the Resource Public Key Infrastructure (RPKI), a critical component of BGP security.”
“Today, we begin a rulemaking to help make our Internet routing more secure,” FCC Chairwoman Jessica Rosenworcel said. “We propose that all providers of broadband Internet access service prepare and update confidential BGP security risk management plans. These plans would describe and attest to their efforts to follow existing best practices with respect to Route Origin Authorizations and Route Origin Validation using the Resource Public Key Infrastructure. In addition, we propose quarterly reporting for the largest providers to ensure we are making progress addressing this well-known vulnerability.”
The FCC said the initial design of BGP that remains widely deployed today “does not include intrinsic security features to ensure trust in the information that is relied upon to exchange traffic among independently managed networks on the Internet.” Hackers can “deliberately falsify BGP reachability information to redirect traffic” in BGP hijacks that “can expose Americans’ personal information; enable theft, extortion, and state-level espionage; and disrupt services upon which the public or critical infrastructure sectors rely,” the FCC said.
In a 2022 incident, hackers used BGP hijacking to seize control of over 250 IP addresses used by Amazon for its cloud service. The hackers reportedly stole $235,000 worth of cryptocurrency.
A draft of the proposal released before today’s meeting explains that “RPKI helps to create trust in reachability information by enabling cryptographically verifiable associations between specific IP address blocks, or autonomous system numbers (ASNs), and the ‘holders’ of those Internet number resources.”
Stricter rules for largest ISPs
The FCC will take public comments on its proposed rulemaking for 45 days after it is published in the Federal Register, and it could finalize the regulations in the coming months. Under the proposal, ISPs must “prepare and update confidential BGP security risk management plans at least annually,” the FCC said.
The nine largest broadband providers would also have to “file their BGP plans confidentially with the Commission as well as file quarterly data available to the public that would allow the Commission to measure progress in the implementation of RPKI-based security measures and assess the reasonableness of the BGP plans,” the FCC said. The quarterly reports would include data on ROA [Route Origin Authorization] registrations.
The draft said the stricter reporting requirements would apply to AT&T, Altice, Charter, Comcast, Cox, Lumen (aka CenturyLink), T-Mobile, TDS (including subsidiary US Cellular), and Verizon. “These significant providers are likely to originate routes covering a large proportion of the IP address space in the United States and will play critical roles ensuring effective implementation of ROV [Route Origin Validation] filtering,” the draft proposal said.
The large providers would be allowed to stop submitting annual plans once they “attest that they are maintaining ROAs covering at least 90 percent of originated routes for IP address prefixes under their control.” Smaller ISPs may be asked to submit their plans on a case-by-case basis. “Smaller broadband providers would not be required to file their plans with the Commission but rather make them available to the Commission upon request,” the FCC said.
Cable lobby group NCTA-The Internet & Television Association argued that “prescriptive rules are not needed in this area” but said it supports the FCC “proposal to eliminate an ISP’s annual RPKI reporting requirement once it attests to covering 90 percent of its originating Internet traffic routes with ROAs.” The NCTA urged the FCC to also eliminate the quarterly data submission requirement for ISPs that hit the 90 percent mark.
