FCC Issues Notice Of Inquiry To Examine Internet Global Routing System Vulnerabilities
February 28, 2022 – The Federal Communications Commission has released a Notice Of Inquiry (NOI) to “begin an inquiry into the vulnerabilities of the Internet’s global routing system.”[1]
Specifically, in the NOI, the FCC is seeking “comment on vulnerabilities threatening the security and integrity of the Border Gateway Protocol (BGP), which is central to the Internet’s global routing system, its impact on the transmission of data from email, e-commerce, and bank transactions to interconnected Voice-over Internet Protocol (VoIP) and 9-1-1 calls, and how best to address them.”
Comments in response to the NOI are due on or before 30 days after the NOI is published in the Federal Register. Reply comments are due 60 days after publication.
What Is The Border Gateway Protocol?
Here is how Cloudflare explains BGP:
Border Gateway Protocol (BGP) is the postal service of the Internet. When someone drops a letter into a mailbox, the Postal Service processes that piece of mail and chooses a fast, efficient route to deliver that letter to its recipient. Similarly, when someone submits data via the Internet, BGP is responsible for looking at all of the available paths that data could travel and picking the best route, which usually means hopping between autonomous systems.
BGP is the protocol that makes the Internet work by enabling data routing. When a user in Singapore loads a website with origin servers in Argentina, BGP is the protocol that enables that communication to happen quickly and efficiently.[2]
Notice Of Inquiry – Issues For Public Comment
The FCC has teed up the issues and questions below for public comment. They are found in paragraphs 8 – 19 of the NOI.
¶8 Scope of Inquiry. In this Notice, we seek comment on any steps that the Commission should consider taking to help protect and strengthen the nation’s communications network and other critical infrastructure from vulnerabilities posed by BGP, and how we can best facilitate the implementation of industry standards and best practices to mitigate the potential harms posed by these vulnerabilities.
In order to better understand the BGP ecosystem, we seek comment on the extent to which Internet Service Providers, public Internet Exchange Providers, and providers of interconnected VoIP service have deployed BGP routers in their networks.
Do content delivery networks, and providers of cloud services operate BGP routers in their networks as well?
What other types of entities operate BGP routers? We recognize that there are entities that do not operate BGP routers, but that are otherwise well positioned to support the development and implementation of BGP security practices. For example, there are several regional, national, and local Internet registries that manage the allocation and registration of Internet number resources, and support RPKIs. Additionally, the Internet Corporation for Assigned Names and Numbers (ICANN), through its affiliate, Internet Assigned Numbers Authority (IANA), has responsibility for coordinating the Internet’s unique identifiers.
We seek comment on what role these and other entities, including vendors of BGP routers or other networking equipment, have in supporting the development and implementation of BGP security practices.
What threats to Internet routing should the Commission consider within the scope of this inquiry in addition to BGP hijacking? For example, to what extent could BGP security measures prevent pervasive monitoring?
¶9 Measuring BGP Security. We seek comment on whether industry has defined metrics for identifying BGP routing security incidents and for quantifying their scope and impact.
To what extent are available tools, such as NIST’s RPKI Monitor, Automatic and Real-Time dEtection and Mitigation System (ARTEMIS), BGPstream, BGPMon, Kentik, and Traceroute, able to rapidly and accurately detect BGP hijacks or router misconfigurations?
To what extent do these tools distinguish malicious routing changes from accidental ones?
Do artificial intelligence and machine learning tools promise advancements in this area?
¶10 Deployment of BGP Security Measures. We seek comment on the security measures that have been developed and deployed by industry to secure BGP.
In addition to the measures recommended by CSRIC III and VI (RPKI, MANRS, and applicable IETF Best Common Practice standards), BGPsec, and the NIST practice guide, what other standards, specifications, or best practices have been developed to address potential attacks that exploit BGP vulnerabilities?
We seek comment on the extent to which network operators have implemented any of the available BGP security measures developed by industry. How effective are these measures in practice?
We seek comment on how to assess, measure, demonstrate, or increase the effectiveness of these security measures. To the extent that network operators have not implemented security measures, we seek comment on why such measures have not been implemented. To the extent that network operators have implemented security measures, how effective have they been at mitigating the vulnerability? What obstacles have prevented them from doing so?
¶11 We seek comment on the extent to which RPKI, as implemented by other regional Internet registries, effectively prevents BGP hijacking.
To what extent do network operators take advantage of the RPKI services that regional Internet registries offer by implementing RPKI in their networks?
To what extent, if any, do network operators’ service level agreements affect the ability of network operators to drop traffic that RPKI deems invalid?
How do regional Internet registries maintain the certificate authority for the RPKIs in a way that mitigates the risk of a single point of failure vulnerable to distributed denial of service attacks?
How do regional Internet registries prevent conflicts among distributed RPKI trust anchors?
¶12 We seek comment on whether and to what extent network operators anticipate integrating BGPsec-capable routers into their networks. The specification for the BGPsec extension to BGP became available in 2017, but it appears that BGPsec has not been widely deployed despite BGP’s known vulnerabilities.
Why have network operators not taken more aggressive steps to adopt BGPsec?
What particular obstacles or concerns about BGPsec have slowed their adoption?
To what extent does the introduction of BGPsec routers potentially introduce compatibility issues among managed networks or introduce delays?
¶13 For network operators that currently participate in MANRS and comply with its requirements, including support for IETF Best Common Practice standards, we seek comment on the efficacy of such measures for preventing BGP hijacking.
To what extent do the network operators that participate in MANRS support both its required and recommended routing security actions, as well as applicable IETF Best Common Practice standards on which those actions are based?
To what extent do network operators participate in MANRS’ various programs, including its equipment vendor program, launched in 2021, which aims to enable routing security features on network equipment and provide support and training guidance to use them, or take advantage of the MANRS Observatory?
¶14 Commission’s Role. Ensuring continued U.S. leadership requires that we explore opportunities to spur trustworthy innovation for more secure communications and critical infrastructure. The Commission has sought to promote the security of U.S. networks and network equipment both by drawing attention to available resources and through exercise of its regulatory authority.
We seek comment on steps the Commission, in coordination with other federal agencies, could take to prevent BGP hijacking or otherwise promote secure Internet routing.
We seek comment on whether the Commission has a role in helping U.S. network operators deploy BGP security measures. If so, how can the Commission be most helpful?
We seek comment on our authority to promote the security of Internet routing through regulation, including as it may apply to wireless and wireline Internet Service Providers, Internet Exchange Providers, interconnected VoIP providers, operators of content delivery networks, cloud service providers, and other enterprise and organizational stakeholders.
We seek comment on whether regulatory clarity could help network operators prioritize investments in the security of their networks.
¶15 We seek comment on the extent to which other nations’ telecommunications regulators and multistakeholder organizations have issued rules, guidance, or otherwise encouraged network operators, network security organizations, and equipment vendors to implement BGP security measures and on any lessons learned from those endeavors.
We seek comment on the extent to which the effectiveness of BGP security measures may be related to international participation and coordination.
¶16 Costs and Benefits. We seek comment on the one-time and ongoing costs of implementing the BGP security measures discussed herein.
What capital and operational expenditures attend their implementation?
Does the availability of a protocol for RPKI keep implementation costs low?
Would network operators need to replace existing routers to support the BGPsec extension?
Could support be enabled through a software upgrade, particularly for routers that are not considered to be “end-of-life”?
To what extent can network operators support MANRS’ required and recommended actions by updating their policies and practices, and without equipment replacement or software updates?
What costs would consumers likely experience from BGP security implementations, such as higher service costs or speed reductions?
¶17 We seek comment on whether the Commission should encourage industry to prioritize the deployment of BGP security measures within the networks on which critical infrastructure and emergency services rely, as a means of helping industry to control costs otherwise associated with a network-wide deployment.
Would this or another phased or gradual implementation of BGP security measures be effective and help network operators to plan for and control implementation costs?
¶18 We also seek comment on the national security, economic, and public safety benefits of more secure Internet routing, both within the U.S. and globally.
What entities are particularly affected by threats to BGP security?
To what extent would the security measures discussed herein be effective in mitigating BGP hijacking?
What is the potential impact of mitigating BGP hijacking on U.S. national security and the U.S. economy?
Have stakeholders attempted to quantify the benefits that secure Internet routing could convey by protecting critical infrastructure, sensitive communications, and personally identifiable information?
Have stakeholders attempted to quantify the benefits of secure Internet routing in terms of the potential loss of Intellectual Property, communications delays, or disruptions that BGP’s unmitigated vulnerability represents?
Have stakeholders attempted to measure or quantify the extent to which BGP hijacking poses a threat to life and property by disrupting 9-1-1 calls carried by providers of interconnected VoIP service?
What other benefits could potentially accrue from this inquiry?
¶19 Digital Equity and Inclusion. Finally, the Commission, as part of its continuing effort to advance digital equity for all, including people of color, persons with disabilities, persons who live in rural or Tribal areas, and others who are or have been historically underserved, marginalized, or adversely affected by persistent poverty or inequality, invites comment on any equity-related considerations and benefits (if any) that may be associated with the proposals and issues discussed herein.
Specifically, we seek comment on how our proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well as the scope of the Commission’s relevant legal authority.
**********
[1] Secure Internet Routing, PS Docket No. 22-90, Notice Of Inquiry, FCC 22-18 (Feb. 28, 2022) (NOI), https://docs.fcc.gov/public/attachments/FCC-22-18A1.pdf.
[2] https://www.cloudflare.com/learning/security/glossary/what-is-bgp/.