Notes From an Engineer on the FCC’s Routing Security Inquiry

Andrew Gallo
Oct 3, 2022

Introduction

Earlier this year, the Federal Communications Commission in the United States issued a “Notice of Inquiry” concerning routing security. Officially titled In the Matter of Secure Internet Routing, the FCC’s Public Safety and Homeland Security Bureau asks a series of open-ended questions seeking information on the current and potential future states of Internet Routing Security. As this is an area of special interest for me, I decided to read all the comments to see what the industry and subject matter experts saw as the current state and possible future of routing security. What follows is an engineer’s view of the proceeding.

“With this Notice of Inquiry (Notice), we seek comment on vulnerabilities threatening the security and integrity of the Border Gateway Protocol (BGP), which is central to the Internet’s global routing system, its impact on the transmission of data from email, e-commerce, and bank transactions to interconnected Voice-over Internet Protocol (VoIP) and 9–1–1 calls, and how best to address them.”

The Process

First, a brief explanation of the process. This proceeding was a “Notice of Inquiry” which is one of several ways the FCC can formally seek comments from the public on its activities. In the FCC’s own words, “A Notice of Inquiry (NOI) will ask the public to comment on specific questions about an issue. The responses will help the FCC to determine if further action by the Commission is warranted.” Essentially, the Commission and its staff want to gather information on a specific topic, and this is a formal way to seek input from interested parties, which are often companies and interest groups that might be impacted by any FCC action, subject matter experts, and anyone else that has an opinion.

Another process the Commission uses is the Notice of Proposed Rule Making (NPRM). Where NOIs tend to be more open-ended, seeking general information, an NPRM is where the Commission publicly announces an intention to establish new rules or regulations. To explain this informally, the Commission is saying, “we are planning on establishing new rules, or changing existing ones. Please comment.” The issues and questions in an NPRM are generally more focused because there are specific, proposed rules that are being considered.

Many filings are written by lawyers and have a formal format. They’ll have headings, with proceeding and docket identifiers, they’ll be heavily footnoted, and overall read like a legal briefing. In many cases, especially with NPRM comments, there are legal arguments being made. To my fellow network engineers, I say: please don’t let the look or format of many submissions intimidate or deter you. Please, if you have some valuable information, or an opinion to share, write something, share it! Especially for Notices of Inquiry, the FCC is asking for information; use this as an opportunity to share your expertise. You’ve got the hands-on experience designing, implementing, and operating networks. The FCC wants to know about it! The Electronic Comment Filing System (ECFS, the site where comments are filed) even allows for entering a comment directly on the site, without uploading a document.

In this NOI, the FCC asked several questions, including: the types of BGP security operators are using, the effectiveness of these deployments, how security is measured and monitored, the use and effectiveness of RPKI, reasons for the lack of BGPsec adoption, and the adoption and effectiveness of MANRS, among others.

Some proceedings generate lots of comments. The 2015 Open Internet Order attracted tens of millions of responses. Most, however, generate much less interest. For this proceeding, some numbers:

  • There were 46 comments filed with a total page count of 487.
  • There were 16 individuals (or groups of individuals) and 29 organizations (companies, industry groups, government agencies).
  • There were two notices of ex parte communication.
  • Nearly 70% of the responses included some mention of the Mutually Agreed Norms for Routing Security (MANRS); some relied heavily on MANRS for recommendations (e.g., Microsoft), and many used MANRS articles and data as citations and references.

Highlights of Responses

To no surprise, many respondents cautioned the Commission against using its regulatory powers to encourage or require some action to improve routing security. The reasons included:

  • The FCC lacks jurisdiction for nearly all operators because the Internet is a global network.
  • Even within the US, it’s unclear how much authority the FCC has to issue regulations concerning routing security, given that there are many non-ISP Internet operators (e.g., a university using BGP to connect to the Internet). Even for operators that are more traditionally under the FCC’s regulatory authority, it’s unclear whether routing security is included in that authority.
  • Regulation may ‘freeze’ the state of routing security, cause tunnel vision to meet the regulation, and prevent the flexibility needed to address emerging and new security concerns.

In a global network of over 70,000 operators, any single entity has limited ability to effect change. The operators must follow the same rules. Working through standards bodies, primarily the IETF, new technologies are proposed, debated, developed, and adopted. What we see from many of the respondents is the desire to allow the process to continue.

However, a joint comment by the Department of Defense and Department of Justice advocated a much more activist role for the FCC: “Carefully constructed rules, issued in concert with other government actions, could far more effectively reduce the risks associated with foreign operators or bad actors exploiting BGP insecurity.”

I would respectfully suggest that the executive branch should lead by example. Few federal networks have RPKI ROAs; few of the top-20 federal sites from analytics.usa.gov are hosted on networks covered by ROAs, even when hosted by CDNs that have ROAs for other network prefixes. Creating ROAs for the large amount of IP space held by the US Government would signal its commitment to routing security in general and RPKI-based ROV specifically. The comment laments the lack of progress by the industry, yet the government’s progress is even more anemic.

Geoff Huston puts it this way:

“It would be imprudent to consider the current state of BGP security mechanisms, as encompassed by the sole use of RPKI, Route Origination Validation and BGPSEC as complete and fully ready for broad scale deployment, and the cautious stance taken by many operators of Internet infrastructure with respect to deployment of these tools is reflective of a level of due consideration relating to adoption of new technologies where the risks and vulnerabilities of the technology are still not fully appreciated.”

Many “traditional” carriers (or interest groups) frequently cited the past work of the Communications Security, Reliability, and Interoperability Council (CSRIC). CSRICs are called periodically by the Commission to study and develop recommendations on specific areas of interest. Commenters encouraged the continued use of the FCC as a convener of industry and academic expertise via CSRIC. Most recently, CSRIC VI Working Group 3 released a report titled “Report on Best Practices and Recommendations to Mitigate Security Risks to Current IP-based Protocols.”

There were some good discussions on BGPsec, particularly on the challenges to deployment. Fastly’s comment highlighted the difference between BGPsec and ASPA, which not all filers got right.

“However, Fastly wishes to clarify the relationship between BGPsec and other tools, and their relative readiness for widespread use. BGPsec prevents path spoofing, while ASPA can prevent route leaks. These are similar but not identical threats that are often conflated. ASPA and BGPsec should not be thought of as mutually exclusive or incompatible; both of these technologies will support routing security in the long term.”

Geoff Huston points out that BGPsec suffers from the first adopter’s problem. AS paths can’t be partly protected with BGPsec. Deploying more expensive hardware and implementing the operational procedures to manage BGPsec won’t result in improved security until there’s much wider adoption.

Verizon indicated it is using peer-locking, MD5, BCP38, and prefix filtering along with maximum prefix limits. Juniper discussed Generalized TTL Security Mechanism (GTSM) and TCP-AO, a more robust replacement for MD5. I recently published an article at RIPE Labs on a production TCP-AO deployment.

Two respondents had an interesting suggestion for the Commission: clarify that the term “BGP hijacking” specifically excludes maintenance or other planned re-routing of traffic. It surprised me that some operators considered normal operational changes “hijacking.” I think we’re seeing the industry becoming more careful with terminology to describe anomalous BGP activity, for example, see RFC 7908.

Despite all the positive statements about MANRS, I was particularly disappointed in two commenters’ views. An industry association noted some members were reluctant to join MANRS because participants and security actions were publicly available, implying that being listed as a MANRS participant might be a liability! Another respondent, representing a group of operators, stressed the cost and operational complexity of deploying the actions specified by MANRS. This is disappointing because the actions are a floor, a minimum, of what network operators should be doing. I understand networks vary greatly in size and complexity, and the operators have varying skill-sets, but all operators should meet the actions specified in MANRS at a minimum.

Christopher Yoo, law professor at the University of Pennsylvania, provides an extensive review of the legal challenges around the adoption of RPKI, updating and expanding previous work on the subject. This is a great resource for any organization, especially one holding “legacy” IP space, to understand the issues around the various ARIN agreements and how they compare to the rest of the world.

Overall, it was encouraging to see the FCC interested in such an important area of communications security and to read the comments from operators and industry experts. It will be interesting to see what the FCC does with this information.
