BGP Route Origin Authorization Regulation

October 31, 2024

Recent heightened scrutiny of government regulation surrounding BGP (Border Gateway Protocol) ROA (Route Origin Authorization) has emerged as a critical topic within the internet infrastructure community. As the fundamental routing protocol of the global internet, BGP is essential in ensuring that data reaches its intended destination with efficiency. To put it simply, BGP works like a postal service for the internet, ensuring that data packets are routed through the best possible paths to reach their intended recipients. However, its inherent vulnerabilities have introduced substantial risks, such as route hijacking and misconfigurations, prompting increased regulatory attention from governments worldwide.

A United States Federal Communications Commission (FCC) report¹ that was published in May of 2024, emphasizes the importance of strengthening the security of critical internet infrastructure by encouraging the adoption of secure routing technologies like RPKI (Resource Public Key Infrastructure), which plays a crucial role in supporting BGP ROA by providing the infrastructure for validating route origin authorizations. It underscored the need for coordinated efforts among private entities, standards bodies, and government authorities to mitigate vulnerabilities in BGP routing. The report also highlights the challenges faced by smaller ISPs in achieving compliance, advocating for balanced regulatory approaches that enhance security without imposing undue burdens. Additionally, it recognizes the need for improving resilience while maintaining the openness and flexibility of the internet.

The Internet Society and Cyber Global Alliance’s response² to the FCC report expressed significant concern over the direction of the proposed regulations, highlighting the risk of centralization and government overreach. John Morris and Ryan Polk argued that mandating compliance with BGP ROA and RPKI could compromise the fundamental openness of the internet, especially if regulatory bodies hold excessive control over routing infrastructure. Furthermore, the Internet Society emphasized that such mandates could disproportionately impact smaller ISPs, potentially stifling competition and innovation.³ They called for a more inclusive, community-driven approach to improving BGP security that respects the diverse needs of stakeholders and avoids introducing unnecessary points of control.

Later in June, the FCC sought comments on a proposal⁴ that would require nine major US internet service providers to draft BGP Routing Security Risk Management Plans, and confidentially report them to the federal agency. The FCC would want status updates on the specific efforts made to create and maintain ROAs for at least 90% of the routes under its control. Additionally, measures taken to which each carrier has implemented Route Origin Validation (ROV) filtering at its interconnection points.⁵

In addition to the FCC’s pushes, in September 2024, the White House Office of the National Cyber Director released a press statement⁶ calling for the adoption of BGP ROA as part of a broader roadmap to enhance internet routing security. The press release emphasized the urgency of securing critical internet infrastructure and highlighted the Biden-Harris Administration’s commitment to promoting best practices in routing security. I shared this with a few people and all were surprised such an esoteric networking concept had made it to a White House press release. Yet it does signal to the internet infrastructure community just how top of mind the subject is and how important the internet has become to our normal day to day life.

BGP was originally designed with an emphasis on openness and mutual trust, assuming that network operators would configure routes correctly without the need for stringent security mechanisms. This trust-first model, however, has often led to significant unintended or malicious disruptions of internet connectivity. Incidents of route hijacking and route leaks have precipitated widespread outages, unauthorized interception of network traffic, and even serious security breaches—resulting in substantial financial losses and undermining global connectivity.⁷ In response, numerous countries are advocating for stronger regulatory oversight, focusing on the implementation of technologies such as ROA to enhance BGP routing security.

ROA is a pivotal component within the RPKI framework. It permits network operators to authorize specific IP prefixes to be advertised by designated ASNs (Autonomous System Numbers), thereby providing a mechanism for validation that ensures only legitimate networks can announce routes. This validation mechanism has demonstrated its efficacy in mitigating certain classes of attacks and in reducing the likelihood of route leaks. However, as governments seek to mandate the adoption of ROA, critical questions arise regarding the appropriate methods for regulatory implementation and the potential for unintended negative consequences.

The increased scrutiny of BGP ROA represents a double-edged sword. On the one hand, governmental mandates for BGP ROA compliance could markedly enhance the security of the internet’s routing system by reducing its vulnerability to attacks. On the other hand, there are legitimate concerns about potential overreach, bureaucratic inefficiencies, and the resulting impact to internet service providers. Mandating the use of ROA and RPKI could impose additional compliance burdens on smaller ISPs, which may lack the financial and technical resources to adapt readily to these regulatory demands. Furthermore, the centralization of validation authorities under government-regulated bodies raises concerns about new points of failure and the potential for state-level censorship and control. For instance, China’s implementation of the Great Firewall leverages routing controls to restrict access to certain online content, illustrating how centralized control could be exploited for censorship.

The central challenge lies in achieving an equilibrium between security and the openness that has been fundamental to the internet’s design. While there is widespread consensus within the industry that enhancing BGP security is crucial for maintaining the internet’s reliability, the mechanisms for accomplishing this goal remain subject to ongoing debate. A collaborative approach involving private network operators, standards organizations, and governmental entities will be essential for formulating policies that bolster security without eroding the openness that underpins the internet’s utility and innovation. It is admirable that the FCC chose not to impose direct regulation, instead opting to ask carriers to report on the progress of BGP ROA adoption. This approach not only encourages accountability but also provides flexibility for carriers to adapt their practices while aligning with the overall goal of enhancing internet security.

Ultimately, the growing governmental scrutiny of BGP ROA regulation reflects a broader trend towards bolstering the resilience and security of critical internet infrastructure. This evolving conversation has far-reaching implications, affecting all stakeholders—from major service providers to individual end-users—as the repercussions of routing incidents can be felt universally. The aspiration is that through deliberate, collaborative regulation, the internet will continue to evolve in a manner that preserves both its security and its openness for all.