Secure internet routing - Is BGP safe yet?
Have you ever wondered how your computer, or any IP-enabled device, knows the directions to any given destination?
This fundamental part of the internet is down to a protocol called BGP, and it works just like a SATNAV.
BGP (Border Gateway Protocol) is a routing protocol, and it is how internet traffic navigates the web to its destinations. Routes are advertised to your SATNAV by your ISP, who in turn gets their routes from the networks they are connected to, and so on.
The inherent problem with BGP is that it has no trust built in. When you request a service, or simply a website, you are relying on everyone advertising the route to your requested destination to tell you the truth about where to go!
The truth can easily be distorted, either by error, when someone makes an honest mistake, or with sinister intentions. Either way you will arrive somewhere, and the SATNAV does not check to say, “you have safely reached your destination”.
The internet has been working on trust solutions and the answer is RPKI. The IETF (Internet Engineering Task Force) created RFC 6480: https://tools.ietf.org/html/rfc6480
Essentially it requires checking a route for authenticity through digital signing; think of SSL certificates on a website. To realise its potential, RPKI needs to be implemented by the internet as a whole, or rather by the networks (Autonomous Systems) that make up the internet and the transit providers that carry the traffic.
So, the question is, “Why wouldn’t you implement this even in a partially safe flavor?” You could prefer trusted routes over invalid ones, and with RIPE and Cloudflare offering tools to implement checking, the arguments against weaken.
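The route check described above can be sketched as follows. This is an added example, not VoiceHost's router configuration: it applies the origin validation rules of RFC 6811 to constructed sample data, and the names VRP, validate and choose are hypothetical. It assumes the ROA signatures have already been verified by an RPKI validator, leaving only the comparison of an announcement against the authorised prefix, maximum length and origin AS.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: what a verified ROA authorises."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample data: documentation prefixes and ASNs, not real ROAs.
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64497),
]

def validate(prefix, origin_asn, vrps=VRPS):
    """Classify an announcement as valid / invalid / not-found (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        net = ipaddress.ip_network(vrp.prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue  # this VRP says nothing about the announced prefix
        covered = True
        # AS 0 authorises no origin at all, so it can never match.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by a VRP but never matched: wrong origin or too specific.
    return "invalid" if covered else "not-found"

RANK = {"valid": 2, "not-found": 1, "invalid": 0}

def choose(routes, drop_invalid=True):
    """Pick one of several (prefix, origin_asn) routes for the same prefix.

    drop_invalid=True rejects invalid routes outright; False is the
    "partially safe" policy that only ranks them below everything else.
    """
    scored = [(RANK[validate(p, asn)], (p, asn)) for p, asn in routes]
    if drop_invalid:
        scored = [s for s in scored if s[0] > 0]
    return max(scored, key=lambda s: s[0])[1] if scored else None

if __name__ == "__main__":
    for p, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                   ("2001:db8:1:1::/64", 64497), ("203.0.113.0/24", 64496)]:
        print(p, asn, validate(p, asn))
```

Ranking only decides between routes for the same prefix; a more specific invalid route still wins longest-prefix match in the forwarding table unless it is dropped.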
Whilst we do not want to break our customers' experience, we want to offer the ability to leverage beneficial technologies like IPv6 and RPKI routing. We use the biggest networks in the world to provide internet transit (Telia, GTT and Level3/CenturyLink); some have already done their part, as have we now.
You can test VoiceHost, or peruse the list maintained by Cloudflare at your leisure: https://isbgpsafeyet.com/
Another RPKI testing tool can also be found on the RIPE Labs site: https://www.ripe.net/s/rpki-test
VoiceHost is also a member of MANRS (Mutually Agreed Norms for Routing Security). This means we take routing seriously and adhere to the guidance created by MANRS. https://www.manrs.org/isps/participants/entry/1165/