FCC seeks comments on internet traffic routing risks
The Border Gateway Protocol traffic routing system dates back to an era of high trust between networks on the internet but now poses risks.
The Federal Communications Commission is seeking comment on vulnerabilities in the border gateway protocol (BGP) used to route internet traffic between networks.
The notice, published on March 11 in the Federal Register, makes note of Russia's invasion of Ukraine and describes the risk to global communications potentially posed by the use of BGP.
"BGP's initial design, which remains widely deployed today, does not include security features to ensure trust in the information that it is used to exchange," the FCC states. "BGP was designed at a time when the number of independently managed networks on the internet was low and the trust among them was high."
BGP vulnerabilities have been exploited before, including a 2017 incident in which internet traffic in and out of Google, Microsoft, Apple and Facebook was routed through a Russian internet service provider. Such "BGP hijacking" can lead to traffic failures and enable surveillance if data is not encrypted.
The FCC notice says that risks posed by BGP vulnerabilities include issues with VoIP call completion in addition to degrading email and web traffic. GBP hijacking could end up disrupting emergency 911 services and other public safety operations.
The FCC's Communications Security, Reliability, and Interoperability Council has previously issued recommendations on BGP security, including the use of a specialized public key infrastructure to whitelist ISPs as secure, much the same way site certificates identify websites as safe to web browsers. These recommendations have not been adopted by major, independently managed networks, according to the FCC notice.
"Voluntary adoption and deployment of such measures has been such that many of the independently managed networks that comprise the internet remain vulnerable because they have not taken advantage of these measures," the notice states.
The agency is seeking comment on existing BGP security measures, their efficacy, the extent of their use and obstacles preventing network operators from implementing mitigations.The FCC is also seeking comment on whether additional BGP security implementations would take a toll on internet speeds or raise service costs. The first round of comments closes on April 11. A round of reply comments will close on May 10.