On Monday, February 28, 2022, the Federal Communications (FCC) released a Notice of Inquiry (NOI) asking for comments from the public regarding the sufficiency of the Border Gateway Protocol (BGP) and the steps, if any, the FCC should take to protect and strengthen the nation’s independently managed networks from hijackers. Changes in this area could potentially impose huge burdens on providers — financial and otherwise. Therefore, providers should seriously consider submitting comments or at least monitoring this matter in case increased obligations are imposed.
BGP is the routing protocol for exchanging reachability information among independently managed networks online. As a general matter, BGP does not include security features to certify the information being exchanged. According to the FCC, this allows hijackers to deliberately falsify BGP information in order intercept or otherwise redirect traffic from its intended recipient — exposing U.S. citizens’ personally identifiable information (PII), enabling theft, extortion, and espionage in the process.
To protect U.S. citizens and commerce, the FCC is exploring ways to mitigate the vulnerabilities of BGP. The NOI mentions the possibility of promulgating regulations that may apply to wireline and wireless Internet Service Providers (ISPs), Internet Exchange Providers (IEPs), and interconnected VoIP (I-VoIP) providers, operators of content delivery networks, cloud service providers, and more.
The NOI discusses many possible solutions that, for various reasons, have not yet become widespread. For example, the Commission mentions BGPsec, an extension to BGP that provides a secure path through which reachability information passes. Widespread implementation of BGPsec-compliant routers could cause compatibility issues with existing networks. Additionally, the NOI discusses Resource Public Key Infrastructure (RPKI), a system for providing cryptographically secure registries of Internet resources and routing authorizations. This solution would involve implementation costs as well and could interfere with ISP’s service level agreements. Another potential solution is the widespread implementation of Mutually Agreed Norms for Routing Security (MANRS), an organizational initiative over 700 members strong that aims to reduce hijacking by requiring its members to implement certain tools and best practices stipulated by the Internet Engineering Task Force. The FCC anticipates that compliance with MANRS may involve just an update of policies and practices but may also require equipment replacement and software updates.
The FCC seeks comments in relation to the costs and burdens of improving security. Specifically, the FCC contemplates equipment and software upgrades as well as burdens to the consumer like service cost increases or speed reductions. Many types of providers could be affected by these proposals. Therefore, they are encouraged to weigh in, or at least monitor this development as the FCC develops its record in contemplation of further regulation. Now is the time to raise issues about how these security measures could affect your business. Please contact Linda McReynolds at email@example.com or (703) 714-1318 if you would like to participate in this matter. Comments are due on March 30, 2022.