
Posted by janandonly 7 hours ago

Is BGP safe yet? (isbgpsafeyet.com)
208 points | 72 comments
surround 3 minutes ago|
The graphic that shows that a hijacker can route traffic to their malicious website is a little misleading. Since the SSL certificate would be invalid, browsers would block the connection and show a warning.

I guess the attack could still be used for denial of service.

maltalex 6 hours ago||
RPKI doesn't make BGP safe, it makes it safer. BGP hijacks can still happen.

RPKI only secures the ownership information of a given prefix, not the path to that prefix. Under RPKI, an attacker can still claim to be on the path to a victim AS, and get the victim's traffic sent to it.

The solution to this was supposed to be BGPSec, but it's widely seen as un-deployable.
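
The origin-versus-path distinction raised in the comment above can be made concrete with an added example (not part of the thread or of any commenter's post): a minimal route origin validation check in the style of RFC 6811. The ROA, prefixes, AS numbers and function names are constructed for illustration; only the last AS in the path is ever compared against the ROA.

```python
import ipaddress
from typing import NamedTuple, Sequence


class ROA(NamedTuple):
    prefix: str       # prefix the holder authorised
    max_length: int   # longest prefix length the origin may announce
    asn: int          # AS authorised to originate the prefix


def validate_origin(prefix: str, as_path: Sequence[int], roas: Sequence[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    Only as_path[-1] (the origin) is examined; every other hop is ignored,
    which is the gap discussed in the thread.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if roa.asn == origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed sample data: documentation prefixes and ASNs only.
ROAS = [ROA("192.0.2.0/24", 24, 64500)]

ANNOUNCEMENTS = {
    "legitimate":      ("192.0.2.0/24", [64501, 64500]),
    "wrong origin":    ("192.0.2.0/24", [64501, 64510]),
    "too specific":    ("192.0.2.0/25", [64501, 64500]),
    # AS64510 is not a real neighbour of AS64500, yet the origin matches.
    "unverified path": ("192.0.2.0/24", [64510, 64500]),
    "no covering ROA": ("198.51.100.0/24", [64501, 64502]),
}


def classify_all() -> dict:
    return {name: validate_origin(p, path, ROAS)
            for name, (p, path) in ANNOUNCEMENTS.items()}


if __name__ == "__main__":
    for name, state in classify_all().items():
        print(f"{name:16} {state}")
```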

rot256 5 hours ago||
I think the way to solve BGP's security problems might be to use a new cryptographic hammer, "Proof-Carrying Data", where messages come with cryptographic proofs that they were produced correctly. This allows you to basically just run BGP, but every AS proves that it ran it correctly. The proofs take constant time to verify, regardless of how large the network is, or how many hops the routing message has taken. Feasibility is helped by latency not being super critical in BGP and BGP being a pretty simple protocol; which makes computing these proofs plausible.

https://rot256.dev/post/bgp-pcd/

Proof-carrying data has come a long way in the last 10 years.

EDIT: you would still need RPKI, but not BGPSec

altairprime 1 hour ago|||
“Safe” the platonic ideal is an impossibility. Any cryptographic solution depends ultimately on handshake agreements between fallible human executives and/or fallible human registries, and there’s no known alternative to that today. Is RPKI “safe”, relative to not RPKI? Yes, obviously, it is. Is it reasonable to interpret “safe” as ‘no further improvement is required’? Never: this is the Internet; one could expect the domain to be repurposed to cover more than RPKI someday. Yes, short-sighted leaders may use “RPKI is safe” as justification to withhold investment forward past it; but that outcome is certain regardless of how they justify it.
heyethan 4 hours ago|||
RPKI makes prefix ownership verifiable, but the path is still largely trust-based.

It feels like we’ve secured the part that’s easiest to validate, not necessarily the part that matters most.

impl 5 hours ago|||
I believe the current attempt at mitigation for this is ASPA[0]. It still has a long way to go, but there are some big names behind it.

[0]: https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-asp...

greyface- 4 hours ago||
It has a long way to go, in the same sense that ROA had a long way to go when Cloudflare first launched this site in 2020. ASPA records are fully supported by both RIPE and ARIN these days.
Retr0id 5 hours ago|||
> and get the victim's traffic sent to it

This sounds "obviously bad" but the intricacies of routing aren't really my field, could you expand on why this is bad? (i.e. what specific bad things does it enable)

maltalex 5 hours ago||
Here are some examples:

The attacker can impersonate the victim, get a valid x509 certificate issued to it, and create a perfect replica of their website/api/whatever.

The attacker can perform a man-in-the-middle attack on the victim - record traffic, inject traffic, manipulate traffic, etc.

The attacker can just deny access to the victim - just drop packets meant for the victim.

hugo1789 2 hours ago|||
I think RPKI is good enough. As we have TLS on top it doesn't need to be perfect.
zymhan 4 minutes ago|||
Those two things address orthogonal issues
maltalex 1 hour ago||||
Only with certificate pinning or something similar. Otherwise, the attacker can get valid TLS certificates for any domain hosted on the hijacked IP addresses.
rot256 1 hour ago|||
For LetsEncrypt, routing is authentication: if packets routed to the IP in the A record end up at your place, you can get a cert for that domain.
Levitating 1 hour ago||
Does not take BGPSec[1] into account, just RPKI.

[1]: https://en.wikipedia.org/wiki/BGPsec

nemomarx 6 hours ago||
This actually shows pretty good coverage for this feature, it seems to me. The big American isps do it, the mobile ones do too...

How many major isps would we want to implement it to be "safe" and what would that look like? Is this a regional thing? They've only listed 4 unsafe ones on the site and that doesn't seem like a major issue, but maybe they're very large somewhere.

toast0 3 hours ago||
> How many major isps would we want to implement it to be "safe" and what would that look like?

It would be "enough" if all the major transit ISPs did it and it would be helpful if all the major residential ISPs did it. If non-RPKI routes can't propagate through transit ISPs, that makes it a much less useful thing to do.

KomoD 6 hours ago|||
We want more than just major isps.

They've listed way more than 4 (and those 4 are also massive), click "Show all".

There's 254 operators marked as unsafe.

chrismustcode 6 hours ago|||
I'm on sky in the UK which is marked as not safe due to no RPKI.

It's not on the list so imagine there is a fair few missing, would be neat to have a table you could filter by country, provider type (cloud/isp etc) based on real results from users.

edit: there's a show all button to expand the table

SCdF 6 hours ago|||
If you're interested, Community Fibre is a yes from this website
badgersnake 6 hours ago|||
I get the same result for A&A, but frankly I trust them more than some random site with (apparently) an axe to grind.
jsty 5 hours ago|||
https://www.aa.net.uk/etc/news/bgp-and-rpki/
OJFord 3 hours ago||
And here we are six years on... I have a lot of respect for A&A, but I do find it hard to sympathise with that page.
tialaramex 5 hours ago|||
My hope would be that A&A have a process manually whitelisting the route that made the test fail because in fact (as of course it would be) it's actually deliberately not signed but it is really their route.

But on some level that's like assuming the reason the guy with the handgun is on your plane is that he's a sky marshal and not that some idiot let a concealed handgun through security. I mean, sure, maybe, but, maybe not.

Without asking it's just a guess and I haven't asked. Maybe I should.

tialaramex 4 hours ago||
And now thanks to jsty's sibling comment I don't have to ask, thanks! It does seem like they've been more than "cautious" enough at this point and should just implement RPKI.
asveikau 5 hours ago|||
I got a fail on T-Mobile USA. It seems in the full list that T-Mobile is listed as both passing and failing.
RyJones 5 hours ago|||
T-Mobile consists of at least five distinct networks depending on when your carrier was purchased, last time I was talking with some of the network security guys in Factoria. It’s been four years - they may have converged some of them.
Melatonic 2 hours ago||
Also failing here in the Los Angeles area. Used to be on Sprint before the acquisition. Probably location dependent
ck2 5 hours ago|||
same

     T-Mobile USA, AS21928 does NOT implement BGP safely
philipwhiuk 6 hours ago||
Click show all.

Major ISPs like British Telecom (core UK telephony), NTT Docomo (Japan), Vodafone Espana (showing that Vodafone isn't doing it globally), Starlink (showing it's not an old tech problem), Rogers (US ISP) are listed unsafe.

I think the 31 is a misleadingly positive picture.

asveikau 5 hours ago|||
I thought Rogers was Canadian.
hrmtst93837 4 hours ago|||
Counting networks passes for journalism, and 31 is noise unless you weight each entry by size and traffic split. A pile of single-homed stubs matters far less than one big transit network, because outages and hijacks bite where traffic concentrates, and that makes the headline number feel broken rather than reassuring.
dorianmariecom 4 hours ago||
i'm getting:

  Free SAS ISP signed unsafe
but when testing i'm getting a success

Your ISP (Free SAS, AS12322) implements BGP safely. It correctly drops invalid prefixes. Tweet this →

Details

fetch https://valid.rpki.isbgpsafeyet.com correctly accepted valid prefixes

fetch https://invalid.rpki.isbgpsafeyet.com correctly rejected invalid prefixes

greyface- 5 hours ago||
RPKI isn't just ROAs anymore, and BGP hijacks can happen at other places than just the first/last hop. Why hasn't this site been updated to test ASPA-invalid prefixes in addition to ROA-invalid ones?
commandersaki 6 hours ago||
I think the test for BGP is Safe is when we stop using it and instead use SCION: https://en.wikipedia.org/wiki/SCION_(Internet_architecture).
pigggg 6 hours ago||
SCION is generally considered snake oil within the network operator community. Its weird single vendor for profit company that ships its software, the fact that no router hw asic fwding supports what they want to do and then the general scummy inclusion of block chain / crypto as well as some "green washing" for PR hype.

Sure the swiss have their toy but no one is taking it seriously.

xyquadrat 5 hours ago||
Hmm, I'd disagree. The fact that Anapaya Systems (the for profit company mentioned) has the only commercial implementation/adjacent software is a problem, yes. But "snake oil" doesn't quite match up with the fact that SCION right now provides the backbone for the Swiss financial network moving 200 billion CHF each day [1], so at least some level of workable technology has to be there. And for no one to be taking it seriously, there's a decently long list of multinational ISPs at the very least taking steps towards offering SCION to customers [2] (e.g. British Telecom has expressed enough interest that they have various recent marketing videos on Anapaya's YouTube channel). Finally, I'm not sure what you mean regarding the "scummy inclusion of block chain / crypto" - as someone who has worked on SCION-based projects I never heard anything about this. Apparently a blockchain company invested in Anapaya, but that doesn't really change anything about the protocol itself, does it?

[1] https://www.scion.org/ssfn-scion/

[2] https://www.scion.org/isps/

pigggg 4 hours ago|||
I don't think the swiss banking network is really the right thing to point to. Folks measure networks in bps/pps, not financial transactions - never mind the actual control plane bits (num of prefixes, as paths, etc.). Plus it's all within one country where you have the luxury of being able to directly influence and steer those companies into adopting this.

As for BT - they're just one broadband ISP operating primarily in a single country. I don't see that moving the needle - you're missing CDNs, traditional large scale "tier 1s" and cloud or large hosting networks.

RPKI got to where it is today through community engagement by folks like Job S. and others - hitting the conferences, direct engagement with operators and raising the bar from a software quality and standards perspective - which still continues today. That's how you get the internet to adopt something that is considered the new normal.

As for your ISP list - I know there are networks listed there that aren't running scion in a production capacity (perhaps you can run scion in a virtualized environment on top of them which is different than those companies running it on their production network).

As for the block chain - it was all the Sui stuff.

tonetegeatinst 4 hours ago||||
200 billion CHF... how big is that in bandwidth?
bo0tzz 4 hours ago||
2.6 million transactions per day [0], which in ISO 20022 XML format messages works out to (rough guess) 20GB per day for an average of 1.8Mbps...

[0]: https://www.scion.org/ssfn-scion/

BadBadJellyBean 2 hours ago||
So ... nothing. At least in comparison.
tptacek 2 hours ago||||
IIRC, UBS used to use IRC (yes, that IRC) as a messaging "backbone", so I'm not sure this really counts as a POC.
q3k 3 hours ago|||
> SCION right now provides the backbone for the Swiss financial network moving 200 billion CHF each day

This is a meaningless benchmark - for a small group of trusted big enterprises with insurance policies and mutually signed contracts you could've just as well used OSPF with zero filters.

The benchmark would be adoption by an actual large number of parties that don't/can't talk to each other spread across the world. With a large chunk of them being malicious or incompetent to the point of being effectively malicious.

xyquadrat 1 hour ago||
I'm not claiming that this shows SCION can replace the respective parts of the network stack right now, and you're right that at a global scale this is still an unproven technology. But I would argue that a technology needs a certain level of matureness / is not "snake oil" if it is deployed in a heavily regulated and comparatively conservative sector such as banking.
wussboy 6 hours ago||
Why hasn't this happened?
benjojo12 6 hours ago|||
Because SCION is mostly said as a joke in the more serious carrier world.

SCION is practically speaking proprietary, and has 1 and maybe a half implementations. I have a laundry list of real problems with SCION but SCION feels like one of those entities that would get quite legal-ey if discussed publicly.

dsr_ 6 hours ago|||
Because BGP works, is understood, and has been debugged by thousands of people and billions of sessions between dozens or hundreds of implementations.

So the benefit of changing out all that infrastructure needs to be much higher than the cost.

olivier5199 6 hours ago||
An ISP is marked as unsafe in the table, yet running the test says it is. (same ASN)
john_strinlai 6 hours ago|
the last update on the table was feb 3. presumably rpki was implemented between then and now
arnorhs 5 hours ago||
ISPs often have different infrastructure for different sets of customers (regional, mobile/landline differences etc) - often due to legacy M&As etc.
collabs 6 hours ago||
Looks like Verizon does it correctly.

> Your ISP (Verizon, AS701) implements BGP safely. It correctly drops invalid prefixes.

lucasay 5 hours ago|
RPKI makes BGP safer, not safe. It helps prevent some hijacks, but attackers can still mess with routing paths. Feels like we’re patching a trust-based system rather than fixing it.