The Internet Governance Project (IGP) has submitted comments in response to the Federal Communications Commission (FCC) Notice of Proposed Rulemaking (NPRM) in the Matter of Reporting on Border Gateway Protocol Risk Mitigation Progress, FCC 24-146 and Secure Internet Routing, FCC-24-62. Internet routing was for many years left network operators to work out among themselves. Though there were well-known flaws in BGP that allowed routes to be diverted or hijacked, a variety of methods and technologies evolved to authenticate route announcements and to monitor route hijacks.
The NPRM wants to enhance the security and integrity of Internet routing, which it correctly recognizes as a critical part of global digital communications. The main emphasis of the FCC’s proposed rulemaking is to require ISPs to “prepare and maintain BGP Routing Security Risk Management Plans (BGP Plans).” These plans are supposed to “describ[e] and attest to the specific efforts they have made, and further plan to undertake, to create and maintain Route Origin Authorizations in the RPKI.” (para 37) In other words, the FCC’s response to the BGP security problems it characterizes as dire and even a national security threat is to impose additional reporting requirements on ISPs in US jurisdiction. The FCC apparently believes that reporting requirements (BGP plans) will nudge ISPs into creating and properly maintaining ROAs.
We believe that the FCC proceeding needs a much better analysis of the incentive structure of network operators regarding routing security. The proceeding is not based on a clear analysis of what practices and incentives prevent some network operators from fully implementing valid ROAs, and what makes other network operators fully implement ROAs. We do not see much engagement in the NPRM with the question of how these bureaucratic reporting requirements would incentivize better adoption and substantially improve upon existing monitoring efforts such as NIST’s RPKI monitor, MANRS, or other commercial services used to detect unauthorized use of resources. As noted in Kuerbis and Mueller (2017), the fact that the network operator is paying for the monitoring service strengthens its incentive to provide accurate, complete, and up-to-date information about its resource use to the monitors. We see no analysis of what is driving the growing use of RPKI-ROAs evident in the NIST data and how reporting requirements would accelerate it.
We also find it troubling that after receiving evidence in the proceeding that “36% of traffic originating from non-U.S. Federal Government networks was covered by a valid ROA, but less than 1% of traffic originating from U.S. Federal Government networks was covered by a valid ROA,” (para 35) the proceeding does not put more emphasis on getting the federal government’s own house in order. What is the plan for government agencies to implement RPKI in their own networks?
Furthermore, the FCC’s policy response may be focused on the wrong target. As several experts have pointed out, the specific configuration of RoAs can make or break the protection afforded by RPKI; BGP security is also fostered by constant DNS and BGP monitoring. Are there more direct ways of incentivizing network operators to perform effective BGP monitoring and risk reduction, e.g. by holding them liable for damages caused to third parties by avoidable BGP hijacks? Why is reporting considered the solution?
We think what the FCC frames as a BGP insecurity problem is also an inaccurate and outdated registry records problem. There is a need to improve the authentication of critical Internet resource holders (ASNs, IP address blocks). Many ASNs were issued 30 or more years ago and have changed hands many times due to corporate acquisitions, mergers, and failures. The official RIR Whois records often do not reflect the organizational name of the actual owner. Thousands of the ISPs’ records of IPv4 allocations point to customers who are no longer active. Many organizations do not even know that they formally hold address blocks. Some of these phantom IPv4 number blocks are as large as /16s.
This inaccuracy of the registry data, first at the ISP level and also at the RIR level, makes it possible for bad actors on the internet to utilize address space for malign purposes for an hour or two. If properly implemented and monitored, RPKI implementation could help this, but RPKI cannot be implemented unless the ISPs know what address blocks they hold and can authenticate which customers are using them.
ISPs should be required to authenticate their critical identifier holdings with the RIR. ARIN should be encouraged to pass a policy similar to the one passed by APNIC a year ago, known as Prop 147, which required historical IPv4 resources to be justified and claimed, otherwise, they would be made available to other organizations. To further encourage better registration data, ARIN should also be encouraged to allow registration of legacy critical Internet resources without the holder having to enter into a formal agreement with ARIN, similar to the RPKI arrangement provided by RIPE.
Focusing the FCC’s proposed rulemaking on narrowly defined, fixable problems of critical Internet resource record keeping and the registration process(es) of ISPs and the RIRs, instead of general reporting requirements concerning RPKI implementation would provide tangible, achievable improvements to the Internet’s security.
I think there is a typo in the sentence “We see no analysis of what is driving the growing use of RPKI-ROVs evident in the NIST data and how reporting requirements would accelerate it.” I think you meant RPKI-ROAs not ROV. Or if you really mean ROV, be aware that the NIST RPKI Monitor does not measure the level of deployment of ROV filtering. It only measures the ROA coverage of announced routes.
You’re correct! Fixed. Thanks for the heads up!