FCC Pressures ISPs to Fix Internet Routing Security Flaws

Fake images | Yuichiro Chino

The Federal Communications Commission wants to verify that Internet service providers are hardening their networks against attacks that exploit Border Gateway Protocol (BGP) vulnerabilities.

The FCC today unanimously approved a Notice of Proposed Rulemaking that would require ISPs to prepare confidential “detailed” reports.[ing] their progress and plans to implement BGP security measures that utilize Resource Public Key Infrastructure (RPKI), a critical component of BGP security.”

“Today we began crafting rules to help make our Internet routing more secure,” said FCC Chairwoman Jessica Rosenworcel. “We propose that all broadband Internet access service providers prepare and update confidential BGP security risk management plans. These plans would describe and attest to their efforts to follow existing best practices regarding origin authorizations and route origin validation using the resource public key. Additionally, we propose quarterly reporting for larger providers to ensure we are making progress in addressing this known vulnerability.”

The FCC said the initial design of BGP that remains widely deployed today “does not include intrinsic security features to ensure trust in the information underlying the exchange of traffic between independently managed networks on the Internet.” Hackers can “deliberately falsify BGP accessibility information to redirect traffic” in BGP hijacks that “can expose Americans’ personal information; enable state-level theft, extortion, and espionage; and disrupt services on which the public or critical infrastructure sectors depend,” the report says. the FCC said.

In a 2022 incident, hackers used BGP hijacking to take control of more than 250 IP addresses used by Amazon for its cloud service. Hackers reportedly stole $235,000 in cryptocurrency.

A draft proposal released ahead of today’s meeting explains that “RPKI helps build trust in reachability information by enabling cryptographically verifiable associations between specific IP address blocks, or autonomous systems numbers (ASNs), and the holders.” ‘ of those Internet numerical resources.”

Stricter rules for larger ISPs

The FCC will take public comments on its proposed rulemaking for 45 days after it is published in the Federal Register, and could finalize the regulations in the coming months. Under the proposal, ISPs must “prepare and update confidential BGP security risk management plans at least annually,” the FCC said.

The nine largest broadband providers would also be required to “submit their BGP plans confidentially to the Commission, as well as submit publicly available quarterly data that would allow the Commission to measure progress in implementing RPKI-based security measures and evaluate the reasonableness of BGP’s plans,” the FCC said. Quarterly reports would include data on ROA. [Route Origin Authorization] registrations.

The draft said the stricter reporting requirements would apply to AT&T, Altice, Charter, Comcast, Cox, Lumen (also known as CenturyLink), T-Mobile, TDS (including its US Cellular subsidiary) and Verizon. “These major providers are likely to originate routes covering a large proportion of the IP address space in the United States and will play critical roles in ensuring effective ROV deployment. [Route Origin Validation] leaked,” the draft proposal said.

Large providers would be allowed to stop submitting annual plans once they “certify that they maintain ROAs that cover at least 90 percent of routes originated for IP address prefixes under their control.” Smaller ISPs may be asked to submit their plans on a case-by-case basis. “Smaller broadband providers would not be required to file their plans with the Commission, but rather make them available to the Commission upon request,” the FCC said.

Cable lobbying group NCTA-The Internet & Television Association argued that “prescriptive rules are not needed in this area” but said it supports the FCC’s “proposal to eliminate an ISP’s annual RPKI reporting requirement once credit that it covers 90 percent of your originating Internet traffic. routes with EER.” The NCTA urged the FCC to also eliminate the quarterly data submission requirement for ISPs that reached the 90 percent mark.

Leave a Comment