Cloudflare Ignite Consumer ISP Confusion with BGP Safety Test

Monday, April 20th, 2020 (11:14 am)

Over the past few days we’ve had a small but growing stream of Tweets and Emails from people who have run Cloudflare’s new ‘Is BGP Safe Yet’ tool and are worried that their UK broadband ISP is “unsafe” because it uses the Border Gateway Protocol (BGP) and not RPKI. Aside from poor timing with COVID-19, the result can be misleading.

The Border Gateway Protocol (BGP) system is a protocol that helps to link the internet together by exchanging routing information with Autonomous Systems (AS), such as those run by your ISP (each provider will have many peers and routes to send data). Networks around the world need to talk to each other in order to do peering and determine which routes are the best ones for them to send their data, which is what BGP facilitates.

BGP is normally one of those things that works seamlessly in the background and there are a lot of very technical aspects to it, which is just one of many reasons why launching an oversimplified checking tool – seemingly aimed at ordinary non-tech savvy consumers – could be counter-productive. Likewise doing this during a global pandemic, when network operators have much bigger problems to focus on, doesn’t seem terribly helpful.

The risk is that some people may assume that what the website is telling them is the only truth and become concerned for their online security (a fact borne out by the messages we’ve received). Indeed at present most ISPs will probably return results like the ones below from UK providers, which Cloudflare then asks you to spread via social media as part of their marketing campaign.

FAILURE

Your ISP (Sky Broadband, AS5607) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

FAILURE

Your ISP (THREE UK, AS206067, AS206067) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

FAILURE

Your ISP (Virgin Media Business, AS5089) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

Sadly it is indeed true to say that BGP does have its problems, not least because it relies upon a degree of trust between networks. Sometimes network operators can make mistakes (e.g. human error), which may result in them announcing incorrect routes and that can send a lot of traffic off in the wrong direction, causing all sorts of problems. Similarly other networks may abuse this trust to hijack traffic for malicious purposes.

Over the years various changes and attempts have been made in order to tackle such challenges. One of the most recent is Resource Public Key Infrastructure (RPKI), which as Cloudflare says is a “security framework method that associates a route with an autonomous system. It uses cryptography in order to validate the information before being passed onto the routers.”

Louis Poinsignon, Cloudflare, said:

“BGP leaks and hijacks have been accepted as an unavoidable part of the Internet for far too long. We relied on protection at the upper layers like TLS and DNSSEC to ensure an untampered delivery of packets, but a hijacked route often results in an unreachable IP address. Which results in an Internet outage.

The Internet is too vital to allow this known problem to continue any longer. It’s time networks prevented leaks and hijacks from having any impact. It’s time to make BGP safe. No more excuses.

Border Gateway Protocol (BGP), a protocol to exchange routes has existed and evolved since the 1980s. Over the years it has had security features. The most notable security addition is Resource Public Key Infrastructure (RPKI), a security framework for routing. It has been the subject of a few blog posts following our deployment in mid-2018.

Today, the industry considers RPKI mature enough for widespread use, with a sufficient ecosystem of software and tools, including tools we’ve written and open sourced. We have fully deployed Origin Validation on all our BGP sessions with our peers and signed our prefixes.

However, the Internet can only be safe if the major network operators deploy RPKI. Those networks have the ability to spread a leak or hijack far and wide and it’s vital that they take a part in stamping out the scourge of BGP problems whether inadvertent or deliberate.”

The intention of Cloudflare’s tool, which is to make BGP more secure by encouraging adoption of RPKI, is a noble one but it does seem to be causing some unnecessary panic. Firstly, just to clear up one confusion that has surfaced as a result of this tool, RPKI is a complement to BGP and NOT a replacement (RPKI is effectively a cryptographic wrapper for BGP). BGPv4 remains the primary routing protocol, which even Cloudflare uses.

NOTE: The tool itself doesn’t actually check for RPKI directly, instead it broadcasts an invalid route and tests to see if the ISP blocks it. Obviously an ISP could still correctly block an invalid route manually (as you’d expect them to do), which would give a “safe” result (i.e. the tool needs work).
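As an added illustration (not code from Cloudflare, AAISP or this article), the following Python models the RPKI Route Origin Validation that the quoted description refers to and the reachability test the note above describes, including the case where a route is dropped by a manual filter rather than by RPKI. The ROAs, prefixes and AS numbers are constructed documentation-range values, not real routing data:

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorisation: prefix, longest permitted length, authorised origin AS."""
    prefix: str
    max_length: int
    origin_as: int


def validate_origin(announced_prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found' (RFC 6811 origin validation)."""
    ann = ipaddress.ip_network(announced_prefix, strict=False)
    # A ROA covers the announcement when the announced prefix lies inside the ROA prefix.
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix, strict=False).version == ann.version
                and ann.subnet_of(ipaddress.ip_network(r.prefix, strict=False))]
    if not covering:
        return "not-found"          # no ROA says anything about this address space
    for r in covering:
        # Valid only if some covering ROA names this origin AS and permits this prefix length.
        if r.origin_as == origin_as and ann.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin AS or a too-specific prefix


def router_accepts(announced_prefix: str, origin_as: int, roas: Iterable[ROA],
                   drop_invalid: bool = True, manual_blocklist: Sequence[str] = ()) -> bool:
    """Model the tool's reachability test: does this router keep the announcement in its table?"""
    if announced_prefix in manual_blocklist:
        return False                # a hand-written filter drops the route without any RPKI
    state = validate_origin(announced_prefix, origin_as, roas)
    return not (drop_invalid and state == "invalid")


# Constructed sample data using documentation ranges (RFC 5737 prefixes, RFC 5398 ASNs).
SAMPLE_ROAS = [ROA("192.0.2.0/24", 24, 64496)]

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64497), ("198.51.100.0/24", 64496)]:
        print(prefix, "AS" + str(asn), validate_origin(prefix, asn, SAMPLE_ROAS))
    # A router that does not drop invalids still installs the bogus route.
    print("accepted without ROV:", router_accepts("192.0.2.0/24", 64497, SAMPLE_ROAS, drop_invalid=False))
    print("accepted with ROV:", router_accepts("192.0.2.0/24", 64497, SAMPLE_ROAS))
```

The "not-found" outcome is why an unsigned prefix is neither protected nor blocked: a router doing origin validation only drops routes that a ROA actively contradicts.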

The next issue is that implementing RPKI is a very complicated task and not the sort of thing a network operator would take on during the COVID-19 pandemic, when the risk of mistakes causing wider problems is one best avoided. A risk assessment and a lot of planning would be needed first because if you haven’t got all your ducks in a row (including peers downstream from you) then blackholing internet traffic becomes a real possibility.

In the meantime it’s probably the wrong time to loudly proclaim that most ISPs are “not secure” simply because they haven’t adopted RPKI yet. Good networks will already filter BGP announcements to ensure that the information they share is correct, although sadly some parts of the world and networks don’t do this, hence how hijacks can become a problem (these are usually rectified quite quickly).

Nevertheless for the most part BGP does its job and major problems are uncommon, if not as rare as we’d all like. As things stand the list of providers who do not yet fully implement RPKI, as shown on Cloudflare’s site, is still far larger than the list of those who do. Major players like Google, Zayo, Level3 (CenturyLink), Vodafone and Comcast have yet to do so.

Otherwise, please don’t panic if your ISP, like most providers, doesn’t yet support RPKI. We suspect that they’ll almost all get around to adopting it eventually but changing such core pieces of a network can take time and a huge amount of care. Right now, when it comes to internet security, the vanilla malware stuff like viruses, phishing, DNS hijacks and SPAM are still a much bigger threat to individual internet users.

The MD of UK ISP Andrews and Arnold (AAISP), Adrian Kennard, has a good blog up on all this (here). “If the major transit providers start filtering routes checking RPKI then that alone will solve the problem of rogue routes – but if they all filter what they receive anyway from customers, that would avoid the issue without RPKI,” said Adrian.

UPDATE 22nd April 2020

We note that Hyperoptic is one of several UK ISPs to have issued brief statements on this after receiving some of the same messages of concern from customers, usually following use of the tool.

HO’s Statement

“We would like to thank everyone for bringing this website to our attention. We understand your concern, but firstly, let us reassure you it is safe to use our network.

Your online security is of the utmost importance to us and we employ industry best practices to ensure BGP security is enforced.

BGP hijacking is a relatively rare security risk which has recently been publicised by companies selling solutions for it, in order to promote their own technologies (in this case RPKI).

RPKI has, as far as we know, not yet been implemented by any ISP in the UK, and by only a handful of ISPs globally. It is currently only supported by a couple of hardware vendors for network routers, and not by the majority.

In line with other ISPs, we are closely following industry developments to ensure BGP security in the future, and we will continue to use best practices.

So please rest assured that you can continue to use your Hyperoptic service as normal.”

21 Responses
  1. Buggerlugz

    Your ISP (Hutchison 3G UK, AS60339) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

    If a hijacked route often results in an unreachable IP address, could this be the reason Three’s customers are complaining in the forums about the high number of webpages not loading??

  2. Jack

    Here’s BT’s BGP Result

    Your ISP (BTnet (BT’s UK IP Network – AS2856), AS2856) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

    • Occasionally Factual

      Plusnet:

      Your ISP (Plusnet plc, AS6871) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks

  3. jack

    As expected A&A pass:

    Your ISP (Andrews & Arnold Ltd, AS20712) implements BGP safely. It correctly drops invalid prefixes.

    • Pip

      A&A pass because: “In the mean time, having been made aware of an invalid route deliberately announced by Cloudflare, we have blocked that route manually.”
      The other ISPs should do the same.

    • Matthew Skipsey

      Yeah, AAISP have hacked the Cloudflare test by manually dropping the invalid prefix Cloudflare announce on their routers.
      AAISP’s MD has stated on Twitter that they are looking to develop in RPKI in their core routers, but as yet, they don’t support this.

      It’s all an interesting debate!
      However, until such time that the entire world – both ISPs on one side, and the content providers on the other – all support RPKI and set ROAs/route objects in a RIR, then there will still be glaring gaps in RPKI being effective at stopping prefix hijacking (and until the next weakness is found)!

  4. Ferrocene Cloud

    As the article points out, any ISP worth their salt filters routes by verifying it against public records that prove ownership or the right to announce and manage the prefixes in question.

    Customers tend to get a bit annoyed when they wonder why we won’t accept their prefixes but other providers will. At least until they have it pointed out that it’s for everyone’s protection.

    Now if every ISP was competent enough to stop route hijacking it would be much less of a problem to begin with.

    • CarlT

      Indeed. Yes, there are tier 1 transit providers that advertise basically the entire Internet, however as long as they are doing their job and properly filtering the prefixes coming from their customers all is well.

      Random Russian ASN has no business advertising a /24 from Google’s ASN. If Google’s ASN doesn’t feature in the path it shouldn’t be there.

      RPKI removes the need to trust that peers higher up the chain than yourselves are doing their job, too.

      Seems a while ago that people used to love when someone at a public peering exchange messed up their advertisements and advertised a supernet or even a default route. It used to be considered free transit!

    • Ferrocene Cloud

      Don’t forget ISPs that don’t properly limit the number of prefixes either, so that if someone else does something stupid upstream and accidentally leaks a bunch of routes then that will be caught.

  5. boggits

    The problem with RPKI is that it’s got a few issues (especially in certain parts of the world), here’s some explanation from an African operator

    https://www.linkedin.com/pulse/rpki-things-being-considered-andrew-alston/

    • CarlT

      I am not entirely clear why Cloudflare are going out of their way to annoy so many.

      Naming, shaming and providing people who haven’t a clue what they are reading an automated way to harass their ISPs isn’t great.

      ISPs have enough to do with capacity upgrades and ensuring stability right now. The engineering and, indeed, onsite resources to carry out such a program aren’t really there right now.

  6. Bjorns

    Don’t blame covid for everything. How long ago was BGP RPKI introduced, 2012 or so? At least 10 incidents of BGP hijacking have happened since. However complicated something is, not implementing security improvements is unacceptable. The June 2019 incident for example is very disturbing to me.

  7. Phil

    Interesting: Virgin Media home is OK but Virgin Media Business is not:

    Your ISP (Virgin Media, AS5089) implements BGP safely. It correctly drops invalid prefixes.

  8. bongobongo

    virgin media will get to it at the same time as IPv6.
    nextyeardecade

  9. gerarda

    Is this the same Cloudflare that when I had a flaky FTTC could not distinguish between errors caused by packet loss and unsafe connections?
