BGP and Resource Public Key Infrastructure (RPKI)

The routing infrastructure that routes a client request to the nearest DNS server is typically the Border Gateway Protocol (BGP) routing protocol. BGP is the protocol that is used to exchange routing information between different Internet Service Providers (ISPs) and networks. It is a dynamic and scalable protocol that can adapt to changes in the network topology, link cost, and congestion levels.

The BGP routing table is used by a router to determine the best path for forwarding the packet based on several factors, such as network topology, link cost, and congestion levels. The routing table is continuously updated based on changes in the network conditions, which ensures that the client request is directed to the nearest and most responsive DNS server.

BGP is vulnerable to several types of attacks, including the advertisement of incorrect or malicious routes by a malicious actor. This type of attack is known as a BGP hijack, and it can result in traffic being redirected to an unintended destination or being dropped altogether. A list of BGP hijack attacks – here.

There are several mechanisms that can help prevent or mitigate BGP hijacks and other types of BGP attacks:

  1. Route origin validation (ROV): ROV is a technique that allows routers to verify the authenticity of a BGP route advertisement by checking the Autonomous System (AS) number of the originator against a trusted database. If the AS number matches the expected value, the route is considered valid; otherwise, it is rejected.
  2. Resource Public Key Infrastructure (RPKI): RPKI is a system that uses digital certificates to authenticate the ownership and authorization of IP address blocks and AS numbers. Routers can use RPKI to verify the authenticity of BGP route advertisements and reject invalid or unauthorized routes.
  3. BGPSEC: BGPSEC is an extension to BGP that provides a cryptographic mechanism for verifying the authenticity and integrity of BGP route advertisements. BGPSEC uses digital signatures to ensure that the route advertisement has not been tampered with or modified by a malicious actor.
  4. Route filtering: Network operators can use route filtering to limit the propagation of BGP route advertisements based on certain criteria, such as the origin AS number or the geographic location of the route.

A cloudflare blog on implementing RPKI is here. An AWS blog on implementing RPKI is here.

These require the cooperation and coordination of network operators and ISPs. BGP security is an ongoing challenge, and new threats and vulnerabilities may emerge over time, which requires constant vigilance and updates to the security mechanisms.

A historical and insightful article looking at how BGP came about on as sketches on 3 napkins to solve the problem of connecting multiple networks –

The underlying concepts of Autonomous Systems, Gateways, neighbor acquisition, reachability and network route determination are well described in (1982), which is the RFC for EGP, a precursor of BGP.

BGP was designed to be more scalable than EGP. It achieved greater scalability by 1) supporting CIDR instead of classful IP addressing, 2) by summarizing or aggregating multiple IP network prefixes into a single prefix, 3) by supporting multiple paths to a destination and 4) by supporting path attributes that let the recipient determine the best path.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s