A New Way to Exploit the Border Gateway Protocol (BGP)

This protocol is _the_ way to route traffic over the Internet, (think DNS, but for IP addresses). This protocol was established to deal with a pressing problem present on the early ‘net: how can you tell which route a packet should take to reach a host in the fastest most efficient way?
Indeed, how do you find out there is a route in the first place?

The solution found was disappointingly simple: since most addresses are allocated in bulk (blocks), those who sit at the “gateway” of such blocks (called autonomous systems or AS) can maintain and publish tables of all the networks (prefixes) they route packets to (and any additional routes existing between them).

However, the de-centralized and inherently trusting nature of this arrangement (most anyone can publish a BGP table), a number of problems have arisen in practice.

The most recent is the one found and demonstrated by Anton Kapela and Alex Pilosov – a random AS on the Internet can falsely advertise routes so as to be selected as part of the best route between two arbitrary points (be they hosts or sub-networks) by every other AS. This amounts to push-button eavesdropping.

Solving such issues is, again, a matter of switching from an implicit trust model, such as the one used currently, to some other, more robust one. Additions to the protocol are proposed that would have routers cryptographically sign their routing tables, as well as sign for any tables published by routers “living” within their sub-net.

This would have the benefit of creating trust chains and making routing information about routes easily attributable – those who try to lie about routes  not in their network would be outed in a matter of seconds
– literally.

The rub, as always, is in the economic side of the equation: the existence of problems with BGP is known since at least Y2K, but the fix is very expensive (think replacing every border router at every ISP and more).

Moreover, unless and until everyone uses the new protocols, no-one is protected, because everyone must still accept unauthenticated routing info, to prevent the ‘net from falling to pieces. In other words, the first guy to buy the new hardware and implement the new software takes a financial hit for nothing, so does the second, and everyone keeps spending money for nothing until the one who’s the biggest cheapskate of them all finally decides that yes, it’s time to fix some glaring holes that have been there since time began.

There is only one way out of this conundrum, but it ain’t pretty: unless and until the cost of NOT implementing the fix are bigger than the costs of implementing it, nothing will happen.

We look forward to the inevitable eavesdropping lawsuits where spied-upon companies and individuals demand compensation from their ISPs for not implementing the features that would have made eavesdropping impossible. <obligatory_car_analogy>There’s precedent – motorists have won suits against city councils and road companies for damages in accidents caused by potholes. </obligatory_car_analogy>