FCC Proposes Rules to Strengthen BGP Security

The FCC has issued a Notice of Proposed Rulemaking to address security vulnerabilities in the Border Gateway Protocol (BGP), requiring large broadband providers to develop comprehensive BGP Risk Management Plans and submit detailed quarterly reports.

The Federal Communications Commission (FCC) issued a Notice of Proposed Rulemaking (NPRM) earlier this month. This notice is aimed at addressing some of the more significant security vulnerabilities in the Border Gateway Protocol (BGP), the foundational technology that routes internet traffic between networks.

This proposal pushes for retail broadband internet providers to develop and maintain comprehensive plans to mitigate any vulnerabilities. Doing this will enhance the overall security of internet traffic routing.

The FCC's authority to regulate this aspect of internet infrastructure is rooted in its recent classification of retail broadband internet access as a "telecommunications service." This classification brings it within the scope of the FCC's regulatory jurisdiction.

Background on BGP and Its Vulnerabilities

The modern internet consists of numerous interconnected networks known as Autonomous Systems (ASes). These systems rely on routers to direct traffic, using routing tables to determine the optimal paths for data to travel.

This is where BGP comes in: it enables ASes to advertise routes they can handle, which other ASes then incorporate into their routing tables.

This decentralized and trust-based system, however, is vulnerable to misconfigurations and malicious attacks, such as BGP hijacking. A successful attack can result in significant disruptions, unauthorized surveillance, and data breaches, highlighting the need for robust security measures.

BGP Risk Management Plans

The NPRM requires large broadband providers to file detailed BGP Risk Management Plans with the FCC. To do this, broadband providers need to outline their strategies for implementing Resource Public Key Infrastructure (RPKI). RPKI is a cryptographic system designed to secure internet routing by verifying the legitimacy of route advertisements. The proposed BGP Plans must include:

  • Processes for creating and maintaining Route Origin Authorizations (ROAs)

  • Factors influencing the creation and maintenance of ROAs

  • Goals and timelines for ROA registrations

  • Criteria for measuring progress

  • Implementation of Route Origin Validation (ROV) filtering at interconnection points

  • Contractual requirements for upstream third parties to provide ROV filtering

While smaller providers may not be required to file these plans with the FCC, they must keep them available for inspection upon request. All BGP Plans will be treated as confidential, safeguarding the sensitive nature of the information.

Detailed Quarterly Reporting

In addition to the BGP Plans, large broadband providers must submit quarterly reports to the FCC, detailing their progress in securing internet routing. These reports will include:

  • Lists of Registry Org IDs and Autonomous System Numbers (ASNs)

  • Details of address holdings and reassignments

  • Information on IP prefixes in originated routes, including those covered by ROAs

  • The extent of ROV filtering performed for peers and customers

The FCC aims to gather data that is difficult to aggregate from public sources, ensuring comprehensive monitoring of the providers' efforts to secure internet routing.

Additional Measures and Implementation Timeline

Beyond the risk management plans and quarterly reports, the NPRM is also seeking comments on:

  • Imposing conditions on address space assignment contracts to ensure compliance with RPKI reporting

  • Setting deployment goals for RPKI implementation, proposing one year for large providers and two years for others

  • Requiring outreach and education efforts to support downstream providers

The first BGP plans are to be filed 90 days after the effective date of the rules, with quarterly reports starting 30 days after the necessary steps are concluded for the rule to take effect.

The FCC's Justification and Authority

The FCC asserts its regulatory authority based on several statutory grounds:

  • Title II and Title III of the Communications Act: These provisions empower the FCC to regulate telecommunications services, ensuring secure routing as part of a "just and reasonable" service.

  • Section 706 of the Telecommunications Act of 1996: This section authorizes the FCC to promote broadband deployment, which includes enhancing the security of internet routing.

  • Communications Assistance for Law Enforcement Act (CALEA): CALEA mandates that broadband providers prevent unauthorized interception of communications, providing a basis for requiring measures against BGP hijacking.

The FCC underscores the critical importance of BGP security for both public safety and national security, justifying its regulatory intervention in this area.

Next Steps

The proposed rules are set to affect all retail broadband service providers, with specific reporting obligations for the large providers identified in the NPRM. However, there is a 30-day window after the FCC's publication in the Federal Register for the providers to comment on the rules and a 45-day window for them to issue replies.

The NPRM's proposed rules highlight the necessary steps being taken on the routing of internet traffic by addressing vulnerabilities in BGP. By requiring detailed risk management plans and regular reporting, the FCC aims to mitigate the risks associated with BGP misconfigurations and hijacking, ensuring a more secure and reliable internet infrastructure.
