BGP: What is border gateway protocol, and how does it work?

Finding the best way to get from Point A to Point B is easy if you’re drawing a straight line on a piece of paper, but when Point A is your computer and Point B is a website halfway around the world, things get a bit trickier.

In the latter case, Border Gateway Protocol (BGP), the routing protocol used by the global internet, is used to find the best path by weighing the latest network conditions based on reachability and routing information. BGP manages how data packets get delivered between the large networks that make up the internet and makes it possible for the internet as we know it to operate efficiently.

The US Cybersecurity Infrastructure Security Agency (CISA) describes BGP as “the most important part of the internet you’ve probably never heard of.”

What is Border Gateway Protocol?

BGP has been called the glue of the Internet and the postal service of the internet. One comparison likens BGP to GPS applications on mobile phones. If you were driving from Boston to Los Angeles, the GPS app decides the best route possible using existing knowledge of road conditions, traffic jams, and whether you want to travel on a toll road. Sometimes, the shortest path is not always the best path. BGP is like having a continuously updated map of the internet from which routers choose the best path at the time.

The definition of BGP from the IETF states that its primary function “is to exchange network reachability information with other BGP systems.” When it’s working smoothly, BGP makes these separate systems work in harmony to create the internet.

What does BGP have to do with autonomous systems?

The internet has been called a network of networks, in which groups of individual networks managed by a large organization connect with other groups of networks managed by other large organizations. These network groups are known as autonomous systems (AS), and the large organizations with AS status include ISPs, large government agencies, universities, and scientific institutions.

Each AS creates rules and policies for how traffic moves within its network. Your home computer may be part of the AS being managed by your ISP, and it handles the traffic to and from any other nodes within their AS. But if you are trying to access a site beyond the AS, then BGP gets involved.

AS organizations arrange peering agreements among themselves that allow traffic to travel between their networks. BGP routers at the edge of AS networks advertise to their peers the prefixes of IP addresses that they can deliver traffic to. These advertisements are made regularly through network-prefix announcements that are used to update each router’s routing table.

Autonomous-system peering agreements

BGP routers use decision-making algorithms and policies established in AS-peering agreements to analyze the data they gather via the prefix announcements and choose which peer is best to send each packet stream to at any given time. For the most part, the path with the fewest number of network hops is selected, but due to congestion and delay, another, longer route may actually be faster. Once the traffic moves across an AS and reaches another BGP router connected to a different AS, the process repeats itself until the data reaches the AS where the destination site is located.

In most cases, in order to connect to the internet, computers, phones, and other devices use ISPs. The networks of these access providers connect to progressively larger ISP networks until they finally have access to the internet backbone. Traffic from a starting point goes up through the network hierarch to the backbone and then back down again to the destination IP address.

(BGP can also be used for routing within an AS, but it’s not necessary because there are other routing protocols that serve just as well. When it is used, it is called Interior Border Gateway Protocol, internal BGP (iBGP).)

In order for network operators to control routing within their own networks and to exchange routing information with other ISPs, autonomous system numbers (ASN) are used. These numbers are assigned by the Internet Assigned Numbers Authority (IANA) and distributed through regional internet registries to ISPs and other network operators. Like an IP address, an ASN includes both 16-bit (two-byte) and 32-bit (four-byte) numbers. As of May 2024, there are nearly 117,000 ASNs worldwide, with about 26% of them located in the U.S.

Is BGP insecure?

With ASNs continually joining the Internet and providing new routes for traffic, the number of BGP advertisements increases, creating a larger and larger attack surface. Because BGP assumes that each AS is telling the truth about the IP addresses it owns and the routing information it shares, this has led to vulnerabilities. The absence of security and authentication controls, particularly in early drafts of BGP, makes it challenging to verify the legitimacy of route operations, leaving networks vulnerable to unauthorized route advertisements. Exploits of BGP have been around for years. 

Federal agencies and internet standards bodies worked to create the Resource Public Key Infrastructure (RPKI) system in the wake of the 2010 China Telecom Internet traffic hijacking incident. RPKI helps improve routing security by adding a layer of encryption to the communications between Internet registries and network operators. With RPKI, network operators can verify that they have the authority to route traffic for a block of IP addresses or routing prefixes known as Autonomous System Numbers.

Industry groups have championed the adoption of route origin validation (ROV) and RPKI, which could enable cryptographic verification of route origins and associations between IP address blocks and network holders, but adoption has lagged. In May 2024, however, a pair of industry experts noted a significant milestone related to RPKI ROV deployment metrics:

As of today, May 1, 2024, internet routing security passed an important milestone. For the first time in the history of RPKI (Resource Public Key Infrastructure), the majority of IPv4 routes in the global routing table are covered by Route Origin Authorizations (ROAs), according to the NIST RPKI Monitor. IPv6 crossed this milestone late last year.

Blog post by BGP experts Doug Madory of Kentik and Job Snijders of Fastly

What is BGP hijacking?

In a BGP hijacking attack, adversaries manipulate BGP routing tables to have a compromised router advertise prefixes that have not been assigned to it. If those false advertisements indicate that a better path is available than the legitimate path, traffic may be directed that way—only the path leads to malicious servers that could steal credentials, download malware, and execute other damaging activities. And all the while end users think they are visiting legitimate sites.

A high-profile case of BGP hijacking occurred in 2018 when a Russian ISP falsely announced a number of IP prefixes that actually belonged to a group of Amazon DNS servers. Users attempting to login to a cryptocurrency site were redirected to a counterfeit site where hackers were able to steal about $152,000 in cryptocurrency.

In another well-documented incident, Pakistan Telecom, in its role as an ISP, attempted in 2008 to censor YouTube by advertising its own BGP routes to the site so users attempting to reach it would be blocked. However, the new routes were also announced to the ISP’s upstream providers, which then got broadcast to the rest of the Internet. As a result, Web requests for YouTube were directed to Pakistan Telecom, which not only resulted in a massive outage for the site and but also overwhelmed the ISP.

Increased government interest in BGP vulnerabilities

In March 2022, in response to the threat posed by Russian hackers following the invasion of Ukraine, the US Federal Communications Commission began taking a closer interest in BGP security. The move was issued in response to “Russia’s escalating actions inside of Ukraine,” according to the commission’s notice of inquiry:

Russian network operators have been suspected of exploiting BGP’s vulnerability to hijacking, including instances in which traffic has been redirected through Russia without explanation. In late 2017, for example, traffic sent to and from Google, Facebook, Apple and Microsoft was briefly routed through an Internet service provider in Russia. That same year, traffic from a number of financial institutions, including MasterCard, Visa, and others was also routed through a Russian government-controlled telecommunications company under “unexplained” circumstances.

Most recently, the FCC in May 2024 proposed requiring large broadband service providers to submit confidential reports on their plans to manage security risks associated with their use of BGP “so the FCC and its national security partners can for the first time collect more up-to-date information about this critical internet routing intersection,” according to the FCC’s statement.

Under the proposal, broadband internet access service (BIAS) providers will have to develop BGP Routing Security Risk Management Plans (BGP Plans) detailing their efforts to implement BGP security measures using RPKI. In addition, the nine largest broadband providers will have to submit their plans confidentially to the Commission, and file public quarterly reports on their progress in securing BGP.

The proposal aims to protect against bad actors who could pose a threat to national security and disrupt critical Internet infrastructure by exploiting BGP vulnerabilities, the FCC said. “Russian network operators have been suspected of exploiting BGP’s vulnerability for hijacking in the past,” the FCC statement said, adding, “BGP hijacks can expose Americans’ personal information, enable theft, extortion, state-level espionage, and disrupt otherwise-secure transactions.”

“It is vital that communication over the internet remains secure,” Chairwoman Rosenworcel said in the statement. “Although there have been efforts to help mitigate BGP’s security risks since its original design, more work needs to be done. With this proposal, we would require broadband providers to report to the FCC on their efforts to implement industry standards and best practices that address BGP security.”

How to fight BGP hijacking

There are several strategies for defending against BGP hijacking, including using IP address-prefix filtering that blocks inbound network traffic from networks known to be controlled by malicious actors. Another is BGP hijack-detection monitoring, which looks for suspiciously increased latency, degraded network performance or misdirected Internet traffic that could flag hijacking attempts.

In September 2020, a group known as Mutually Agreed Norms for Routing Security (MANRS) created a task force to help content-delivery networks and other cloud services adopt filters and cryptography to secure BGP. The group, which was formed in 2014, aims to “commit to the baseline of routing security defined by a set of six security-enhancing actions, of which five are mandatory to implement.”

The actions:

• Prevent propagation of incorrect routing information
• Prevent traffic with illegitimate source IP addresses
• Facilitate global operational communication and coordination
• Facilitate validation of routing information on a global scale
• Encourage MANRS adoption
• Provide monitoring and debugging tools to peering partners (optional).

MANRS is promoting the use of routing public key infrastructure (RPKI), a public database of routes that have been cryptographically signed to prove their trustworthiness. While users of RPKI publish the routes they offer and check the database to confirm others’ routes, the system can only eliminate leaks and outages if everyone is using it. Otherwise, in order to keep the internet moving, BGP routers will be forced to accept advertisements that are not validated.

Another company is going the public-shaming route to try to convince companies to support RPKI. At the website “Is BGP Safe Yet?”, launched by Cloudflare, users can get updates on ISPs that are implementing RPKI and read an FAQ on the situation. More importantly, they can click a button to see whether their ISP is safe or not. While this site may come off as a publicity stunt, its existence points up the ongoing seriousness of the problem.

(Keith Shaw is a freelance technology journalist who has been writing for more than 20 years on a variety of technology topics, including networking, consumer electronics, robotics and the future of work.)