Is regulated BGP security coming?

Original Article ↗ Hacker News Discussion ↗

Perceived Severity of BGP Risk

  • One view: operators have largely self-organized; BGP hijacking is rare compared to other attack vectors and often not impactful on well-run networks.
  • Counterview: incidents still cause large, global outages and are exploited for censorship, crypto theft, and abuse; thus BGP hijack must be in any realistic threat model for internet-reliant operations.
  • Some argue “least likely” vectors become more attractive once others are hardened.

Self-Regulation vs Government Regulation

  • Some see FCC action as a justified response to slow industry uptake of protections like RPKI (e.g., low US deployment decades after introduction).
  • Others call it a dangerous power grab, preferring multistakeholder internet governance and warning against nationalizing or politicizing routing (e.g., “Great Firewall of the USA” concerns).
  • Debate over whether states are ultimate authorities or merely delegating to RIRs and multistakeholder bodies; skeptics note states can always reclaim authority.

RPKI, ASPA, and Technical Limits

  • RPKI is viewed by some as the natural cryptographic ownership mechanism; others note it doesn’t fully stop hijacks and needs extensions like ASPA.
  • Confusion and criticism around how exactly RPKI prevents specific attack modes; some claim it “stops nothing” without additional mechanisms.
  • Concerns about RPKI trust anchors being long-lived and high-value single points of failure.

Deployment, Legacy Space, and Incentives

  • Legacy IPv4 holders resist RPKI due to ARIN contracts/fees, arguing they never agreed to new terms.
  • Others argue reachability is a privilege; if you won’t participate in RPKI/IRR, you shouldn’t expect global routing guarantees.
  • Suggestion of financial bonding or penalties for false announcements to create accountability, especially for chronically misbehaving regions.

Analogies to TLS/PKI and Centralization

  • Some compare BGP regulation and RPKI to the transition to mandatory HTTPS/TLS: initially seen as a power grab but later accepted as necessary.
  • Others see the TLS/CA ecosystem as a cautionary tale: central CAs (and now Let’s Encrypt) as single points of failure and gatekeepers, harmful for small “human” websites.

Related Security Measures and Threat Models

  • Comparisons to SS7, which is regulated yet still lacks strong cryptography.
  • Debates over DNSSEC, CAA, and Let’s Encrypt’s handling of BGP-hijack-based certificate misissuance.
  • Calls for mandatory IP source validation (strict uRPF) at edge ISPs; noted as infeasible in the core due to asymmetric routing.