BGP secure routing experiment ends in online row

An experiment to make the internet safer ended up breaking parts of it last week.

Researchers were testing a way to make the Border Gateway Protocol (BGP) more secure. BGP is the language that routes traffic between autonomous system networks (ASNs), which are the large networks that make up the internet. However, BGP is vulnerable to multiple attacks including route hijacking, in which someone corrupts BGP routing tables to change the way that traffic travels between autonomous systems.

The researchers were testing a concept called Decentralized Infrastructure for Securing and Certifying Origins (DISCO). This anti-route hijacking system is supposed to solve the problems associated with the existing approach, which manually assigns digital certificates to IP address blocks. The problem with the manual method, according to the researchers, is that it takes work, meaning that few people do it. When they do it the records are often wrong, adds the DISCO research paper. This can cause routing problems of its own.

DISCO takes an alternative approach by watching traffic over time to verify that it’s going to the right destination. Its inventors say that this eliminates the need to change BGP routers, and tested it out on the public internet to see how it worked.

Crashing routers

Not all routers handled the experiment well. It crashed routers running Free Range Routing (FRR), which is an IP routing protocol suite that began developing in March 2017. That project, forked from an existing routing suite called Quaggo, is now part of the Linux Foundation and is gaining significant traction.

DISCO researcher Italo Cunha explained what happened in a post to the North American Network Operators Group (NANOG):

Despite the announcement being compliant with BGP standards, FRR routers reset their sessions upon receiving it. Upon notice of the problem, we halted the experiments. The FRR developers confirmed that this issue is specific to an unintended consequence of how FRR handles the attribute 0xFF (reserved for development) we used. The FRR devs already merged a fix and notified users.

The FRR project updated its software to solve the issue and the DISCO team ran the experiment again. This time, another problem emerged.

An angry Ben Cooper, CEO of Australian colocation data centre provider PacketGG, fired back a message on the NANOG list:

Can you stop this?

You caused again a massive prefix spike/flap, and as the internet is not centered around NA (shock horror!) a number of operators in Asia and Australia go effected by your “expirment” and had no idea what was happening or why.

Get a sandbox like every other researcher, as of now we have black holed and filtered your whole ASN, and have reccomended others do the same.

Others were more sympathetic, arguing that the problem appeared to be PacketGG’s BGP routing software. It hadn’t been updated to support the latest version of the BGP routing protocol, they implied:

“Get a sandbox like every other researcher” is not a fair statement, one can also posit “Get a compliant BGP-4 implementation like every other network operator”.

The disagreement was all for nothing, though, as the DISCO team had already announced that the project was to be permanently cancelled.

The failure leaves the internet still vulnerable to BGP hijacking attacks. In one of the most recent reported attacks, China allegedly routed traffic from Western countries through its own infrastructure to spy on their communications.