Cloudflare publishes 'Is BGP safe yet?', a website where you can check whether your communication is passing safely through the Internet



The Internet is composed of sets of IP networks and routers called Autonomous Systems (ASs), and a protocol called BGP is used for the routing that determines the communication routes between ASs. However, BGP has a problem: communication routes can be hijacked by an attack called BGP hijacking. Cloudflare has published a website, 'Is BGP safe yet?', where you can check whether your Internet provider (ISP) is dealing with this problem.

Is BGP Safe Yet? No. But we are tracking it carefully
https://blog.cloudflare.com/is-bgp-safe-yet-rpki-routing-security-initiative/

Is BGP safe yet? Cloudflare
https://isbgpsafeyet.com/

BGP is a protocol established in 1989 that is responsible for routing between ASs such as Internet providers (ISPs). BGP cannot be said to be very secure, and in the past there has been damage from networks being hijacked through BGP hijacking.



To solve such problems, 'RPKI' was developed as a security function for BGP. RPKI compares ROAs, which record the correct combination of an IP address and an AS number (the unique number assigned to each AS), with the route information actually advertised by routers, and so detects misuse of IP addresses and BGP hijacking.



In order to realize a secure Internet with RPKI, each ISP must support RPKI.

You can use the website 'Is BGP safe yet?' published by Cloudflare to check whether your provider supports RPKI. Go to the website and click 'Test your ISP' ...



The results were displayed immediately. The ISP I tested this time doesn't seem to support RPKI.



Below is an image published by Cloudflare showing the RPKI support status of the IP address space. Yellow shows the IP address space that supports RPKI, and blue shows the unsupported IP address space. You can see that the unsupported IP address space is still large.



The way 'Is BGP safe yet?' works is simple. It tries to access two websites: 'valid.rpki.cloudflare.com', which can be reached regardless of RPKI support, and 'invalid.rpki.cloudflare.com', which cannot be reached when RPKI is supported. If both respond, it judges that the ISP does not support RPKI.



Cloudflare commented, 'We look forward to a day when we can say that the leaking of route information due to a BGP problem and the hijacking of networks were a thing of the past.'

in Web Service, Posted by darkhorse_log