Explainer: US Government Activity and BGP Security

US map from NASA

This post is part of our MANRS Basics series. It is intended for non-experts who are interested in learning more about routing security terms and events with reasonably simple explanations.

Several high-profile Internet routing incidents have caused some governments to investigate how they can clean up their networks and the global routing system, including in the United States. As covered in this MANRS blog post in April 2023, overall deployment of RPKI in the US has started to catch up with the global average, but US Government networks are still lagging behind, as shown in Figure 1: 

April 2023 image of US non-federal networks with 29.8% RPKI valid prefixes versus US Federal networks with only 0.50% RPKI valid prefixes.
Figure 1: US Federal Networks lag behind US Non-federal networks on RPKI valid prefixes.

This is why it’s such good news that the US Department of Commerce’s National Telecommunications and Information Administration (NTIA) alongside several other bureaus within Commerce including the Bureau of Economic Analysis (BEA), the Bureau of Industry and Security (BIS), the National Oceanic and Atmospheric Administration (NOAA) and the International Trade Administration (ITA), began implementing RPKI. This should cause a huge spike in the orange line above in Figure 1 to bring more US Federal networks in line with the private sector. 

Where does regulation fit into all of this? 

While the US Department of Commerce is making great strides in routing security, the US Federal Communications Commission (FCC) is suggesting that regulation might be more of an incentive to clean up routing security. 

A quick timeline of the US government’s most recent involvement with BGP security:

We recently outlined five reasons regulating BGP is a bad idea

What is the alternative?

Instead of regulation, we fully believe in the ability of the global technical community of routing security experts to work in a coordinated and collaborative way to continue improving routing security practices. Just this month, we reached a major milestone: For the first time in the history of RPKI, the majority of IPv4 routes in the global routing table are covered by ROAs, according to the NIST RPKI Monitor. The drive for collective action by the telecommunications industry, without regulation, is already moving the needle significantly. 

We are thrilled to see the US Department of Commerce taking key steps to prioritize routing security, and encourage everyone else who runs a network to do the same. If you operate a network, you should look at the Actions called for in the MANRS Programs for Network Operators, Internet Exchange Points (IXPs), CDN and Cloud Providers, and Equipment Vendors, and join the community of security-minded organizations that make the Internet better for us all. 

Leave a Comment