back to article FCC takes some action against notorious BGP

US broadband providers will soon have to provide proof to Uncle Sam that they are taking steps to prevent Border Gateway Protocol (BGP) hijacking and locking down internet routing in general. The FCC has unanimously approved a notice of proposed rulemaking that will require internet service providers to prepare, and annually …

  1. Yorick Hunt Silver badge
    FAIL

    "... will require internet service providers to prepare, and annually update, a confidential BGP security risk management plan."

    IOW, a document detailing how they'll react when the excrement hits the ventilator. Nothing to prevent that from happening, just a document declaring what they'll do when it happens.

    Evidently the acronym "FCC" stands for "eFfing Completely Clueless."

    1. that one in the corner Silver badge

      A "security risk management plan" is a plan about how you are managing the risk before something bad happens.

      You appear to be confusing this with an "incident response plan" - which should be part of you overall risk plan, but not the whole of it.

      Whether all the players do as they've been asked, and do so usefully, is another matter, but you have mischaracterised what they are being told to do.

      As to the overall efficacy of the FCC, you clearly have an opinion.

  2. sitta_europea Silver badge

    Well it's a start.

    1. Snake Silver badge

      Re: it's a start

      Ha! You don't think that the pro-business politicians will poke their [lobbyist-paid] noses into the regulation and try to claim that the FCC is 'overreaching'??

      I've got a bridge over the Thames for sale if you don't believe it.

  3. Anonymous Coward
    Anonymous Coward

    A wannabe tier 1 called cogent also likes to muck around with bgp announcements, when trying to coerce more beneficial peering agreements out of other isps. At least when it isn't resorting to plain old lawfare.

    That's the sort of behaviour that this rule should address. I wonder if it will?

  4. BigShaq

    So I'm a developer and I have a pretty basic understanding of how BGP protocol works... what are we hoping to accomplish here? Are there known risk mitigation techniques/policies/etc some ISPs have just neglected to implement (or chose not to implement because "muh profits") ? Is this essentially going to standardize that?

    Furthermore what's the deal with:

    "In proposing to measure RPKI deployment, we will help inform both the private and public sectors about what more needs to be done to secure our networks. It is also consistent with Initiative 4.1.5... which tasks the Office of the National Cyber Director, along with stakeholders and government agencies, to develop a roadmap to increase adoption of secure Internet routing techniques including BGP security."

    If the FCC has the power to mandate new reporting (and I'm absolutely not saying it doesn't), then why not mandate RPKI? Or is that what "roadmap to increase adoption" means? Because I'm not getting a "do this by 2026 or you'll be fined $10,000 per day" vibe from that kind of language.

    1. JessicaRabbit

      Perhaps they're concerned that if they push too hard they'll just be met with an army of lawyers.

      1. Tom Chiverton 1 Silver badge

        Well, it is the US...

    2. Jellied Eel Silver badge

      So I'm a developer and I have a pretty basic understanding of how BGP protocol works... what are we hoping to accomplish here?

      Being seen to be doing something.

      Are there known risk mitigation techniques/policies/etc some ISPs have just neglected to implement (or chose not to implement because "muh profits") ? Is this essentially going to standardize that?

      Well, we stole the breath interlock out of the CFO's car and howired that into the only terminal authorised to do push BGP configs, so that went some way to dealing with people being drunk in charge of an autonomous system.

      Otherwise.. Risk mitigation is mostly trying to ensure people have clue. RPKI goes some way to preventing route hijacking, but only if there's an ROA for the route that's being modified. So much the same challenge as it was trying to use route objects when a lot of providers didn't bother with route objects.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like