Secure BGP

One of the decades-long grudges most people have with BGP is that it’s so easy to insert bogus routing information into the Internet if your upstream ISP happens to be a careless idiot (as Google discovered in 2008 when Pakistan Telecom tried to blackhole YouTube domestically and its upstream leaked the resulting more-specific prefix to the rest of the Internet). There are two proposed solutions that use X.509 certificates to authenticate BGP information. Secure BGP (S-BGP, which carries its signatures in optional transitive path attributes) authenticates the originator as well as the whole AS path: every AS along the way signs the path as it forwards it, using a certificate bound to its AS number. The significantly simpler Secure Origin BGP (soBGP, which uses new BGP message types) authenticates only the originator of the routing information; the AS path itself stays unverified.
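To make the difference between the two approaches concrete, here is an added example (mine, not code from the post or from either project) in Go that simulates both checks on a toy announcement. It assumes per-AS Ed25519 keys kept in a map in place of the real X.509 certificate hierarchy, a simple string encoding of what each AS signs, and a constructed prefix 203.0.113.0/24; the AS numbers and the helper names (attMsg, originate, forward, validateOrigin, validatePath, scenario) are my own. The rogue AS 64666 replays the origin's signatures it has observed and announces a path that claims a direct link to the origin: an origin-only check accepts it, the per-hop path check rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Per-AS Ed25519 keys. S-BGP binds a key to an AS number with an X.509
// certificate chained to the RIRs; two maps stand in for that PKI here (assumption).
var (
	pubs  = map[uint32]ed25519.PublicKey{}
	privs = map[uint32]ed25519.PrivateKey{}
)

func newAS(num uint32) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pubs[num], privs[num] = pub, priv
}

// announcement: prefix, AS path (origin first) and two kinds of signature:
// originAuth, the origin's signature over the prefix (all an origin-only scheme
// checks), and routeAtt[i], signed by path[i] over prefix|path[0..i]|next.
type announcement struct {
	prefix     string
	path       []uint32
	originAuth []byte
	routeAtt   [][]byte
}

func attMsg(kind, prefix string, path []uint32, next uint32) []byte {
	return []byte(fmt.Sprintf("%s|%s|%v|%d", kind, prefix, path, next))
}

// originate: asn signs the origin authorization and a route attestation toward to.
func originate(asn uint32, prefix string, to uint32) announcement {
	path := []uint32{asn}
	return announcement{prefix: prefix, path: path,
		originAuth: ed25519.Sign(privs[asn], attMsg("origin", prefix, path, 0)),
		routeAtt:   [][]byte{ed25519.Sign(privs[asn], attMsg("route", prefix, path, to))}}
}

// forward: asn appends itself to the path and signs the result toward to.
func forward(asn uint32, in announcement, to uint32) announcement {
	path := append(append([]uint32{}, in.path...), asn)
	att := append(append([][]byte{}, in.routeAtt...), ed25519.Sign(privs[asn], attMsg("route", in.prefix, path, to)))
	return announcement{prefix: in.prefix, path: path, originAuth: in.originAuth, routeAtt: att}
}

// validateOrigin is the soBGP-style check: only the origin's authorization
// is verified; the rest of the AS path is taken on trust.
func validateOrigin(a announcement) bool {
	if len(a.path) == 0 {
		return false
	}
	pub, ok := pubs[a.path[0]]
	return ok && ed25519.Verify(pub, attMsg("origin", a.prefix, a.path[:1], 0), a.originAuth)
}

// validatePath is the S-BGP-style check: every AS on the path must have signed
// the path so far toward the hop it sent it to; receiver is the validating AS.
func validatePath(a announcement, receiver uint32) bool {
	if !validateOrigin(a) || len(a.routeAtt) != len(a.path) {
		return false
	}
	for i, asn := range a.path {
		next := receiver
		if i+1 < len(a.path) {
			next = a.path[i+1]
		}
		pub, ok := pubs[asn]
		if !ok || !ed25519.Verify(pub, attMsg("route", a.prefix, a.path[:i+1], next), a.routeAtt[i]) {
			return false
		}
	}
	return true
}

// scenario: legitimate route 64500 -> 64501 -> 64502, plus a forgery in which
// AS 64666 replays the signatures it saw and claims a direct link to 64500.
// Returns origin-only and path verdicts on the forgery, then path on the legit route.
func scenario() (forgedOriginOK, forgedPathOK, legitPathOK bool) {
	newAS(64500); newAS(64501); newAS(64502); newAS(64666)
	prefix := "203.0.113.0/24" // constructed example prefix
	legit := forward(64501, originate(64500, prefix, 64501), 64502)
	// 64500's attestation is public, but it names 64501 as next hop, not 64666.
	stolen := announcement{prefix: prefix, path: []uint32{64500}, originAuth: legit.originAuth, routeAtt: legit.routeAtt[:1]}
	forged := forward(64666, stolen, 64502)
	return validateOrigin(forged), validatePath(forged, 64502), validatePath(legit, 64502)
}

func main() {
	o, p, l := scenario()
	fmt.Printf("forged: origin-only=%v path=%v; legitimate: path=%v\n", o, p, l)
}
```

The thing to notice is the next-hop field inside each route attestation: that is what stops an AS from removing, reordering or inserting hops, and it is also why every AS on every path has to sign and verify, which is exactly the cost the rest of the post is about.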

However, even though the Secure BGP project got DARPA funding and some of the required tools and proof-of-concept router code were demonstrated, the interest among Service Providers was nonexistent. To understand this sad fact, consider the two questions Yakov Rekhter asked in his Google TechTalk (around 39:00): who bears the cost, and who gets the benefit?

The only Internet participants benefiting from Secure BGP would be the content providers, while the majority of the cost (a certificate infrastructure, routers able to sign and verify every update, and the operational work to run both) would fall on ISPs all around the world. No wonder they were not interested.


  1. I'm with Yakov on this one - it ain't gonna happen.