HN

Need help?
<- Back
Is BGP safe yet?

Is BGP safe yet?

janandonly

Comments (69)

  • maltalex
    RPKI doesn't make BGP safe, it makes it safer. BGP hijacks can still happen.RPKI only secures the ownership information of a given prefix, not the path to that prefix. Under RPKI, an attacker can still claim to be on the path to a victim AS, and get the victim's traffic sent to it.The solution to this was supposed to be BGPSec, but it's widely seen as un-deployable.
  • Levitating
    Does not take BGPSec[1] into account, just RPKI.[1]: https://en.wikipedia.org/wiki/BGPsec
  • nemomarx
    This actually shows pretty good coverage for this feature, it seems to me. The big American isps do it, the mobile ones do too...How many major isps would we want to implement it to be "safe" and what would that look like? Is this a regional thing? They've only listed 4 unsafe ones on the site and that doesn't seem like a major issue, but maybe they're very large somewhere.
  • dorianmariecom
    i'm getting: Free SAS ISP signed unsafe but when testing i'm getting a successYour ISP (Free SAS, AS12322) implements BGP safely. It correctly drops invalid prefixes. Tweet this → Details fetch https://valid.rpki.isbgpsafeyet.com correctly accepted valid prefixesfetch https://invalid.rpki.isbgpsafeyet.com correctly rejected invalid prefixes
  • greyface-
    RPKI isn't just ROAs anymore, and BGP hijacks can happen at other places than just the first/last hop. Why hasn't this site been updated to test ASPA-invalid prefixes in addition to ROA-invalid ones?
  • commandersaki
    I think the test for BGP is Safe is when we stop using it and instead use SCION: https://en.wikipedia.org/wiki/SCION_(Internet_architecture).
  • olivier5199
    An ISP is marked as unsafe in the table, yet running the test says it is. (same ASN)
  • lucasay
    RPKI makes BGP safer, not safe. It helps prevent some hijacks, but attackers can still mess with routing paths. Feels like we’re patching a trust-based system rather than fixing it.
  • bilekas
    Google And digital ocean are huge players here but is there a reason they would only have partial coverage?TIM is listed as insecure yet my test is successful.> Your ISP (Telecom Italia S.p.a., AS3269) implements BGP safely. It correctly drops invalid prefixes
  • NetOpWibby
    When was the last time this site was updated? It mentions Sprint, which hasn't existed for years.
  • elashri
    Any reasons on why an ISP would not implement it other than effort/cost? Just for someone like me whose networks knowledge is very naive.
  • collabs
    Looks like Verizon does it correctly.> Your ISP (Verizon, AS701) implements BGP safely. It correctly drops invalid prefixes.
  • RRRA
    Google being shown as unsafe makes me think they have some internal methods for filtering?
  • kevincloudsec
    rpki adoption is the new ipv6 adoption. it looks great until you realize it only validates who owns the prefix, not the path to get there lol
  • NewsaHackO
    > A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes.But with HTTPS, they wouldn't be able to actually pose as another website, just delay/black hole the request so it doesn't reach its goal target, right? From the figure, it makes it seem like a person can use BGP to spoof a website and make a user visit a phished website, but that's not right, correct?
  • volemo
    Wikimedia is an ISP?
  • anon
    undefined
  • nareyko
    [dead]