Find out if your ISP implements BGP safely
Cloudflare recently launched Is BGP safe yet, a website that provides Internet users with a test to find out whether their Internet Service Provider (ISP) has implemented a certification system to make BGP safer to use.
All it takes is to open the website and click on the "test your ISP" button to run a quick test that determines whether the ISP has implemented the certification system RPKI.
Border Gateway Protocol (BGP) is a core Internet protocol that is used to determine the route that data takes on the Internet. One of the issues associated with the protocol is that routes can be hijacked. A basic example would be traffic from a user in the United States going through servers in Asia to access the New York Times website.
While that is usually caused by server misconfigurations, it is sometimes used on purpose to redirect traffic for malicious or privacy-invading purposes, e.g. to record data.
Cloudflare's test checks if the ISP has implemented Resource Public Key Infrastructure (RPKI) by announcing a legitimate route and deliberately making sure that the route is invalid. If the site loads, the ISP accepted the invalid route, which in turn means that the ISP has not implemented RPKI.
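The decision an RPKI-enforcing network makes for each BGP announcement, which is what the test relies on, can be sketched as follows. This is an added example, not code from Cloudflare or from the original article; it follows the route origin validation rules of RFC 6811, and the ROAs, prefixes and AS numbers are constructed sample values.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str      # address block the holder has signed for
    max_length: int  # longest prefix length allowed inside that block
    origin_as: int   # AS number authorised to originate it


# Constructed sample data: documentation prefixes and reserved ASNs.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("203.0.113.0/24", 24, 64501),
    ROA("2001:db8::/32", 48, 64502),
]


def validate(prefix, origin_as, roas=SAMPLE_ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        block = ipaddress.ip_network(roa.prefix)
        if block.version != route.version or not route.subnet_of(block):
            continue  # this ROA says nothing about the announced prefix
        covered = True
        if route.prefixlen <= roa.max_length and roa.origin_as == origin_as:
            return "valid"
    # Covered by a ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"


def route_installed(prefix, origin_as, enforces_rpki, roas=SAMPLE_ROAS):
    """True if a network with the given policy would accept the route."""
    if not enforces_rpki:
        return True  # no filtering: every announcement is accepted
    return validate(prefix, origin_as, roas) != "invalid"


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64666),
                     ("192.0.2.0/25", 64500), ("198.51.100.0/24", 64500)]:
        print(pfx, asn, validate(pfx, asn))
```

A network that filters on this result never installs the invalid route, so a site reachable only through it does not load. Routes classified as not-found are still accepted, because a prefix without a ROA makes no claim either way.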
Only a few ISPs, transit or cloud companies have implemented the security feature already. Cloudflare lists Telia and NTT on the test page, and several more, e.g. Amazon, AT&T or Cogent, that have started the implementation or implemented it partially already.
Internet users cannot really do much about it other than share the results of the test on Twitter (implemented on the test site) or elsewhere. An email, letter, or message to the ISP in question might also help get the ball rolling. Those who use different ISPs, e.g. one for the Internet connection at home and another for mobile, may find that one provider supports the safer standard already while another does not.
Now You: Has your ISP implemented RPKI already?
OK; I passed the BGP security test.
https://imgur.com/xeslkv1.png
One reason more to use a VPN.
Mine failed as well.. does anyone’s pass is the question XD
I ran the test using my ISP (KPN) and that resulted in a clean bill of health.
However, when I ran it again using my VPN (Mullvad) the message: “Incorrectly accepted invalid prefixes” appears which is a bit disconcerting.
Based on the comments, most of the commenters’ ISPs don’t implement BGP
I clicked “Test Your ISP”. Nothing happens at all. Nothing.
Good to know i am protected from Cloudflare ! LOL !
Honestly, home customers can do anything about it. There have been BGP hijacks in the past. Some done by scammers, some done by state-level groups. In a few hours they were solved, no matter how much damage they did in the meanwhile. State-level alliances look for this kind of hijack (USA, EU…).
I would love for that tool to embarrass someone into fixing their bgp…. but it won’t happen. If being embarrassed at doing a bad job made people fix things, then Comcast wouldn’t be continuously the worst customer service company for more than a decade.
My ISP failed also (videotron.com). I guess ISPs have some way to go before this feature is properly implemented. Crap, let’s hope they do it and do it fast.
Thanks Martin for this most valuable information.
Is this a marketing campaign of network hardware manufacturers?
I guessed that my ISP would fail, and it did. What I found interesting is that Amazon partially failed, and Google cloud completely failed.
Spectrum – Your ISP (AS12271) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.
it doesn’t, should I be surprised
Spectrum also failed the test. As poster Jonns astutely noted, “How much is this going to raise my bill when the ISP pass the cost on to their customers like they do with everything else?” Indeed!
I tested this yesterday and as expected, my ISP failed. The question to me is how high a priority should an ISP place on this problem? Is the problem there due to ignorance or are there other areas more important to an ISP and their customers?
>An error occured trying to conduct the test. Please try again.
https://i.imgur.com/poCOwYS.png
I’m probably blocking something they need ¯\_(ツ)_/¯
I did the test.
My ISP failed.
So, Martin,
what can an individual user do (proactively)
while the ISPs don’t get their act together?
I’m not Martin, but you can report it on your ISP’s support forum if they have one, or if you have a twitter account you can click/tap the “tweet this” link that appears after you perform the test, just make sure your ISP’s name is picked up as a tag (not sure about the exact nomenclature since I don’t use twitter) in the tweet, that way if enough people tweet it’ll appear at the top of your ISP’s twitter feed, to their embarrassment.
oh crap…Comcast Failed.
Your ISP (Comcast, AS7922) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.
Yah, I expected that. Comcastic is a very big network and will take their sweet time, like increasing the percent of bandwidth for uploads. Not holding my breath ….
Interesting. Cloudflare’s BGP test shows that my ‘ISP Bouygues Telecom ISP, AS5410) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.’
I’ll be on standby with my ISP concerning this security feature.
This is done at software level, ISP AS (Autonomous Systems) must enable it. As long as Juniper, Cisco and others allow RPKI to be implemented, there’s no reason to pay more for this.
How much is this going to cost the ISPs to implement throughout their networks? Or, to put it another way: How much is this going to raise my bill when the ISP pass the cost on to their customers like they do with everything else?
Better question: How much does it cost your ISP to fix BGP misconfigurations or hijacks and how much do the resulting disruptions in service cost customers? BGP is critical to the operation of the Internet and it needs to be done right.
@Timothy Daniels
Probably a lot less than implementing it, so the original question is a good one.