Find out if your ISP implements BGP safely

Martin Brinkmann
Apr 19, 2020
Internet
|
24

Cloudflare launched Is BGP safe yet recently that provides Internet users with a test to find out whether their Internet Service Provider (ISP) has implemented a certification system to make BGP safer to use.

All it takes is to open the website and click on the "test your ISP" button to run a quick test that determines whether the ISP has implemented the certification system RPKI.

cloudflare bgp check tool

Border Gateway Protocol (BGP) is a core Internet protocol that is used to determine the route that data takes on the Internet. One of the issues associated with the protocol is that the possibility of hijacking exists. A basic example would be that traffic from a user in the United States would go through servers in Asia to access the New York Times website.

While that is usually caused by server misconfigurations, it is sometimes used on purpose to redirect traffic for malicious or privacy-invading purposes, e.g. to record data.

Cloudflare's test checks if the ISP has implemented Resource Public Key Infrastructure (RPKI) by announcing a legitimate route and making sure the route is invalid. If the site is loaded, the invalid route was accepted by the ISP which in turn means that the ISP has not implemented RPKI.

Only a few ISPs, transite or cloud companies have implemented the security feature already. Cloudflare lists Telia and NTT on the test page, and several more, e.g. Amazon, AT&T or Cogent, that have started the implementation or implemented it partially already.

Internet users cannot really do much about it other than share the results of the test on Twitter (implemented on the test site) or elsewhere. An email, letter, or message to the ISP in question might also help get the ball rolling. Those who use different ISPs, e.g. one for the Internet connection at home and another for mobile, may find that one provider supports the safer standard already while another does not.

Now You: Has your ISP implemented RPKI already?

Summary
Find out if your ISP implements BGP safely
Article Name
Find out if your ISP implements BGP safely
Description
Cloudflare launched Is BGP safe yet recently that provides Internet users with a test to find out whether their Internet Service Provider (ISP) has implemented a certification system to make BGP safer to use.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Anonymous said on May 4, 2020 at 10:30 pm
    Reply

    OK; I passed the BGP security test.

    https://imgur.com/xeslkv1.png

    One reason more to use a VPN.

  2. TnF said on April 25, 2020 at 1:02 pm
    Reply

    Mine failed as well..does anyone’s passes is the question XD

  3. TelV said on April 23, 2020 at 3:28 pm
    Reply

    I ran the test using my ISP (KPN) and that resulted in a clean bill of health.

    However, when I ran it again using my VPN (Mullvad) the message: “Incorrectly accepted invalid prefixes” appears which is a bit disconcerting.

  4. empirefall said on April 23, 2020 at 1:06 am
    Reply

    based on the comments, most of the commenters ISPs don’t implement BGP

  5. stefann said on April 20, 2020 at 3:14 pm
    Reply

    I clicked “Test Your ISP”. Nothing happens at all. Nothing.

    Good to know i am protected from Cloudflare ! LOL !

  6. Commander Canoe said on April 20, 2020 at 2:53 pm
    Reply

    Honestly, home customers can do anything about it. There have been BGP hijacks in the past. Some done by scammers, some done by state-level groups. I a few hours they were solved, no matter how damage they did in the meanwhile. State-level alliances look for this kind of hijacks (USA, EU…).

  7. Maelish said on April 20, 2020 at 2:41 pm
    Reply

    I would love for that tool to embarrass someone into fixing their bgp…. but it won’t happen. If being embarrassed at doing a bad job made people fix things, then Comcast wouldn’t be continuously the worst customer service company for more than a decade.

  8. Martin P. said on April 20, 2020 at 12:21 pm
    Reply

    My ISP failed also (videotron.com). I guess ISPs have some way to go before this feature is properly implemented. Crap, let’s hope they do it and do it fast.

    Thanks Martin for this most valuable information.

  9. Ivan said on April 20, 2020 at 10:54 am
    Reply

    Is this a marketing campaign of network hardware manufacturers?

  10. Coriy said on April 20, 2020 at 6:22 am
    Reply

    I guessed that my ISP would fail, and it did. What I found interesting is that Amazon partially failed, and Google cloud completely failed.

  11. WO2020060606 said on April 20, 2020 at 6:02 am
    Reply

    Spectrum – Your ISP (AS12271) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

  12. empirefall said on April 20, 2020 at 4:25 am
    Reply

    it doesn’t, should I be surprised

  13. Quick Brown Fox said on April 20, 2020 at 12:31 am
    Reply

    Spectrum also failed the test. As poster Jonns astutely noted, “How much is this going to raise my bill when the ISP pass the cost on to their customers like they do with everything else?” Indeed!

  14. chesscanoe said on April 19, 2020 at 9:16 pm
    Reply

    I tested this yesterday and as expected, my ISP failed. The question to me is how high a priority should an ISP place on this problem? Is the problem there due to ignorance or are there other areas more important to an ISP and their customers?

  15. Yuliya said on April 19, 2020 at 9:05 pm
    Reply

    >An error occured trying to conduct the test. Please try again.
    https://i.imgur.com/poCOwYS.png
    I’m probably blocking something they need ¯\_(ツ)_/¯

  16. tester said on April 19, 2020 at 8:24 pm
    Reply

    I did the test.
    My ISP failed.

    So, Martin,
    what can an individual user do (proactively)
    while the ISPs don’t get their act together?.

    1. Matti said on April 20, 2020 at 5:31 pm
      Reply

      I’m not Martin, but you can report it on your ISP’s support forum if they have one, or if you have a twitter account you can click/tap the “tweet this” link that appears after you perform the test, just make sure your ISP’s name is picked up as a tag (not sure about the exact nomenclature since I don’t use twitter) in the tweet, that way if enough people tweet it’ll appear at the top of your ISP’s twitter feed, to their embarrassment.

  17. Dave said on April 19, 2020 at 8:19 pm
    Reply

    oh crap…Comcast Failed.

    Your ISP (Comcast, AS7922) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

    1. mikef90000 said on April 20, 2020 at 9:17 pm
      Reply

      Yah, I expected that. Comcastic is a very big network and will take their sweet time, like increasing the percent of bandwidth for uploads. Not holding my breath ….

  18. Tom Hawack said on April 19, 2020 at 6:40 pm
    Reply

    Interesting. Cloudflare’s BGP test shows that my ‘ISP Bouygues Telecom ISP, AS5410) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.’

    I’ll be on standby with my ISP concerning this security feature.

  19. Johann Best Hammer said on April 19, 2020 at 6:40 pm
    Reply

    This is done at software level, ISP AS (Autonomous Systems) must enable it. As long as Juniper, Cisco and others allow RPKI implemented, there’s no reason to pay more for this.

  20. Jonns said on April 19, 2020 at 5:57 pm
    Reply

    How much is this going to cost the ISPs to implement throughout their networks? Or, to put it another way: How much is this going to raise my bill when the ISP pass the cost on to their customers like they do with everything else?

    1. Timothy Daniels said on April 19, 2020 at 8:52 pm
      Reply

      Better question: How much does it cost your ISP to fix BGP misconfigurations or hijacks and how much to the resulting disruptions in service cost customers. BGP is critical to the operation of the Internet and it needs to be done right.

      1. Trey said on April 20, 2020 at 10:13 pm
        Reply

        @Timothy Daniels

        Probably a lot less than implementing it, so the original question is a good one.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.