To better understand why BGP’s lack of security is so problematic, let’s look at a simplified model of how BGP is used to route Internet packets.
The Internet is not run by just one company. It’s made up of thousands of autonomous systems with nodes located all around the world, connected to each other in a massive graph.
In essence, the way BGP works is that each node must determine how to route packets using only what it knows from the nodes it connects with directly.
For example, in the simple network A–B–C–D–E, the node A only knows how to reach E based on information it received from B. The node B knows about the network from A and C. And so forth.
A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes.
Click “Hijack the request” to visualize how packets are re-routed:
In order to make BGP safe, we need some way of preventing the spread of this misinformation. Since the Internet is so open and distributed, we can’t prevent malicious nodes from attempting to deceive other nodes in the first place. So instead we need to give nodes the ability to validate the information they receive, so they can reject these undesired routes on their own.
Enter Resource Public Key Infrastructure (RPKI), a security framework method that associates a route with an autonomous system. It gets a little technical, but the basic idea is that RPKI uses cryptography to provide nodes with a way of doing this validation.
With RPKI enabled, let’s see what happens to packets after an attempted BGP hijack. Click “Attempt to hijack” to visualize how RPKI allows the network to protect itself by invalidating the malicious routes: