The Internet's Postal Service


When Your GPS Sends You Through a War Zone

Imagine if your GPS could be hacked by anyone, anywhere, to redirect your car through dangerous neighborhoods instead of the safest route home. That’s essentially what happens every day with internet traffic, thanks to a 30-year-old protocol that powers the entire web.

Border Gateway Protocol (BGP) is the standardized protocol that routes traffic between different networks on the internet. Think of it as the internet’s postal service - it figures out the best path for your data to travel from your computer to websites around the world.

The problem? BGP wasn’t designed with security in mind and remains vulnerable to attacks where malicious actors can hijack traffic.

How BGP Actually Works

The internet isn’t one giant network - it’s tens of thousands of smaller networks called autonomous systems (AS) that connect to each other. Each autonomous system has a unique autonomous system number (ASN); IANA allocates blocks of these numbers to the regional Internet registries, which assign them to individual network operators.

When you visit a website, your request bounces through multiple autonomous systems before reaching its destination. BGP makes routing decisions based on paths, network policies, or rule-sets configured by network administrators.

Here’s the simplified process:

Your Computer → Your ISP → Transit Network → Destination ISP → Website

Each network along this path uses BGP to decide where to send your data next. BGP also gives the internet its resilience: when a path goes down, the routers that learned it withdraw it and converge on an alternative, usually within seconds to minutes.

The Trust Problem That Breaks Everything

BGP operates on a fundamental assumption: every network tells the truth about which prefixes it owns and which paths it has to reach them. A router has no built-in way to verify an announcement from a neighbor, so whatever the neighbor says is accepted and passed on. This inherent trust is where vulnerabilities emerge.

It’s like having a postal system where anyone can put up a sign saying “All mail for Main Street comes through me” - and everyone just believes them.

Recent BGP Disasters You Probably Felt

Cloudflare’s 1.1.1.1 Goes Dark (June 2024)

On June 27, 2024, a Brazilian network improperly announced a route for Cloudflare’s 1.1.1.1 DNS resolver address as if it were its own. Because BGP prefers the most specific prefix it knows, networks that accepted the announcement sent their DNS queries to the wrong place. Over 300 networks in 70 countries were affected, leaving Cloudflare’s resolver unreachable or degraded for users behind them.

The Facebook Blackout (2021)

Facebook, Instagram and WhatsApp went offline for about six hours on October 4, 2021. A configuration change during routine maintenance cut Facebook’s data centers off from its backbone, and its DNS servers then withdrew the BGP routes to Facebook’s address space. With no route into the social media sites, the apps were disconnected from the internet.

These weren’t sophisticated cyber attacks - they were configuration mistakes that had global consequences.

RPKI: The Internet’s ID System

The solution is called Resource Public Key Infrastructure (RPKI) - think of it as an ID verification system for internet routes.

RPKI lets the holder of an IP address block publish a signed Route Origin Authorization (ROA) stating which autonomous system is allowed to originate that block, and how specific those announcements may be. The ROA is signed with a key whose certificate is issued by the regional Internet registry that allocated the addresses, much like getting a public certificate for your organization’s website.

Here’s how it works:

  1. Route Origin Authorization (ROA): The address holder publishes a signed record listing a prefix, the maximum prefix length that may be announced, and the AS number authorized to originate it
  2. Route Origin Validation (ROV): A validator fetches and cryptographically verifies the ROAs; routers then compare each announcement’s prefix and origin AS against that data and label it valid, invalid, or not found (no ROA covers the prefix)
  3. Invalid routes get rejected: If an operator’s policy drops invalids, a hijacker announcing your prefix from the wrong AS, or announcing something more specific than your ROA allows, is ignored by RPKI-enabled routers. Routes with no ROA are still accepted, which is why unsigned prefixes remain exposed
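The three steps above, as an added example that is not code from the article or from any RPKI project: the comparison a router performs once it holds validated ROA data, following the RFC 6811 rules. The ROAs, prefixes (documentation ranges) and AS numbers (private range) are constructed for illustration; a real deployment gets its ROAs from a validator such as Routinator or rpki-client over the RPKI-to-Router protocol rather than from a list in code.

```python
"""Route Origin Validation (RFC 6811) against a small set of ROAs.

Added example for this article, not code from it or from any RPKI project.
The ROAs, prefixes (documentation ranges) and AS numbers (private range)
are constructed. A real validator fetches and cryptographically verifies
ROAs from the RIR repositories and pushes the results to routers over
RPKI-to-Router; this models only the comparison a router performs once it
has that validated data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # address block the ROA covers, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the holder authorizes
    origin_as: int   # AS number allowed to originate the prefix


# Constructed ROAs: AS64500 holds 203.0.113.0/24 (no de-aggregation
# allowed) and 2001:db8::/32 (announcements down to /48 allowed).
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64500),
]


def rov_state(announced_prefix: str, origin_as: int, roas=ROAS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'notfound'.

    RFC 6811: valid if at least one covering ROA lists the origin AS and
    the announced length does not exceed that ROA's maxLength; invalid if
    ROAs cover the prefix but none matches; not found if no ROA covers it.
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() only compares networks of the same address family
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def rov_from_path(announced_prefix: str, as_path: list, roas=ROAS) -> str:
    """ROV looks only at the origin AS, i.e. the last AS in AS_PATH."""
    return rov_state(announced_prefix, as_path[-1], roas)


def accept_under_drop_invalid(state: str) -> bool:
    """Common operator policy: drop 'invalid', keep 'valid' and 'notfound'."""
    return state != "invalid"


if __name__ == "__main__":
    # Constructed announcements: (prefix, AS_PATH as the router sees it,
    # neighbor first and origin last).
    cases = [
        ("203.0.113.0/24", [64600, 64500]),   # legitimate origin
        ("203.0.113.0/24", [64600, 64666]),   # origin hijack
        ("203.0.113.0/25", [64600, 64500]),   # holder's own /25 exceeds maxLength
        ("203.0.113.7/32", [64600, 64666]),   # more-specific hijack of one address
        ("198.51.100.0/24", [64600, 64666]),  # no ROA at all: unprotected
        ("2001:db8:1::/48", [64600, 64500]),  # within the IPv6 maxLength
        ("203.0.113.0/24", [64666, 64500]),   # forged origin: AS64666 appends the
                                              # real origin AS, ROV cannot tell
    ]
    for prefix, path in cases:
        state = rov_from_path(prefix, path)
        print(f"{prefix:18} path={path} -> {state:8} "
              f"accepted={accept_under_drop_invalid(state)}")
```

Two of the cases are worth dwelling on. The /32 announced from the wrong AS is invalid even though the hijacker picked a very specific prefix, because the ROA’s maxLength of 24 forbids anything longer; that is exactly the shape of the 1.1.1.1 incident above, and the reason a tight maxLength matters. The last case passes as valid because the attacker put the legitimate origin AS at the end of the path: ROV checks only the origin, not the path, so this forged-origin trick needs path filtering or a path-validation mechanism to catch.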

The Security Catch-22

While RPKI sounds great in theory, as of 2024, about 50% of global IP prefixes were covered by ROAs - a major milestone, but that still leaves half the internet unprotected.

Even worse, researchers found that RPKI has “software vulnerabilities, inconsistent specifications, and operational challenges,” with 41.2 percent of RPKI users vulnerable to at least one long-disclosed attack.

It’s like having a security system that only works half the time and occasionally lets burglars walk right through.

Why BGP Still Matters in 2025

Despite its flaws, BGP continues to grow, with IPv4 routing tables growing by 53,000 entries (6%) in 2024. The protocol that started as a simple way to connect networks has become the backbone of global digital infrastructure.

The White House recently made BGP security a national priority, pushing for widespread RPKI adoption to address routing vulnerabilities that could impact critical infrastructure.

The Reality Check

BGP hijacking isn’t going away anytime soon. Recent studies found that most alleged serial hijackers are still active on the internet, indicating the routing community is still looking for a common approach to deal with malicious behavior.

The internet’s postal service will keep delivering your data - it just might occasionally take a detour through someone else’s neighborhood first.

Bottom line: BGP makes the internet work, but its trust-based design means your traffic can be redirected by anyone willing to lie about routes. RPKI helps, but adoption is slow and the technology itself has security issues. For now, we’re all trusting that most people play nice with the internet’s routing system.

For the Networking Pros

If you’re already comfortable with BGP and routing, here are some finer points behind the issues mentioned above:

  1. Who can hijack routes? In practice, only networks that participate in BGP (ISPs, IXPs, large organizations with AS numbers) can originate false announcements. It’s not that “anyone with a laptop” can hijack routes, but misconfigurations at the AS level can propagate worldwide if upstream providers accept them.

  2. RPKI’s actual scope: RPKI validates the origin of a route (i.e., whether an AS is authorized to announce a prefix). It does not secure the full AS-PATH, so path manipulation attacks remain possible: route leaks, path prepending abuse, and forged-origin hijacks in which the attacker appends the legitimate origin AS to its own announcement so that ROV marks it valid.

  3. Why misconfigurations spread: Route leaks and hijacks persist because upstreams often fail to filter customer routes properly. Efforts like MANRS (Mutually Agreed Norms for Routing Security) encourage ISPs to implement route filtering, RPKI validation, and prefix-limit checks.

  4. IPv6 growth: While IPv4 routing tables grew ~6% in 2024, IPv6 tables are growing faster (~10% YoY). Both increase global BGP complexity and the burden on routers.

  5. RPKI vulnerabilities: The cryptographic design of RPKI is sound, but validator software and operational deployments have weaknesses. Examples include ROAs with overly permissive maximum prefix lengths, expired certificates, and validator implementation bugs.

  6. Policy momentum: Governments and large cloud providers are pushing RPKI and secure routing policies into critical infrastructure discussions. The U.S. National Cybersecurity Strategy (2023–24) explicitly mentions BGP security.
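Points 2 and 3 above describe what origin validation leaves open and what an upstream’s own filtering is supposed to close. The following is an added example, not code from the article, from MANRS, or from any router vendor: a model of the checks a transit provider applies to routes learned on one customer session before they can propagate (a prefix list built from the customer’s registered address space, an AS-PATH check against the customer’s cone, and a max-prefix limit). The customer registration, ASNs (private range) and prefixes (documentation ranges) are all constructed; on a real router these checks would be a prefix-list, an as-path filter generated from IRR or RPKI data, and the session’s maximum-prefix setting.

```python
"""Provider-side filtering of routes learned from a BGP customer.

Added example for this article; not code from it, from MANRS, or from any
router vendor. It models three checks an upstream applies on a customer
session before a route can propagate further: a prefix list derived from
the customer's registered address space, an AS_PATH check against the
customer's cone, and a max-prefix limit. All ASNs (private range),
prefixes (documentation ranges) and the registration data are constructed.
"""
import ipaddress

# Constructed registration for one customer session: AS64500, which has a
# single downstream customer AS64501, holds two IPv4 /24s.
CUSTOMER_AS = 64500
CUSTOMER_CONE = {64500, 64501}          # ASNs allowed to appear in AS_PATH
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("203.0.113.0/24", "198.51.100.0/24")]
LONGEST_ACCEPTED = 24                   # refuse de-aggregation below /24
MAX_PREFIXES = 8                        # session limit; a burst beyond this
                                        # is treated as a misconfiguration


def check_route(prefix: str, as_path: list) -> tuple:
    """Return (accepted, reason) for one route received from the customer.

    as_path is in wire order: as_path[0] is the neighbor that sent the
    route, as_path[-1] is the origin AS.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if as_path[0] != CUSTOMER_AS:
        return False, "first AS in path is not the customer (enforce-first-as)"
    outside = set(as_path) - CUSTOMER_CONE
    if outside:
        # A path through an AS the customer does not serve is either a route
        # leak (the customer re-exporting a route learned from another
        # provider or peer) or a forged-origin hijack; ROV catches neither.
        return False, f"AS_PATH contains {sorted(outside)} outside the customer cone"
    if net.prefixlen > LONGEST_ACCEPTED:
        return False, f"prefix longer than /{LONGEST_ACCEPTED}"
    if not any(net.version == reg.version and net.subnet_of(reg)
               for reg in CUSTOMER_PREFIXES):
        # Clean path, but the prefix is not the customer's: an origin hijack
        # of someone else's addresses, signed ROA or not.
        return False, "prefix not in customer's registered address space"
    return True, "accepted"


def filter_session(routes: list) -> tuple:
    """Apply the max-prefix limit, then per-route checks; return (accepted, log)."""
    if len(routes) > MAX_PREFIXES:
        # Routers tear the session down (or stop accepting routes) at the
        # limit so a mass de-aggregation or full-table leak is contained.
        return [], [f"max-prefix {MAX_PREFIXES} exceeded by {len(routes)} routes"]
    accepted, log = [], []
    for prefix, path in routes:
        ok, reason = check_route(prefix, path)
        log.append(f"{prefix:18} {path} -> {reason}")
        if ok:
            accepted.append(prefix)
    return accepted, log


if __name__ == "__main__":
    # Constructed routes received on the customer session.
    session = [
        ("203.0.113.0/24", [64500]),          # customer's own block
        ("198.51.100.0/24", [64500, 64501]),  # originated by its downstream
        ("203.0.113.0/25", [64500]),          # de-aggregation below the limit
        ("192.0.2.0/24", [64500]),            # someone else's space: hijack
        ("192.0.2.0/24", [64500, 64499]),     # leak or forged origin via AS64499
    ]
    for line in filter_session(session)[1]:
        print(line)
```

The order of the checks is deliberate: the path test runs before the prefix test so that a leaked route is reported as a leak rather than as an unregistered prefix, and the max-prefix limit is evaluated per session rather than per route because its job is to bound the blast radius of a whole misconfiguration, not to judge any single announcement.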