-
Notifications
You must be signed in to change notification settings - Fork 347
Expand file tree
/
Copy pathindex.html
More file actions
440 lines (359 loc) · 36.4 KB
/
index.html
File metadata and controls
440 lines (359 loc) · 36.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
<!doctype html>
<html lang="en" with-selection-styled>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Is BGP safe yet? · Cloudflare</title>
<meta name="description" content="On the Internet, network devices exchange routes via a protocol called BGP (Border Gateway Protocol). Unfortunately, issues with BGP have led to malicious actors being able to hijack and misconfigure devices leading to security problems which have the potential to cause widespread problems. BGP security can be greatly improved by using technologies such as RPKI to sign Internet routes. This page attempts to track the progress of major Internet players (ISPs, transit operators, and content providers) in their progress to adopt RPKI and other technologies.">
<meta name="keywords" content="BGP, RPKI, Cloudflare">
<meta name="author" content="Cloudflare">
<meta name="generator" content="Cloudflare">
<meta property="og:type" content="website">
<meta property="og:title" content="Is BGP safe yet? · Cloudflare">
<meta property="og:description" content="On the Internet, network devices exchange routes via a protocol called BGP (Border Gateway Protocol). Unfortunately, issues with BGP have led to malicious actors being able to hijack and misconfigure devices leading to security problems which have the potential to cause widespread problems. BGP security can be greatly improved by using technologies such as RPKI to sign Internet routes. This page attempts to track the progress of major Internet players (ISPs, transit operators, and content providers) in their progress to adopt RPKI and other technologies.">
<meta property="og:url" content="https://isbgpsafeyet.com">
<meta property="og:image" content="https://isbgpsafeyet.com/resources/open-graph.png">
<meta property="og:video" content="https://isbgpsafeyet.com/resources/open-graph.mp4">
<meta property="og:video:type" content="video/mp4">
<meta property="og:video:width" content="1948">
<meta property="og:video:height" content="1180">
<meta name="twitter:site" content="@Cloudflare">
<meta name="twitter:creator" content="@Cloudflare">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Is BGP safe yet? · Cloudflare">
<meta name="twitter:description" content="On the Internet, network devices exchange routes via a protocol called BGP (Border Gateway Protocol). Unfortunately, issues with BGP have led to malicious actors being able to hijack and misconfigure devices leading to security problems which have the potential to cause widespread problems. BGP security can be greatly improved by using technologies such as RPKI to sign Internet routes. This page attempts to track the progress of major Internet players (ISPs, transit operators, and content providers) in their progress to adopt RPKI and other technologies.">
<meta name="twitter:url" content="https://isbgpsafeyet.com">
<link href="/resources/favicon.ico" rel="icon" type="image/x-icon">
<link href="https://ui.components.workers.dev/?helpers=with-selection-styled,is-smooth-scrolling&components=Link,Button,Stack,Row,Markdown" rel="stylesheet">
</head>
<body>
<div class="Hero">
<div class="Spacer"></div>
<div class="Column">
<h1>Is BGP <span class="InlineSafeHighlight">safe</span> yet? <em data-is-bgp-safe-yet></em></h1>
<div class="Stack">
<div class="Markdown">
<p><a href="https://www.cloudflare.com/learning/security/glossary/what-is-bgp/">Border Gateway Protocol (BGP)</a> is the postal service of the Internet. It’s responsible for looking at all of the available paths that data could travel and picking the best route.</p>
<p>Unfortunately, it isn’t secure, and there have been some <a href="https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/">major Internet disruptions</a> as a result. But fortunately there is a way to make it secure.</p>
<p>ISPs and other major Internet players (Sprint and others) would need to implement a certification system, called <a href="#what-is-rpki">RPKI</a>.</p>
</div>
<div class="Hero--actions">
<div class="Row Row-is-centered">
<button class="Button Button-is-primary Button-is-elevated" data-js-test><span>Test your ISP</span></button>
<a class="Button Button-is-bordered Button-has-depth" href="#faq"><span>Read FAQ</span></a>
</div>
</div>
<div class="Test" data-js-test-results></div>
</div>
</div>
<div class="Spacer"></div>
</div>
<div class="Column">
<div class="Spacer"></div>
<div class="Markdown">
<h2 class="Markdown--h2-as-h3">Latest updates</h2>
<ul id="updates" class="Updates" data-js-updates>
<li>February 3, 2026 - Sparkle (AS6762), a global Tier-1 transit provider, now rejects RPKI-invalid prefixes (<a href="https://www.tisparkle.com/seabone-BGP-Policy-for-Customers">source</a>).</li>
<li>October 1, 2025 - Energotel (AS31117), major transit operator in Slovakia, now filters RPKI invalid routes (<a href="https://github.com/cloudflare/isbgpsafeyet.com/issues/818">source</a>).</li>
<li>August 28, 2025 - Bell Canada (AS577) One of the largest ISPs in Canada, now filters RPKI invalid routes received by its network (<a href="https://github.com/cloudflare/isbgpsafeyet.com/pull/808">source</a>)
<li>Febrary 22, 2024 - Deutsche Telekom (AS3320) One of the largest ISPs in Europe, now filters RPKI invalid routes received by its global network. (<a href="https://globalcarrier.telekom.com/newsroom/news/news-pages/deutsche-telekom-global-carrier-enhances-global-internet-security">source</a>)
<li>January 24, 2024 - Verizon (AS701) one of the largest ISPs in the US, has fully deployed RPKI Origin Validation across their network.</li>
<li>April 5, 2023 - Liberty Global (AS6830) One of the largest ISPs in Europe, now filters RPKI-OV invalid routes on its EBGP edge. (<a href="https://twitter.com/libertyglobal/status/1643542432573800451?s=20">source</a>)
<li>October 19, 2022 - Microsoft (AS8075) has deployed RPKI Origin Validation on all their peers. (<a href="https://storage.googleapis.com/site-media-prod/meetings/NANOG86/4602/20221017_Robachevsky_Internet_Routing_And_v1.pdf">source</a>)
<li>June 27, 2022 - Orange International Carrier (AS5511) has fully deployed RPKI Origin Validation on their global worldwide network. (<a href="https://twitter.com/OrangeIC/status/1541436188241891328">source</a>)
<li>March 15, 2022 - KPN (AS1136), the largest Internet provider in the Netherlands, now rejects RPKI-invalid BGP routes on its EBGP edge. (<a href="https://twitter.com/JobSnijders/status/1503649158422487040">source</a>)
<li>June 3, 2021 - NOS Communicações (AS2860), a leading Internet Service Provider in Portugal, has signed its prefixes and is dropping invalids.
<li>May 20, 2021 - Comcast (AS7922), one of the largest Internet Service Providers in the US, has signed its prefixes and is now dropping invalids over all BGP sessions. (<a href="https://corporate.comcast.com/stories/improved-bgp-routing-security-adds-another-layer-of-protection-to-network">source</a>)
<li>March 26, 2021 - Lumen (AS3356), <a href="https://asrank.caida.org/asns/3356/as-core">the largest worldwide transit backbone</a>, is now dropping invalids over all BGP sessions. (<a href="https://blog.lumen.com/lumen-enhances-routing-security-with-resource-public-key-infrastructure-rpki/">source</a>)
<li>March 15, 2021 - Vocus (AS4826), a leading Australian ISP, has signed its prefixes with RPKI and is now dropping invalids. (<a href="https://twitter.com/pmawson/status/1371642968512237569">source</a>)
<li>March 1, 2021 - HEANet (AS1213) Ireland's National Research & Education Network deploys the RPKI Infrastructure on its IP Network. (<a href="https://twitter.com/natural20/status/1366385420360155144">source</a>)
<li>February 26, 2021 - TDC (AS3292) the main operator in Denmark has implemented RPKI Origin Validation and is signing its prefixes. (<a href="https://github.com/cloudflare/isbgpsafeyet.com/pull/523">source</a>)
<li>February 1, 2021 - Sprint / T-Mobile (AS1239) now filters all RPKI Invalid routes from settlement-free peers. (<a href="https://www.sprint.net/policies/bgp-aggregation-and-filtering">source</a>)
<li>January 14, 2021 - Amazon Web Services (AS16509) has signed their prefixes and deployed RPKI Origin Validation. (<a href="https://aws.amazon.com/blogs/networking-and-content-delivery/how-aws-is-helping-to-secure-internet-routing/">source</a>)
<li>December 14, 2020 - Belnet (AS2611) NREN and first Belgian ISP to implement RPKI and drop invalid routes. (<a href="https://belnet.be/en/belnet-has-successfully-implemented-rpki">source</a>)
<li>December 1, 2020 - RETN (AS9002) has deployed RPKI-based BGP route origin validation. (<a href="https://twitter.com/RETNnet/status/1333735456408793089">source</a>)
<li>September 14, 2020 - HOPUS (AS44530) is now filtering all eBGP sessions using RPKI ROV. (<a href="https://twitter.com/afenioux/status/1305430383345971201">source</a>)
<li>September 2, 2020 - Netflix has deployed RPKI globally and is dropping invalid prefixes. (<a href="https://openconnect.zendesk.com/hc/en-us/articles/360039673152">source</a>)
<li>September 1, 2020 - Swisscom is fully dropping RPKI invalids since the end of July. (<a href="https://twitter.com/swisscom_csirt/status/1300666695959244800">source</a>)
<li>August 26, 2020 - Google is currently deploying RPKI. The network operator signed more than 90% of its prefixes.
<li>August 7, 2020 - HKIX, an Internet Exchange in Hong Kong deployed RPKI validation on all its member sessions and is now dropping RPKI invalids on their route servers. (<a href="https://www.hkix.net/hkix/route-policy.htm">source</a>)
<li>July 24, 2020 - Telstra AS1221, Australia’s leading telecommunications and technology company, now filters RPKI invalids. (<a href="http://lists.ausnog.net/pipermail/ausnog/2020-July/044367.html">source</a>)
<li>July 13, 2020 - Chilean Government Network (Red de Conectividad del Estado) at AS17147 successfully deployed RPKI filtering and drops invalid prefixes. (<a href="https://twitter.com/BenjaMatias/status/1278565243136942081">source</a>)
<li>July 6, 2020 – GR-IX, the Greek Internet Exchange, is now dropping RPKI invalids on their route servers (<a href="https://www.ripe.net/ripe/mail/archives/connect-wg/2020-July/000109.html">source</a>)
<li>June 16, 2020 – Hurricane Electric AS6939, a major transit provider deployed RPKI filters (<a href="https://mailman.nanog.org/pipermail/nanog/2020-June/108277.html">source</a>)
<li>June 16, 2020 - AnacondaWeb AS265656, an ISP and hosting provider from Temuco (Chile), successfully deployed RPKI signing and filtering. (<a href="https://twitter.com/pcolomes/status/1271336495400574977">source</a>)
<li>June 5, 2020 – Cogent AS174, the 3rd largest transit provider, now filters all RPKI invalids
<li>June 1, 2020 – Mobicom, the main transit provider in Mongolia, deployed RPKI (<a href="https://twitter.com/Ulsbold1125/status/1266435596194418689">source</a>)
<li>May 18, 2020 – Dhiraagu, a Maldivian ISP deployed RPKI (<a href="https://twitter.com/isseykun/status/1261758917467668481">source</a>)
<li>May 10, 2020 – Terrahost, a Norwegian dedicated and cloud server provider deployed RPKI (<a href="https://twitter.com/TerraHost/status/1259311449073168384">source</a>)
<li>May 7, 2020 – LINX, an Internet Exchange based in the United Kingdom drops RPKI invalids (<a href="https://twitter.com/JobSnijders/status/1258546615838621696">source</a>)
<li>May 7, 2020 – MIXP, an Internet Exchange based in Mauritius signed and drops RPKI invalids (<a href="https://twitter.com/IXP_Mu/status/1258414385480863744">source</a>)
<li>May 6, 2020 – Asergo, a Danish cloud provider deployed RPKI (<a href="https://twitter.com/asergogroup/status/1258377169526546432">source</a>)
<li>May 5, 2020 – GTT is now filtering all their sessions (<a href="https://twitter.com/JobSnijders/status/1257737268565073921">source</a>)
<li>May 5, 2020 - WorldStream, a cloud provider is working on RPKI implementation (<a href="https://twitter.com/WorldstreamBV/status/1257670396461166593">source</a>)
<li>May 4, 2020 – Cablenet Cyprus deployed RPKI
<li>April 27, 2020 – Acorus/Volterra is deploying RPKI (<a href="https://twitter.com/CorsoAlexandre/status/1254772078588227586">source</a>)
<li>April 24, 2020 – Kapsi, a Finnish ISP, deployed RPKI (<a href="https://twitter.com/atonkyra/status/1253609926221496322">source</a>)
<li>April 24, 2020 – Cyta, a Cyprus ISP, deployed RPKI
<li>April 23, 2020 – Jaguar Networks, deployed RPKI (<a href="https://twitter.com/JDescoux/status/1253344721201696768">source</a>)
<li>April 22, 2020 – Scaleway, a cloud provider, deployed RPKI in March 2020 (<a href="https://twitter.com/Scaleway_fr/status/1252941792850382849">source</a>)
<li>April 20, 2020 – Gigabit ApS, a Danish ISP, deployed RPKI (<a href="https://mailman.nanog.org/pipermail/nanog/2020-April/107295.html">source</a>)
<li>April 20, 2020 – USI Fiber currently working on RPKI implementation (<a href="https://twitter.com/usifiber/status/1252272488979091457">source</a>)
<li>April 19, 2020 – Aussie Broadband plans to support RPKI “shortly” (<a href="https://twitter.com/Aussie_BB/status/1252067879358361600">source</a>)
</ul>
<div class="Updates--actions">
<button class="Button Button-is-secondary Button-is-slim" data-js-toggle-show-all-updates>+ Show all</button>
</div>
</div>
<div class="Spacer"></div>
<div class="TableHeader">
<div class="Markdown">
<h2 class="Markdown--h2-as-h3">Status</h2>
</div>
<div class="TableHeader--subheader">
<div class="TableHeader--info">
<div class="Markdown">
<p data-js-table-summary>Displaying <span data-major-operators-count></span> major operators</p>
</div>
</div>
<div class="TableHeader--actions">
<button class="Button Button-is-slim" data-js-toggle-show-all-rows>+ Show all</button>
<button class="Button Button-is-slim" data-js-toggle-asn-column large-desktop-only>+ Show ASN column</button>
</div>
</div>
</div>
</div>
<table class="BGPSafetyTable" data-js-table data-sortable data-show-all-rows="false" data-hide-asn-column="true">
<thead>
<tr>
<th data-column="name"><span>Name</span></th>
<th data-column="type"><span>Type</span></th>
<th data-column="details"><span>Details</span></th>
<th data-column="status" data-sortable-type="numeric" data-sorted="true" data-sorted-direction="ascending"><span>Status</span></th>
<th data-column="asn" data-sortable="false" data-sortable-type="numeric"><span>ASN <a class="Button Button-is-bordered Button-is-question-mark" href="https://en.wikipedia.org/wiki/Autonomous_system_(Internet)" title="Autonomous system number" data-tooltip>?</a></span></th>
</tr>
</thead>
</table>
<div class="Column">
<div class="BGPSafetyTable---footer">
<div class="Markdown">
<p>Last updated on February 3, 2026 – <a href="https://github.com/cloudflare/isbgpsafeyet.com/tree/master/data">Edit on GitHub</a></p>
</div>
</div>
<div class="Spacer"></div>
</div>
<div class="BodyWithDiagrams">
<div class="Spacer"></div>
<div class="Column">
<div class="Markdown">
<h2 id="whats-a-bgp-hijack">What’s a BGP hijack?</h2>
<p>To better understand why BGP’s lack of security is so problematic, let’s look at a simplified model of how BGP is used to route Internet packets.</p>
<p>The Internet is not run by just <em>one</em> company. It’s made up of thousands of autonomous systems with nodes located all around the world, connected to each other in a massive graph.</p>
<p>In essence, the way BGP works is that each node must determine how to route packets using only what it knows from <strong>the nodes it connects with directly</strong>.</p>
<p>For example, in the simple network A–B–C–D–E, the node A only knows how to reach E based on information it received from B. The node B knows about the network from A and C. And so forth.</p>
<p>A <strong>BGP hijack</strong> occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes.</p>
<p>Click “<strong>Hijack the request</strong>” to visualize how packets are re-routed:</p>
</div>
</div>
<div class="Diagram" data-js-diagram="unsafe" path="happy">
<div class="Diagram--surface">
<h3 class="Diagram--header"><span unsafe>Unsafe</span> BGP: <span data-js-diagram-header>Normal request</span></h3>
<div class="Diagram--edge" position="1" path="both">
<div class="Diagram--edge-line"></div>
<div class="Diagram--edge-data"></div>
</div>
<div class="Diagram--edge" position="2" path="switch">
<div class="Diagram--edge-line"></div>
<div class="Diagram--edge-data"></div>
</div>
<div class="Diagram--edge" position="2" path="switch" with-status-color>
<div class="Diagram--edge-line"></div>
<div class="Diagram--edge-data"></div>
</div>
<div class="Diagram--edge" position="3" path="sad">
<div class="Diagram--edge-line"></div>
<div class="Diagram--edge-data"></div>
</div>
<div class="Diagram--edge" position="3" path="happy">
<div class="Diagram--edge-line"></div>
<div class="Diagram--edge-data"></div>
</div>
<div class="Diagram--edge" position="4" path="happy">
<div class="Diagram--edge-line"></div>
<div class="Diagram--edge-data"></div>
</div>
<div class="Diagram--node" position="1" path="both">
<div class="Diagram--node-icon"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 73 50"><path fill="var(--background)" d="M17 11h39v26H17z"/><path fill="var(--color)" d="M60 37h5a6 6 0 01-6 6H14a6 6 0 01-6-6h5V11.56c0-1.11.13-1.78.5-2.48.36-.67.9-1.22 1.58-1.58a4.8 4.8 0 012.48-.5h37.88a4.8 4.8 0 012.48.5c.67.36 1.22.9 1.58 1.58.37.7.5 1.37.5 2.48V37zM17 11v26h39V11H17z"/></svg></div>
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">Laptop</div>
</div>
<div class="Diagram--node" position="2" path="both">
<div class="Diagram--node-icon"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 73 50"><path fill="var(--background)" d="M17 11h39v28H17z"/><path fill="var(--color)" fill-rule="evenodd" d="M42 31h10v4H42v-4zm14-8H17V11h39v12zm0 4v12H17V27h39zM42 15h10v4H42v-4zM13 43V7h47v36H13z"/></svg></div>
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">ISP</div>
</div>
<div class="Diagram--node" position="3" path="sad">
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">Hijacker</div>
</div>
<div class="Diagram--node" position="3" path="happy">
<div class="Diagram--node-icon"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 73 50"><path fill="var(--background)" d="M17 11h39v28H17z"/><path fill="var(--color)" fill-rule="evenodd" d="M42 31h10v4H42v-4zm14-8H17V11h39v12zm0 4v12H17V27h39zM42 15h10v4H42v-4zM13 43V7h47v36H13z"/></svg></div>
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">Transit</div>
</div>
<div class="Diagram--node" position="4" path="sad">
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">Malicious website</div>
</div>
<div class="Diagram--node" position="4" path="happy">
<div class="Diagram--node-icon"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 73 50"><path fill="var(--background)" d="M22.64 39A9.65 9.65 0 0113 29.33a9.65 9.65 0 0111.6-9.46 14.47 14.47 0 0128.17 4.63 7.24 7.24 0 010 14.5H22.64zm0 0A9.65 9.65 0 0113 29.33a9.65 9.65 0 0111.6-9.46 14.47 14.47 0 0128.17 4.63 7.24 7.24 0 010 14.5H22.64zm0 0A9.65 9.65 0 0113 29.33a9.65 9.65 0 0111.6-9.46 14.47 14.47 0 0128.17 4.63 7.24 7.24 0 010 14.5H22.64z"/><path fill="var(--color)" d="M22.64 37h30.13a5.24 5.24 0 000-10.5h-2v-2a12.47 12.47 0 00-24.27-4l-.57 1.68-1.74-.36A7.66 7.66 0 1022.64 37zM62 31.75c0 5.1-4.13 9.25-9.23 9.25H22.64A11.65 11.65 0 0111 29.33 11.65 11.65 0 0123.31 17.7a16.47 16.47 0 0131.36 5A9.25 9.25 0 0162 31.76z"/></svg></div>
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">Cloud</div>
</div>
<div class="Diagram--node" position="5" path="both">
<div class="Diagram--node-icon"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 73 50"><path fill="var(--background)" d="M22.64 39A9.65 9.65 0 0113 29.33a9.65 9.65 0 0111.6-9.46 14.47 14.47 0 0128.17 4.63 7.24 7.24 0 010 14.5H22.64zm0 0A9.65 9.65 0 0113 29.33a9.65 9.65 0 0111.6-9.46 14.47 14.47 0 0128.17 4.63 7.24 7.24 0 010 14.5H22.64zm0 0A9.65 9.65 0 0113 29.33a9.65 9.65 0 0111.6-9.46 14.47 14.47 0 0128.17 4.63 7.24 7.24 0 010 14.5H22.64z"/><path fill="var(--color)" d="M22.64 37h30.13a5.24 5.24 0 000-10.5h-2v-2a12.47 12.47 0 00-24.27-4l-.57 1.68-1.74-.36A7.66 7.66 0 1022.64 37zM62 31.75c0 5.1-4.13 9.25-9.23 9.25H22.64A11.65 11.65 0 0111 29.33 11.65 11.65 0 0123.31 17.7a16.47 16.47 0 0131.36 5A9.25 9.25 0 0162 31.76z"/></svg></div>
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">Web resource</div>
</div>
</div>
</div>
<div class="Diagram---footer">
<button class="Button Button-is-primary Button-is-elevated" data-js-diagram-toggle-for="unsafe">Hijack the request</button>
</div>
<div class="Spacer"></div>
<div class="Column">
<div class="Markdown">
<p>In order to make BGP safe, we need some way of preventing the spread of this misinformation. Since the Internet is so open and distributed, we can’t prevent malicious nodes from attempting to deceive other nodes in the first place. So instead we need to give nodes the ability to validate the information they receive, so they can reject these undesired routes on their own.</p>
<p>Enter <a href="https://blog.cloudflare.com/rpki/">Resource Public Key Infrastructure (RPKI)</a>, a security framework method that associates a route with an autonomous system. It gets a little technical, but the basic idea is that RPKI uses cryptography to provide nodes with a way of doing this validation.</p>
<p>With RPKI enabled, let’s see what happens to packets after an <em>attempted</em> BGP hijack. Click “<strong>Attempt to hijack</strong>” to visualize how RPKI allows the network to protect itself by invalidating the malicious routes:</p>
</div>
</div>
<div class="Diagram" data-js-diagram="safe" path="happy">
<div class="Diagram--surface">
<h3 class="Diagram--header"><span safe>Safe</span> <span data-js-diagram-header>BGP with RPKI</span></h3>
<div class="Diagram--edge" position="1" path="both">
<div class="Diagram--edge-line"></div>
<div class="Diagram--edge-data"></div>
</div>
<div class="Diagram--edge" position="2" path="switch">
<div class="Diagram--edge-line"></div>
<div class="Diagram--edge-data"></div>
</div>
<div class="Diagram--edge" position="2" path="switch" with-status-color>
<div class="Diagram--edge-line"></div>
<div class="Diagram--edge-data"></div>
</div>
<div class="Diagram--edge" position="3" path="sad">
<div class="Diagram--edge-line"></div>
<div class="Diagram--edge-data"></div>
</div>
<div class="Diagram--edge" position="3" path="happy">
<div class="Diagram--edge-line"></div>
<div class="Diagram--edge-data"></div>
</div>
<div class="Diagram--edge" position="4" path="happy">
<div class="Diagram--edge-line"></div>
<div class="Diagram--edge-data"></div>
</div>
<div class="Diagram--node" position="1" path="both">
<div class="Diagram--node-icon"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 73 50"><path fill="var(--background)" d="M17 11h39v26H17z"/><path fill="var(--color)" d="M60 37h5a6 6 0 01-6 6H14a6 6 0 01-6-6h5V11.56c0-1.11.13-1.78.5-2.48.36-.67.9-1.22 1.58-1.58a4.8 4.8 0 012.48-.5h37.88a4.8 4.8 0 012.48.5c.67.36 1.22.9 1.58 1.58.37.7.5 1.37.5 2.48V37zM17 11v26h39V11H17z"/></svg></div>
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">Laptop</div>
</div>
<div class="Diagram--node" position="2" path="both">
<div class="Diagram--node-icon"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 73 50"><path fill="var(--background)" d="M17 11h39v28H17z"/><path fill="var(--color)" fill-rule="evenodd" d="M42 31h10v4H42v-4zm14-8H17V11h39v12zm0 4v12H17V27h39zM42 15h10v4H42v-4zM13 43V7h47v36H13z"/></svg></div>
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">ISP</div>
</div>
<div class="Diagram--node" position="3" path="sad">
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">Hijacker</div>
</div>
<div class="Diagram--node" position="3" path="happy">
<div class="Diagram--node-icon"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 73 50"><path fill="var(--background)" d="M17 11h39v28H17z"/><path fill="var(--color)" fill-rule="evenodd" d="M42 31h10v4H42v-4zm14-8H17V11h39v12zm0 4v12H17V27h39zM42 15h10v4H42v-4zM13 43V7h47v36H13z"/></svg></div>
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">Transit</div>
</div>
<div class="Diagram--node" position="4" path="sad">
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">Malicious website</div>
</div>
<div class="Diagram--node" position="4" path="happy">
<div class="Diagram--node-icon"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 73 50"><path fill="var(--background)" d="M22.64 39A9.65 9.65 0 0113 29.33a9.65 9.65 0 0111.6-9.46 14.47 14.47 0 0128.17 4.63 7.24 7.24 0 010 14.5H22.64zm0 0A9.65 9.65 0 0113 29.33a9.65 9.65 0 0111.6-9.46 14.47 14.47 0 0128.17 4.63 7.24 7.24 0 010 14.5H22.64zm0 0A9.65 9.65 0 0113 29.33a9.65 9.65 0 0111.6-9.46 14.47 14.47 0 0128.17 4.63 7.24 7.24 0 010 14.5H22.64z"/><path fill="var(--color)" d="M22.64 37h30.13a5.24 5.24 0 000-10.5h-2v-2a12.47 12.47 0 00-24.27-4l-.57 1.68-1.74-.36A7.66 7.66 0 1022.64 37zM62 31.75c0 5.1-4.13 9.25-9.23 9.25H22.64A11.65 11.65 0 0111 29.33 11.65 11.65 0 0123.31 17.7a16.47 16.47 0 0131.36 5A9.25 9.25 0 0162 31.76z"/></svg></div>
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">Cloud</div>
</div>
<div class="Diagram--node" position="5" path="both">
<div class="Diagram--node-icon"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 73 50"><path fill="var(--background)" d="M22.64 39A9.65 9.65 0 0113 29.33a9.65 9.65 0 0111.6-9.46 14.47 14.47 0 0128.17 4.63 7.24 7.24 0 010 14.5H22.64zm0 0A9.65 9.65 0 0113 29.33a9.65 9.65 0 0111.6-9.46 14.47 14.47 0 0128.17 4.63 7.24 7.24 0 010 14.5H22.64zm0 0A9.65 9.65 0 0113 29.33a9.65 9.65 0 0111.6-9.46 14.47 14.47 0 0128.17 4.63 7.24 7.24 0 010 14.5H22.64z"/><path fill="var(--color)" d="M22.64 37h30.13a5.24 5.24 0 000-10.5h-2v-2a12.47 12.47 0 00-24.27-4l-.57 1.68-1.74-.36A7.66 7.66 0 1022.64 37zM62 31.75c0 5.1-4.13 9.25-9.23 9.25H22.64A11.65 11.65 0 0111 29.33 11.65 11.65 0 0123.31 17.7a16.47 16.47 0 0131.36 5A9.25 9.25 0 0162 31.76z"/></svg></div>
<div class="Diagram--node-circle"></div>
<div class="Diagram--node-label">Web resource</div>
</div>
</div>
</div>
<div class="Diagram---footer">
<button class="Button Button-is-primary Button-is-elevated" data-js-diagram-toggle-for="safe">Attempt to hijack</button>
</div>
<div class="Spacer"></div>
<div class="Spacer"></div>
</div>
<div class="Column">
<div class="Stack">
<div class="Markdown">
<h2 id="faq">FAQ</h2>
<details class="FAQItem" id="what-is-bgp" open>
<summary><span>What is BGP?</span></summary>
<p><a href="https://www.cloudflare.com/learning/security/glossary/what-is-bgp/">Border Gateway Protocol (BGP)</a> is the postal service of the Internet. When someone drops a letter into a mailbox, the postal service processes that piece of mail and chooses a fast, efficient route to deliver that letter to its recipient. Similarly, when someone submits data across the Internet, BGP is responsible for looking at all of the available paths that data could travel and picking the best route, which usually means hopping between autonomous systems. <a href="https://www.cloudflare.com/learning/security/glossary/what-is-bgp/">Learn more →</a></p>
</details>
<details class="FAQItem" id="why-is-bgp-unsafe">
<summary><span>Why is BGP unsafe?</span></summary>
<p>By default, BGP does not embed any security protocols. It is up to every autonomous system to implement filtering of “wrong routes”. Leaking routes can break parts of the Internet by making them unreachable. It is commonly the result of misconfigurations. Although, it is not always accidental. A practice called BGP hijack consists of redirecting traffic to another autonomous system to steal information (via phishing, or passive listening for instance).</p>
<p>BGP can be made safe if all autonomous systems (AS) only announce legitimate routes. A route is defined as legitimate when the owner of the resource allows its announcement. Filters need to be built in order to make sure only legitimate routes are accepted. There are a few approaches for BGP route validation which vary in degrees of trustability and efficiency. A mature implementation is RPKI.</p>
</details>
<details class="FAQItem" id="what-is-rpki">
<summary><span>What is RPKI?</span></summary>
<p>With 800k+ routes on the Internet, it is impossible to check them manually. <a href="https://blog.cloudflare.com/rpki/">Resource Public Key Infrastructure (RPKI)</a> is a security framework method that associates a route with an autonomous system. It uses cryptography in order to validate the information before being passed onto the routers. You can <a href="https://blog.cloudflare.com/rpki/">read more about RPKI</a> on the Cloudflare blog.</p>
<p>On May 14th 2020, Job Snijders from NTT presented a free <a href="https://www.brighttalk.com/webcast/5648/396013/rpki-101-with-job-snijders">RPKI 101</a> webinar.</p>
</details>
<details class="FAQItem" id="how-does-the-test-work">
<summary><span>How does the test work?</span></summary>
<p>In order to test if your ISP is implementing BGP safely, we announce a legitimate route but we make sure the announcement is <em>invalid</em>. If you can load the website we host on that route, that means the invalid route was accepted by your ISP. A leaked or a hijacked route would likely be accepted too.</p>
</details>
<details class="FAQItem" id="can-even-more-be-done">
<summary><span>Can even more be done?</span></summary>
<p>Over the years, network operators and developers started working groups to design and deploy standards to overcome unsafe routing protocols. <a href="https://cloudflare.com">Cloudflare</a> recently joined a global initiative called <a href="https://www.manrs.org/2020/03/new-category-of-cdns-and-cloud-providers-join-manrs-to-improve-routing-security/">Mutually Agreed Norms for Routing Security (MANRS)</a>. It’s a community of security-minded organizations committed to making routing infrastructure more robust and secure, and members agree to implement filtering mechanisms. New voices are always appreciated.</p>
</details>
<details class="FAQItem" id="what-can-you-do" open>
<summary><span>What can you do?</span></summary>
<p><a href="https://twitter.com/intent/tweet/?text=Check%20out%20isbgpsafeyet.com%20to%20see%20if%20your%20Internet%20Service%20Provider%20implements%20BGP%20in%20a%20safe%20way%20or%20if%20it%20leaves%20the%20Internet%20vulnerable%20to%20route%20leaks.&url=http%3A%2F%2Fisbgpsafeyet.com&via=Cloudflare">Share this page</a> For BGP to be safe, all of the major ISPs will need to embrace RPKI. Sharing this page will increase awareness of the problem which can ultimately pressure ISPs into implementing RPKI for the good of themselves and the general public. You can also reach out to your service provider or hosting company directly and ask them to deploy RPKI and join MANRS. When the Internet is safe, everybody wins.</p>
</details>
</div>
<div>
<div class="Row Row-is-centered">
<a class="Button Button-is-primary" href="https://twitter.com/intent/tweet/?text=Check%20out%20isbgpsafeyet.com%20to%20see%20if%20your%20Internet%20Service%20Provider%20implements%20BGP%20in%20a%20safe%20way%20or%20if%20it%20leaves%20the%20Internet%20vulnerable%20to%20route%20leaks.&url=http%3A%2F%2Fisbgpsafeyet.com&via=Cloudflare">Share on Twitter →</a>
</div>
</div>
</div>
</div>
<div class="Spacer"></div>
<div class="Spacer"></div>
<div class="Footer">
<div class="Spacer"></div>
<div class="Column">
<div class="Footer--content">
<a class="Footer--logo-link Link Link-without-underline" href="https://cloudflare.com">
<svg class="Footer--logo" id="CloudflareDocsLogomark" xmlns="http://www.w3.org/2000/svg" viewBox="2 12 44 20" role="img" aria-labelledby="CloudflareDocsLogomark--title CloudflareDocsLogomark--desc" fill="currentColor">
<defs>
<title id="CloudflareDocsLogomark--title">Cloudflare docs logomark</title>
<desc id="CloudflareDocsLogomark--desc">The logo for Cloudflare used in Cloudflare’s developer documentation.</desc>
</defs>
<path d="M31.236 28.717c-.373-.548-1.003-.864-1.76-.9l-14.353-.195a.262.262 0 01-.221-.122.348.348 0 01-.035-.267.396.396 0 01.338-.268l14.48-.195c1.714-.085 3.58-1.533 4.232-3.309l.828-2.25a.503.503 0 00.023-.292c-.932-4.404-4.698-7.689-9.198-7.689-4.15 0-7.672 2.798-8.931 6.679a4.156 4.156 0 00-2.973-.864c-1.994.207-3.59 1.874-3.789 3.954a4.84 4.84 0 00.105 1.545c-3.253.097-5.853 2.871-5.853 6.29 0 .304.024.608.059.912.023.146.14.256.28.256h26.488c.151 0 .291-.11.338-.268l.198-.742c.245-.876.152-1.68-.256-2.275zM36.062 21.39c-.128 0-.268 0-.396.012-.093 0-.175.073-.21.17l-.56 2.032c-.244.876-.151 1.679.257 2.275.373.548 1.003.864 1.76.9l3.055.195c.093 0 .175.049.222.122a.356.356 0 01.035.267.396.396 0 01-.339.268l-3.182.195c-1.726.085-3.58 1.532-4.232 3.309l-.234.62c-.046.122.035.243.164.243h10.935a.289.289 0 00.28-.219 8.654 8.654 0 00.292-2.214c0-4.501-3.521-8.175-7.847-8.175"></path>
</svg>
</a>
<div class="Footer--legal">© <script>document.write(new Date().getFullYear() + ' ');</script>Cloudflare, Inc. · <a class="Link Link-without-underline" href="https://www.cloudflare.com/privacypolicy/">Privacy</a> · <a class="Link Link-without-underline" href="https://www.cloudflare.com/website-terms/">Terms</a></div>
</div>
</div>
<div class="Spacer"></div>
</div>
</body>
</html>