FCC Proposes Reporting and Other Obligations To Secure Routing of Internet Traffic

On June 7, 2024, the Federal Communications Commission ("FCC") issued a Notice of Proposed Rulemaking ("NPRM") that would require providers of retail broadband internet access service to create detailed plans to address and provide detailed reports on their progress addressing long-standing security vulnerabilities in the Border Gateway Protocol ("BGP"), the industry standard for routing internet traffic between networks. The FCC claims authority to regulate in the area of internet protocols and security principally based on its recent ruling that retail broadband internet access is a "telecommunications service" within its regulatory jurisdiction.

The NPRM proposes that broadband providers prepare and maintain BGP risk management plans for implementing an industry-standard cryptographically secure system for verifying routing information, known as Resource Public Key Infrastructure, or RPKI. The largest providers would have to file those plans with the FCC, along with periodic updates and reports on progress toward RPKI implementation. Smaller providers would not have to file their plans but would have to make them available for agency inspection on request. The NPRM also seeks comment on setting deployment milestones for large providers' deployment of RPKI, as well as on other steps beyond RPKI that could enhance the security of internetwork routing on the internet.

Background: Internetwork Routing, BGP Hijacking, and Cryptographic Assurance of Legitimate Routes

The internet is a collection of thousands of interconnected networks, called Autonomous Systems, or "ASes." Many of the largest ASes directly connect with each other (called "peering"). However, no AS is connected to all the others, and most smaller ASes are only connected to a few others. This means that an enormous amount of internet traffic must transit multiple networks to reach its destination.

Routers are the devices that direct internet traffic to its proper destination. Routers contain "routing tables" (sometimes called "routing information databases") that indicate which network to send outbound traffic to. If there is a direct connection with the destination network, the routing table tells the router to send the traffic there directly. But where there is no direct connection, the routing table tells the router to send the traffic to an intermediate network; the intermediate network, in turn, will forward the traffic onward—either to another intermediate network or, if a connection exists, to the destination network. This system permits traffic on the internet to reach any destination by means of a series of "hops" from one router to another.

BGP lets providers figure out the best routes between networks. It specifies (among other things) how a network "advertises" to the internet at large which other networks it can and will route traffic to. As these advertisements propagate throughout the internet, BGP updates and optimizes the routing tables in each AS's routers.

This decentralized process—each AS independently advertising the routes it will handle and independently using BGP to update its own routers' routing tables—makes BGP highly scalable and efficient. Indeed, BGP is known as the "'glue' that enables the modern Internet." It plays a critical role in internet routing and is essential for enabling global connectivity.[1]

However, BGP was developed decades ago, and, like some other early internet standards, security was not a key consideration. Instead, BGP operates on a trust-based model: if one AS advertises that it can get traffic to another AS, BGP—and thus the internet as a whole—trusts that claim.

This trust-by-default approach makes BGP vulnerable to routing configuration errors and route hijacking, which can significantly disrupt internet connectivity. For example, the NPRM notes that in 2021, an inadvertent BGP configuration error made it impossible for five hours for anyone on the internet to reach a major social network.[2]

But BGP misconfiguration can be done maliciously as well. For example, a network controlled by foreign actors can advertise that it will efficiently get traffic to popular networks (such as those providing email and social networking services). This will cause traffic bound for those networks to traverse the maliciously controlled network, allowing the foreign actor to surveil and analyze the hijacked traffic. This "BGP hijacking" can result in seizure of IP addresses, theft, exposure of personal information, or disruption of transactions. Before voting on the NPRM, FCC Chairwoman Jessica Rosenworcel remarked that "China Telecom used BGP vulnerabilities to misroute United States internet traffic on at least six occasions."

Resource Public Key Infrastructure (RPKI) secures internet routing by verifying the associations between entities that announce routes to particular ASes and the specific routes those entities announce. RPKI uses digital certificates and cryptographic signatures to ensure that a router can trust that an AS that advertises a route to a particular network actually is authorized to route traffic to that network—thus preventing BGP hijacking.

RKPI is broadly analogous to the "STIR-SHAKEN" system for dealing with spam calls on the traditional telephone network. Indeed, the two systems use similar underlying authentication architecture. Under STIR-SHAKEN, a network receiving traffic gets cryptographic assurance that the inbound call is coming from a legitimate source. Under RPKI, the network sending the traffic gets cryptographic assurance that the traffic is being sent onto a legitimate route. In each case, the system prevents problematic traffic routing.

Proposed BGP Routing Security Risk Management Plans

The FCC proposes to require nine large broadband providers to file BGP Routing Security Risk Management Plans ("BGP Plans") with the FCC. Other providers would be required to prepare BGP Plans but would make them available to FCC staff upon request rather than filing them. All BGP Plans would be treated as confidential which, at a minimum, would allow providers an opportunity to oppose any requested disclosure of their BGP Plans.[3]

Internet traffic routing has been unregulated (other than informally by industry standards), so several different scenarios have arisen that affect which entity (generally, an AS or an entity to which the AS has contractually assigned a range of IP addresses) is in a position to implement RPKI. While noting those different scenarios, NPRM proposes that BGP Plans be required to include:

• Detailed descriptions of providers' processes for assessing and prioritizing the creation and maintenance of Route Origin Authorizations ("ROAs") in the RPKI;
• Detailed descriptions of factors affecting providers' ability to create and maintain ROAs;
• Specific goals for ROA registrations and estimated timetables to meet those goals;
• Criteria for measuring progress;
• Progress toward implementing Route Origin Validation ("ROV") filtering at interconnection points using the ROA repositories to validate routes; and
• Contractual requirements for upstream third parties to provide ROV filtering.[4]

The large service providers would be required to file their initial BGP Plans 90 days after the effective date of the rules contemplated by the NPRM[5] and then annually thereafter.[6] However, providers who attest that they have registered and maintained ROAs "covering at least 90% of originated routes for IP address prefixes under their control" would not have to file subsequent BGP Plans (though such providers would still need to make their BGP Plans available to the FCC upon request).[7]

Quarterly Reports

The nine large service providers would also have to file publicly available quarterly reports starting 30 days after the necessary steps are concluded to allow the rule to take effect and not from the date of publication of the adopted rule in the Federal Register. Quarterly Reports would include the following information concerning both IP address resources allocated by the American Registry for Internet Numbers (ARIN), as well as legacy IP address resources obtained prior to ARIN being established:[8]

• List of all Registry Org_IDs for all ASes, and address allocations to the provider (obtained from WHOIS);
• List of all Autonomous System Numbers (ASNs) held by a provider;
• List of ASNs held by a provider that it uses to originate routes;
• List of address holdings that have been reassigned or reallocated;
• List of IP prefixes in originated routes that are covered by ROAs;
• List of IP prefixes in originated routes that are not covered by an ROA; and
• (Possibly) the extent to which ROV filtering is performed for peers and customers.[9]

Providers other than the nine identified in the NPRM would be excluded from the quarterly reporting requirement.[10]

The Commission suggested that these reporting obligations would provide data that is difficult to reliably aggregate from public sources and that the quarterly reporting cycle and the relatively static nature of the data would keep the reporting obligation from becoming burdensome. In this connection, the FCC noted that a number of repositories of routing data are updated far more frequently (e.g., every five minutes, or every six hours).

The FCC also seeks comment on requiring the submission of information that is presently not available from any public source, including:

• Number of invalid routes received from peers and customers;
• Proportion of invalid routes received relative to the total routes received per peer and customer;
• Number of routes filtered in cases where the provider itself implements RPKI-ROV;
• Number of observed instances, if any, where RPKI-ROV processes were shown to incorrectly deem routes invalid due to inaccurate ROAs or other reasons; and
• Number of origin hijack instances pertinent to routes for the provider's address space that were (a) detected and (b) undetected during the reporting period.[11]

Other Proposed Measures

The NPRM proposes and seeks comment on other measures related to RPKI implementation including:

• Imposing conditions on providers' current and future address space assignment contracts that would ensure that either the provider or the contracting party will report on progress in implementing RPKI;[12]
• Setting certain RPKI deployment goals, such as one year for large network providers and two years for other providers;[13] and
• Requiring large providers to undertake outreach and education efforts to support downstream providers.[14]

The FCC also asks for comments on additional standards and tools it should consider to improve routing security.[15]

The FCC's Authority To Regulate Internet Routing

The FCC emphasizes throughout the NPRM that "the security of BGP is not only critical to public safety but is also critical to national security."[16] While this is undoubtedly true, that does not mean that the FCC has authority to address the issue.

To justify what amounts to the agency's first regulatory foray into internet addressing and routing matters, the NPRM relies on several statutory grounds. First, as noted above, the agency recently reclassified retail broadband internet access as a telecommunications service, subject to its regulatory authority under Title II and, for wireless services, Title III. Ensuring that the routing of end user traffic is handled in a secure manner is, according to the agency, an aspect requiring the providers to act in a "just and reasonable" manner. As it did in extending its regulatory authority to cover retail broadband, the FCC also cites section 706 of the Telecommunications Act of 1996, which the FCC understands authorizes it to use its regulatory tools to encourage the deployment of broadband.

Finally, the FCC claims authority to take steps to avoid BGP hijacking under the Communications for Law Enforcement Act (CALEA).[17] Among other things, CALEA requires covered entities (which include broadband providers) not only to facilitate legally authorized interception of communications by law enforcement, but also to prevent unauthorized interception of communications. Because BGP hijacking could entail unauthorized interception, CALEA, arguably, provides the agency with authority to require providers to take steps to help prevent the unlawful interception of communications.

Next Steps

The proposed rules would affect all retail broadband service providers. Specifically, the nine large providers named in the NPRM would be required to file annual BGP Plans and to submit quarterly reports, while all other providers would be required to prepare BGP Plans to be available on request. Initial BGP Plans would be filed 90 days after the effective date.[18] Quarterly data would be filed 30 days after any approved rule takes effect.[19]

The FCC currently seeks comment on the proposed reporting obligations and related issues noted above. Comments are due 30 days after publication in the Federal Register; replies are due 45 days after publication.

DWT will continue to monitor and advise on this proceeding. Entities that would be subject to the new proposed rules should feel free to reach out to discuss how those rules might affect their provision of broadband services and whether filing comments would be useful.