Wired Claims Border Gateway Protocol Is “The Internet’s Biggest Security Hole”

Border Gateway Protocol (BGP) is not about showing your passport when you come from Mexico into the United States.  It’s about the internet.  It’s about the very core of the internet and how billions of randomly placed computers can somehow all communicate together.

When your typical everyday web surfer types in the name of the website they want to go to (like InsanIT.net), a Domain Name System (DNS) server looks up that name and returns the actual IP address for that website.  That's because the internet doesn’t connect to other computers by names.  It connects to other computers by specific IP address numbers.  But people don’t want to type in 127.000.000.001 to go to a website.  They want to type in InsanIT.net.  So a DNS server is just a big lookup table that automatically tells your computer that InsanIT.net is actually address 127.0.0.1.  (For those who aren’t aware of this, 127.0.0.1 is not actually InsanIT.net’s IP address.)

How does that relate to BGP?  I’m getting there.

The shortest distance between two points is a straight line.  But the fastest distance between two points takes a complicated look-up procedure.  Because you don’t want the loading of the webpage data to have to go from here to Shanghai and back just to get to you, you want the fastest possible route between your network and the computer that holds the web page you want.  So what happens is that when your request for the address 127.0.0.1 (to continue the above example) comes to your Internet Service Provider (ISP) to hit the great wide internet, the ISP typically has a router that consults a BGP table for the fastest route from you to the webpage that you want.

Now that BGP table is like any train station or bus route table in that it shows the best way for you to get from Point A to Point B.  But how is that table made?  It’s “easy”.  The table is made from “advertisements” of Autonomous Systems (AS).  Say I’m a big internet pipeline layer.  I have a BGP router.  I tell my BGP router to advertise to ISPs that my great wide internet pipe can deliver to Address A through Address C at a blazing speed.  ISPs pick up my announcements (in a completely automated way) and build their tables.

Now, here’s the kicker.  Here is where Wired has an interesting if not scary point.  Who says that I’m telling the truth?  Who says that my BGP router really can deliver the fastest route?  Well?  No one does.  It’s just assumed that all BGP routers are honest.  That’s how the BGP is flawed.  By design it figures that every BGP router tells the truth.

Why is this so important?  What is the worst that could happen then if my BGP router is intentionally lying?  So it just takes a little longer for my web page to load?

No.

What Pakistan semi-accidentally proved is that such a simple trick can be used not just to slow down the flow of information on the internet, but to completely block a website from being accessed by potentially anyone.

That’s bad enough.

But at the recent DEFCON 16, “Tony” Kapela (data center and network director at 5Nines Data) and Alex Pilosov (CEO of Pilosoft) showed us that it’s much, much worse than that.

It turns out that you don’t have to break the internet when you do something like this.  You can actually engineer it to make the web page request go through, to keep the data truckin’ on.  But you still get to read all of that data as it passes on by.  You can snoop to your little heart’s content, with no one the wiser.  This isn’t just web pages we’re talking about.  It’s “secure” internet shopping and all of your credit card data.  It’s every last email.  It’s corporate espionage.  For any unencrypted data it’s a complete breakdown of all security.  The only potentially safe data is encrypted data.  And even that’s not 100% guaranteed, as encryption can be broken.

But, in fact, it can be even more malicious than that.  You can theoretically alter the data as it passes through.  You could, say, change what loads on a webpage.  Or what comes through in an email.  You could literally control what people see, and all without anyone’s knowing.

THAT is what has Wired (and so many security-conscious people) in an uproar.  The Border Gateway Protocol is inherently unsafe.  It takes a little more knowledge than usual to perform this kind of hack, and requires you to buy a BGP router and put yourself into the system, but it isn’t beyond the realm of possibility.  And once you’re in, you’re golden, because there are no errors.  Everything looks completely legit.  All because the BGP architecture is completely based on trust.

Stephen Kent (chief scientist for information security at BBN Technologies) has been working on solutions to fix this very issue for years.  He has even privately demonstrated a similar BGP interception for the Departments of Defense and Homeland Security.

So rest assured that this issue is not being ignored.  There are several possible solutions.  One day the BGP system will be based less on trust and more on security.
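The trust problem described above, next to one possible fix, as an added example that is not part of the original article: a toy route table that believes every announcement, and the same table with route origin validation (the valid / invalid / not-found classification defined in RFC 6811). The article does not say which solutions it has in mind, so origin validation is an assumption here; the prefixes, AS numbers and function names are constructed, and the table keeps one route per prefix with no path selection.

```python
import ipaddress

# Constructed authorisation records (prefix, max length, origin AS), using
# documentation address ranges and documentation AS numbers only.
ROAS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    (ipaddress.ip_network("203.0.113.0/24"), 25, 64497),
]

# Constructed announcements as (prefix, origin AS) pairs.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # matches its record
    ("192.0.2.0/25", 64511),      # covered, but wrong origin and too long
    ("203.0.113.128/25", 64497),  # within the permitted max length
    ("198.51.100.0/24", 64500),   # nobody has published a record for it
]


def validate(prefix, origin_as, roas=ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        if route.version != roa_prefix.version or not route.subnet_of(roa_prefix):
            continue
        covered = True
        if roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def build_table(announcements, check_origin):
    """Map prefix -> origin AS; drop 'invalid' routes only if check_origin."""
    table = {}
    for prefix, origin_as in announcements:
        if check_origin and validate(prefix, origin_as) == "invalid":
            continue
        table[ipaddress.ip_network(prefix)] = origin_as
    return table


def origin_for(table, destination):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(destination)
    matches = [p for p in table if addr in p]
    return table[max(matches, key=lambda p: p.prefixlen)] if matches else None


if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(prefix, asn, validate(prefix, asn))
```

The 'not-found' result matters in practice: a prefix with no published record cannot be checked at all, so this kind of validation only protects address space whose holder has registered it.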

But until then, don’t ever assume that the internet is safe.  Your best approach is still the simplest approach: encrypt your important data.  Security doesn’t just happen.  You have to make it happen.



3 Comments

  1. SSL Server:

    Up that translates between two dissimilar protocols, for example Prodigy has a gateway that translates between its internal, mail format. SSL Server
