13 August 2024

Internet2 and The Quilt File BGP Routing Security Comments

By Samuel Burns - Internet2 Policy Advisor

Internet2 and The Quilt File Joint Comments

On July 17, 2024, Internet2 and The Quilt filed joint comments in response to a Notice of Proposed Rulemaking on Reporting on Border Gateway Protocol (BGP) Risk Mitigation Progress and Secure Internet Routing (BGP NPRM) at the Federal Communications Commission (FCC). The goal of this filing was to inform the FCC of the steps R&E networks have already taken to improve routing integrity across the community. Although this proceeding applied to mass-market Broadband Internet Access Service (BIAS) providers and not to private R&E networks, Internet2 and The Quilt felt that it was a valuable opportunity to share best practices and lessons learned from the R&E community. Internet2 and The Quilt argue that, ultimately, it is best for the FCC to support “voluntary and consensus-based approaches to improving BGP practices across disparate networks” and that the FCC should “continue to exclude specialized R&E networks from the proposed scope of BGP regulations under consideration.” The comments also recommend not imposing any new technology mandates, which could cause routing integrity efforts to freeze in place as best practices and technologies continue to evolve.

Background

In recent years, the federal government has been increasingly involved in shaping new policy frameworks to enhance the nation’s cybersecurity infrastructure. This includes incorporating best practices and new standards into internal federal networks as well as exploring new tools, guidance, and even requirements for commercial systems. This effort has been formalized in the past year by the introduction of the Biden Administration’s National Cybersecurity Strategy. Released in March 2023, this document laid out a comprehensive plan to promote collaboration across the federal government, outlining how federal agencies should work together to address threats to critical infrastructure, have agencies lead by example through the adoption of best practices, and aid commercial actors struggling against malicious foreign entities.

The Strategy led to two Implementation Plans, one in July 2023 and an updated version in May 2024. One pillar of the original strategy calls for the federal government to “invest in a resilient future.” Both versions of the Implementation Plan direct several agencies, including the FCC, to work under the direction of the Office of the National Cyber Director to “collaborate with key stakeholders to drive secure Internet routing.” As part of this effort, the FCC adopted the NPRM that Internet2 and The Quilt responded to in this filing.

BGP NPRM

The FCC’s proposed rules would require the nine largest service providers to develop BGP Routing Security Risk Management Plans and file them with the FCC. These plans would outline the current status and future plan of action for each service provider to create and maintain Route Origin Authorizations (ROAs) in the Resource Public Key Infrastructure (RPKI). The FCC proposed follow-up reporting from these service providers on the progress made in implementing the filed plans. Smaller providers would also be required to create their own plans under these rules but would not need to file them with the FCC.

Looking Ahead

While the FCC continues to explore its part in implementing the Biden Administration’s National Cybersecurity Strategy, Internet2 and The Quilt will continue to advocate on behalf of the R&E community to ensure that the unique role of R&E networks is understood and accounted for in future federal rulemakings. We support the federal government’s more active role in addressing the ever-evolving threats to our nation’s cyberinfrastructure. However, it is important that any proposed solutions factor in the diverse landscape of interconnected networks that make up the internet. If care is not taken to account for smaller actors who are already addressing routing security issues voluntarily, like R&E networks, the federal government may inadvertently cause harm or impose an undue burden on organizations outside the intended scope of new rules.