Network and Engineering
Improved BGP Routing Security Adds Another Important Layer of Protection to Online Networks
As part of our ongoing efforts to improve the robust security of our network and protection of our customers, we recently improved our Border Gateway Protocol (BGP) security by deploying Resource Public Key Infrastructure (RPKI) validation and signing across our network. These are important steps to ensure the security and reliability of the routing infrastructure of our network and other networks around the world that exchange packets with the Comcast network.
BGP is an important Internet protocol that determines how packets are routed between networks. One issue with BGP is that it can be susceptible to so-called route “leaks” and route “hijacks” that can cause connectivity problems or lead to potential security issues (either through configuration errors or malicious attacks). For example, an attacker could try to hijack the IP addresses for a financial institution and redirect global traffic intended for those addresses to a network or site that the attacker controls.
Fortunately, the technical community has collaborated over the past few years to develop solutions that can mitigate such security and reliability risks. Using RPKI data with BGP is among those measures. In practical terms, it means that Comcast now both cryptographically signs route information and validates the cryptographic signatures of other networks’ route information. This helps to ensure that packets get to their intended destinations intact and cannot be hijacked or leaked to other destinations, making the network – and Internet traffic more generally – more secure and resilient for all users.
Given the size and technical diversity of our network, deploying RPKI represented a significant effort, yet we were able to implement the update without disrupting performance for our customers. We greatly appreciated the close collaboration with our network operator colleagues as we jointly tested our deployment, as well as the helpful insights we obtained from their deployment experiences.
We started our work on this effort in 2014 as original signers of the Routing Resilience Manifesto and later as founding members of the Internet Society’s Mutually Assured Norms in Routing Security (MANRS). In addition, since 2015, we’ve made grants from the Comcast Innovation Fund to support the development of critical open-source software used by many networks to deploy and monitor RPKI. We have also worked with the National Cybersecurity Center of Excellence (NCCOE) and National Institute of Standards and Technology (NIST) on industry best practices for protecting the integrity of Internet routing.
There’s nothing more important than keeping our customers and their information safe and secure, and we protect them and our technology with multiple layers of security from the core of our network all the way down to our customers’ homes. We’re pleased to be able to add upgraded BGP security as yet another layer along with 24/7 security monitoring, advanced network-level defenses, and powerful customer tools like xFi Advanced Security to ensure our continued ability to achieve these key goals.
Jason Livingood is Vice President, Technology Policy & Standards at Comcast Cable.