Border Gateway Protocol: Why securing routing remains unfinished work
How do you secure the Border Gateway Protocol — a system born when the internet was a collegial research network and trust was implicit? That question drives current efforts to harden the routing fabric that tells packets where to go. After decades of research, standards work, and operational improvements, the fixes are meaningful but incomplete. Deployment is patchy, incentives are misaligned, and complexity and cost slow progress.
BGP functions like the postal service of the internet: autonomous systems (ASes) — the networks run by carriers, cloud providers, universities, and enterprises — announce which IP prefixes they reach, and BGP propagates that information so routers can forward traffic. The original protocol assumes announcements are truthful. That assumption was tolerable when relationships were mostly bilateral and well understood; today, misconfigurations and malicious route announcements can reroute, intercept, or blackhole traffic across continents in minutes.
Visible incidents have exposed the stakes. Accidental announcements have knocked major content providers offline. Deliberate hijacks have been used to steal cryptocurrency and intercept credentials. Nation-states have manipulated routing for espionage. These events show routing insecurity is practical and exploitable, not merely theoretical. To respond, the community has advanced two broad families of mitigations: cryptographic validation of routing data, and operational best practices supported by monitoring.
Cryptography: RPKI and BGPsec
Resource Public Key Infrastructure (RPKI) and BGPsec are the headline cryptographic approaches. RPKI lets prefix holders state which AS is authorized to originate routes for their address space. Those declarations yield Route Origin Authorizations (ROAs) that validators use to classify announcements as valid, invalid, or unknown. Where validators and policy are properly configured, RPKI reduces obvious origin-based hijacks.
BGPsec goes further by proposing cryptographic signatures that vouch for the AS path itself, preventing intermediate ASes from tampering with advertised paths. In theory, BGPsec would make path manipulation far harder, but its practical hurdles are substantial: cryptographic operations impose computational overhead, routers and vendors must adopt protocol extensions, and key management and interoperability create real deployment friction.
Operational defenses: MANRS, filtering, and monitoring
Operational mitigations are pragmatic and, when applied consistently, effective. The Mutually Agreed Norms for Routing Security (MANRS) initiative encourages best practices such as route filtering, prefix limits, and broad use of monitoring and automated alerting. These controls reduce accidental leaks and make malicious hijacks easier to detect and remediate.
Yet operational controls depend on disciplined, ongoing maintenance. Smaller operators with limited staff struggle to keep filters and limits current. Incentives are uneven: tightening your own routing hygiene often benefits the wider ecosystem more than the tightening operator, creating a classic collective-action problem.
Where things stand
Progress is real but partial. RPKI adoption has grown: large cloud providers, content delivery networks, and many Tier 1/2 networks publish ROAs and validate incoming routes. Operators report fewer clear origin-based hijacks where invalidity is obvious. Still, adoption is far from universal. Many networks continue to accept unvalidated announcements, and some avoid strict reject invalid policies because the global RPKI dataset has been perceived as incomplete or brittle.
BGPsec largely remains on paper. Although vendors have improved hardware performance and prototyping, the cost of transition, protocol changes, and the need for broad adoption mean BGPsec is a long-term project rather than a near-term fix.
Operational mitigations deliver when consistently applied. MANRS membership and better filtering at peering points prevent common mistakes. But human error and maintenance burdens remain persistent problems, and smaller operators often lack the resources to sustain rigorous route hygiene.
Why routing security matters
Routing insecurity threatens confidentiality, integrity, and availability. Hijacks have been used for espionage, credential theft, and theft of cryptocurrency; they can take services offline or divert traffic through surveillance infrastructure. Because routing is decentralized, an announcement in one region can have global effects. The economic and reputational consequences for providers and customers can be severe and long-lasting.
Diverse perspectives shape the debate
Technologists favor layered defenses: measurement studies and operational experience show that RPKI combined with vigilant route filtering reduces incidents. They also warn about half measures — for example, publishing ROAs without widespread validator deployment can create unpredictable behavior and a false sense of security.
Policymakers wrestle with trade-offs. RPKI creates authoritative records of address ownership that many find attractive, but others worry about centralizing trust or political influence over certificate repositories. Cross-border routing complicates national policies; actions in one jurisdiction can ripple internationally.
Users and businesses want reliable, private service, but most do not understand routing protocols. That disconnect makes it harder to generate market pressure for upstream security investments. Adversaries, meanwhile, exploit weak routing because low-cost, high-reward attacks like short-lived hijacks can yield credentials or intercept traffic stealthily.
Paths forward: technical, operational, and policy convergence
Real progress will come from a combination of technical innovation, operational tooling, and policy measures:
– Broader RPKI adoption alongside widespread validator deployment and sensible reject invalid policies where safe.
– Incremental or hybrid path-validation approaches that balance security, performance, and interoperability instead of an all-or-nothing leap to BGPsec.
– Improved tooling, automation, and shared playbooks to reduce the operational burden on smaller networks.
– International cooperation on governance, clearer transparency around RPKI trust anchors, and accountability to reduce fears of centralization.
The social dimension
The internet’s routing system is not governed by a single authority; it emerges from thousands of independent networks making bilateral choices. Incentives must align: operators need low-cost, low-risk tools; vendors must bake validation into gear without crippling performance; policymakers must craft frameworks that encourage trust without concentrating control. As researcher Geoff Huston emphasizes, securing infrastructure requires a systems approach—protocol design alone is insufficient if operators don’t adopt it.
Conclusion: Border Gateway Protocol security will be incremental
We have better tools, clearer operational playbooks, and a growing community committed to routing security. Yet the Border Gateway Protocol’s deep legacy, economic frictions, and motivated adversaries mean progress will be steady and incremental rather than a one-time fix. The question is not whether we can secure BGP in theory; it is whether the many stewards of the internet can act together, at speed and scale, aligning incentives and practices to meet today’s threats.




