Is BGP safe yet?

nemomarx

This actually shows pretty good coverage for this feature, it seems to me. The big American isps do it, the mobile ones do too... How many major isps would we want to implement it to be "safe" and what would that look like? Is this a regional thing? They've only listed 4 unsafe ones on the site and that doesn't seem like a major issue, but maybe they're very large somewhere.

RRRA

Google being shown as unsafe makes me think they have some internal methods for filtering?

bilekas

Google And digital ocean are huge players here but is there a reason they would only have partial coverage? TIM is listed as insecure yet my test is successful. > Your ISP (Telecom Italia S.p.a., AS3269) implements BGP safely. It correctly drops invalid prefixes

commandersaki

I think the test for BGP is Safe is when we stop using it and instead use SCION: https://en.wikipedia.org/wiki/SCION_(Internet_architecture) .

olivier5199

An ISP is marked as unsafe in the table, yet running the test says it is. (same ASN)

NewsaHackO

> A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes. But with HTTPS, they wouldn't be able to actually pose as another website, just delay/black hole the request so it doesn't reach its goal target, right? From the figure, it makes it seem like a person can use BGP to spoof a website and make a user visit a phished website, but that's not right, correct?

maltalex

RPKI doesn't make BGP safe, it makes it safer . BGP hijacks can still happen. RPKI only secures the ownership information of a given prefix, not the path to that prefix. Under RPKI, an attacker can still claim to be on the path to a victim AS, and get the victim's traffic sent to it. The solution to this was supposed to be BGPSec, but it's widely seen as un-deployable.

collabs

Looks like Verizon does it correctly. > Your ISP (Verizon, AS701) implements BGP safely. It correctly drops invalid prefixes.

elashri

Any reasons on why an ISP would not implement it other than effort/cost? Just for someone like me whose networks knowledge is very naive.

kevincloudsec

rpki adoption is the new ipv6 adoption. it looks great until you realize it only validates who owns the prefix, not the path to get there lol

greyface-

RPKI isn't just ROAs anymore, and BGP hijacks can happen at other places than just the first/last hop. Why hasn't this site been updated to test ASPA-invalid prefixes in addition to ROA-invalid ones?

lucasay

RPKI makes BGP safer, not safe. It helps prevent some hijacks, but attackers can still mess with routing paths. Feels like we’re patching a trust-based system rather than fixing it.

volemo

Wikimedia is an ISP?

NetOpWibby

When was the last time this site was updated? It mentions Sprint, which hasn't existed for years.

dorianmariecom

i'm getting: Free SAS ISP signed unsafe but when testing i'm getting a success Your ISP (Free SAS, AS12322) implements BGP safely. It correctly drops invalid prefixes. Tweet this → Details fetch https://valid.rpki.isbgpsafeyet.com correctly accepted valid prefixes fetch https://invalid.rpki.isbgpsafeyet.com correctly rejected invalid prefixes

Levitating

Does not take BGPSec[1] into account, just RPKI. [1]: https://en.wikipedia.org/wiki/BGPsec

surround

The graphic that shows that a hijacker can route traffic to their malicious website is a little misleading. Since the SSL certificate would be invalid, browsers would block the connection and show a warning. I guess the attack could still be used for denial of service.

ifwinterco

Ironic this is from Cloudfare, probably the single entity most likely to be responsible for breaking the internet in 2026