Cloudflare
2026-06-03
Industry Signal Impact: Major Conf: 95%

Cloudflare Reveals Half of Tier 1 Networks Fail to Enforce BGP First AS Check

Summary

Cloudflare tested Tier 1 networks by advertising a test prefix whose AS_PATH deliberately violated the First AS rule (the leftmost AS in the path did not match the AS of the peer advertising it). Half of them (Verizon, NTT, Lumen, etc.) accepted the malformed routes, exposing a critical BGP security gap. Juniper routers, which most of the failing networks run, do not enforce First AS by default, which enables AS_PATH forgery attacks that RPKI and ASPA cannot catch.

Key Takeaways

Cloudflare tested Tier 1 providers by advertising test prefixes with a deliberately malformed AS_PATH: AS402542 was placed ahead of Cloudflare's own AS13335, so the leftmost AS no longer matched the advertising peer. Comparing normal anycast propagation of 1.1.1.0/24 against the violating prefix 162.159.82.0/24, they found that Verizon (AS701), NTT (AS2914), Lumen/Colt/Cirion (AS3356), Zayo (AS6461), Sparkle (AS6762), Liberty Global (AS6830), and Telefonica (AS12956) accepted and propagated the malformed routes. Arelion (AS1299), GTT (AS3257), Orange (AS5511) and others correctly dropped them.

Most failing Tier 1 networks ran Juniper routers. The blog lists vendor defaults: Cisco, Arista, Huawei, OpenBGPD, FRR (since Oct 2023) enable First AS enforcement by default; Juniper, Nokia, Extreme, RouterOS, BIRD do not.

The article explains that ASPA cannot prevent attacks where the hijacker forges the entire AS_PATH, for example AS64505 omitting its own ASN so the path appears to originate directly from AS13335. ASPA validates the AS pairs inside the path; a path that contains no trace of the hijacker looks like a legitimate direct announcement. Only checking that the leftmost AS matches the ASN of the session peer can stop such hijacks, because that check uses the peer's identity rather than the contents of the path. RFC 7606 requires treat-as-withdraw for syntactically malformed AS_PATH attributes and recommends it for First AS violations, so a single bad UPDATE drops the offending route instead of resetting the whole session.
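The check described above, as an added example that is not part of the Cloudflare post or of any vendor's code: a small Python model of an eBGP receiver that parses the AS_PATH attribute (RFC 4271 encoding, 4-byte ASNs as negotiated with the AS4 capability), applies the First AS rule against the session peer's ASN, and handles failures with treat-as-withdraw on an Adj-RIB-In rather than a session reset. The sample updates are constructed to mirror the experiment in the post (the normal AS13335 path, the AS402542-prefixed path, a hijacker AS64505 sending a path with its own ASN stripped, and a transparent IXP route server with a made-up ASN 64600); they are not captures of real traffic.

```python
"""First AS check over BGP AS_PATH attributes (RFC 4271 s6.3, RFC 7606 s7.8).

Added example: models only plain eBGP sessions; confederation segments are
parsed but not given special treatment.
"""
from dataclasses import dataclass, field
import struct

AS_SET = 1
AS_SEQUENCE = 2
AS_CONFED_SEQUENCE = 3
AS_CONFED_SET = 4
VALID_SEGMENT_TYPES = (AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET)


def encode_as_path(segments):
    """Encode [(type, [asn, ...]), ...] as AS_PATH attribute value bytes (4-byte ASNs)."""
    out = bytearray()
    for seg_type, asns in segments:
        if not 1 <= len(asns) <= 255:
            raise ValueError("segment length out of range")
        out += struct.pack("!BB", seg_type, len(asns))
        for asn in asns:
            out += struct.pack("!I", asn)
    return bytes(out)


def decode_as_path(data):
    """Parse AS_PATH value bytes; raise ValueError if syntactically malformed."""
    segments = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated segment header")
        seg_type, count = data[i], data[i + 1]
        i += 2
        if seg_type not in VALID_SEGMENT_TYPES or count == 0:
            raise ValueError("bad segment type or zero-length segment")
        need = 4 * count
        if len(data) - i < need:
            raise ValueError("truncated segment body")
        segments.append((seg_type, list(struct.unpack("!%dI" % count, data[i:i + need]))))
        i += need
    return segments


def first_as_check(data, peer_asn, *, enforce=True, transparent_route_server=False):
    """Return 'accept' or 'treat-as-withdraw' for an eBGP UPDATE carrying this AS_PATH."""
    try:
        segments = decode_as_path(data)
    except ValueError:
        return "treat-as-withdraw"  # syntactically malformed: RFC 7606 treat-as-withdraw
    if not enforce or transparent_route_server:
        return "accept"  # vendor default off, or RS peer that does not prepend its own AS
    if not segments:
        return "treat-as-withdraw"  # empty path from an eBGP peer: peer never prepended itself
    seg_type, asns = segments[0]
    # The rule compares the leftmost AS with the ASN configured for the session peer,
    # so a path whose contents look legitimate still fails if the wrong peer sent it.
    if seg_type != AS_SEQUENCE or asns[0] != peer_asn:
        return "treat-as-withdraw"
    return "accept"


@dataclass
class AdjRibIn:
    """Per-peer routes keyed by (peer_asn, prefix)."""
    routes: dict = field(default_factory=dict)

    def apply_update(self, peer_asn, prefix, as_path_bytes, **opts):
        verdict = first_as_check(as_path_bytes, peer_asn, **opts)
        key = (peer_asn, prefix)
        if verdict == "accept":
            self.routes[key] = decode_as_path(as_path_bytes)
        else:
            self.routes.pop(key, None)  # treat-as-withdraw: drop the route, keep the session
        return verdict


def demo():
    """Run the constructed cases; returns (verdicts, rib)."""
    rib = AdjRibIn()
    v = {}
    normal = encode_as_path([(AS_SEQUENCE, [13335])])
    violated = encode_as_path([(AS_SEQUENCE, [402542, 13335])])
    v["anycast_from_13335"] = rib.apply_update(13335, "1.1.1.0/24", normal)
    # A router with the vendor default (check off) installs the violating route ...
    v["violated_no_enforce"] = rib.apply_update(13335, "162.159.82.0/24", violated, enforce=False)
    # ... and the same UPDATE with the check on withdraws it instead of resetting the session.
    v["violated_enforced"] = rib.apply_update(13335, "162.159.82.0/24", violated)
    # Hijacker AS64505 strips its own ASN: path bytes identical to the genuine one.
    v["forged_from_64505"] = rib.apply_update(64505, "1.1.1.0/24", normal)
    # Transparent IXP route server (constructed ASN 64600) relays [13335] unchanged.
    v["rs_enforced"] = rib.apply_update(64600, "1.1.1.0/24", normal)
    v["rs_excluded"] = rib.apply_update(64600, "1.1.1.0/24", normal, transparent_route_server=True)
    v["leading_as_set"] = rib.apply_update(13335, "1.1.1.0/24", encode_as_path([(AS_SET, [13335, 402542])]))
    v["truncated"] = rib.apply_update(13335, "1.1.1.0/24", violated[:5])
    return v, rib


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print("%-22s %s" % (name, verdict))
```

The forged-path and route-server cases carry byte-identical AS_PATHs: what decides the verdict is which session the UPDATE arrived on, which is why the check needs no RPKI data but also why it must be switched off per session for transparent route servers rather than globally.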

Why It Matters

Cloudflare's blog is a public audit pressuring Juniper and Nokia by highlighting their insecure default BGP configuration. Competitors like Cisco and Arista can exploit this to gain market share. Enterprises using Juniper must enable enforce-first-as by hand, and doing so carelessly breaks peering with transparent IXP route servers: a route server does not insert its own AS into the AS_PATH, so every route it relays fails the check unless that session is excluded, which adds per-peer policy work.

The report downplays the risk of false positives: enabling First AS enforcement globally can withdraw every route learned from an IXP route server unless those sessions are explicitly excluded. The test also covers only Tier 1 networks; smaller ISPs running the same vendor defaults are likely in the same position, so the exposed surface is wider than the list above.

This shifts the security control point from centralized RPKI/ASPA data toward distributed per-peer validation: the First AS check needs nothing beyond the peer ASN already configured on each session, which lowers the barrier to entry for route hijack prevention but increases edge device policy management costs.

PRO Decision

【Vendors (Competitors)】

  • Cisco and Arista should immediately publish whitepapers contrasting their default bgp enforce-first-as with Juniper/Nokia's insecure defaults. Include Cloudflare's test data in RFP requirements for network equipment.
  • FRR and OpenBGPD can promote their default secure configurations and collaborate with cloud providers to push First AS checking as a BGP security baseline.

【Enterprises (CIOs/Architects)】

  • Audit all border routers for enforce-first-as configuration. For Juniper, enable it per group (set protocols bgp group <name> enforce-first-as) and exclude sessions to transparent IXP route servers, which do not prepend their own AS and would otherwise have every route rejected (Junos: no-enforce-first-as on that group).
  • Implement multi-layer BGP security: RPKI + ASPA + First AS check. Add inbound policies for AS_PATH integrity (max length, AS_SET filtering).
  • Demand upstream providers prove First AS enforcement compliance; consider switching if not enforced.

【Investors】

  • Monitor Juniper and Nokia for reputational damage from this disclosure; expect Cisco/Arista to gain share in security-conscious segments.
  • Cloudflare strengthens its internet security brand, potentially boosting adoption of its BGP security services.
  • Routing security startups (Noction, BGPMon) may see increased demand for audit tools.

Source: blog