RPKI - Resource Public Key Infrastructure

At 22:00 on Monday 9 December REANNZ will enable Resource Public Key Infrastructure (RPKI) validation and begin rejecting invalid routes on all our non-member connections. These are the international transit, NREN and R&E connections and peering exchanges.

RPKI can be seen as two main functions, the creating of Route Origin Authority (ROA) records, and routing policy that acts on the information contained in these records. REANNZ will be enabling the second half of RPKI, a routing policy that acts on the ROA records. This means we will start rejecting routes from third parties where those routes fail the RPKI checks.

RPKI is a collection of tools and standards (RFC 6480 published in 2012) designed to improve routing security. RPKI is a community-driven system supported by open source software developers, router vendors and all five Regional Internet Registries (RIRs) i.e. ARIN, APNIC, AFRINIC, LACNIC and RIPE NCC.[1]  RPKI has been supported by these groups and major network vendors since 2011 but has only been recently gaining traction in the industry. Where HTTPS and DNSSEC use public key cryptography and certificates to create trust while browsing the web, RPKI uses those same technologies to establish authoritative information about the routing our networks rely on.

The internet is a network of many independent networks that are known as Autonomous Systems (AS). Each AS is assigned a large chunk of IP addresses that connect smaller networks or computers to each other. The Autonomous Systems then use the Border Gateway Control (BGP) to determine the shortest route to each other. RPKI is currently used to enable these holders of IP addresses to make an authoriative statement about which AS is authorised to use their prefix in the BGP.[2] Other network operators can download and validate these statements and use this information to influence their routing decisions. This process if referred to as Route Origin Validation (ROV).[3]

The RPKI is designed to authenticate route origins via cryptographic certificate chains. This certification is a security framework that proves the association between specific IP address blocks or AS numbers and the holders of those internet number resources. In RPKI resources are initially distributed by the IANA to the Regional Internet Registries (RIRs), that distribute them to National or Local Internet registries, who in turn distribute the resources to their customers.[4]

A benefit of resource certification is that routing information corresponds to the resources of the delegated IP address, providing proof that they hold these resources and have the right to use the IP address. Resource holders can also provide clear evidence of their resources when distributing them to customers and users. This information can then be protected with a digital signature. Any attempt to alter the information causes the signature to be invalidated. Only resource holders are delegated ‘right of use’ that can generate these signatures that link to their authorised AS number. Implementing RPKI can be a good step towards better BGP route security as RPKI provides another level of security to route origin.[5]

Enabling RPKI is part of a larger piece of work to ensure that the REANNZ network is MANRS (Mutually Agreed Norms for Routing Security) compliant. MANRS is a set of best practice guidelines and recommendations for network operators and internet exchange operators to improve the security of their networks and the internet as a whole. It creates a baseline of expectations for routing security using simple but concrete actions, which are designed to reduce the most common routing threats including BGP hijacking.[6] These actions include filtering, anti-spoofing, coordination and global validation.[7] Filtering false announcements prevents distorting the internet roadmap, anti-spoofing enables source address validation to prevent spoofed packets from entering or leaving a network. Coordination and global validation maintain globally accessible contact information in common places, and the publishing of that data and IPS routing policies and prefixes means that prefixes can be validated by third parties.[8]

Network operators have a responsibility to take steps to contribute to a globally robust and secure routing infrastructure. Routing security depends on collaborative actions to help secure the global routing system as a whole. REANNZ has recently completed the Resource Public Key Infrastructure process for our address space, so should you have any questions please contact help@reannz.co.nz. For more information or any other questions not listed in the FAQs below please contact info@reannz.co.nz.

FAQ

Does this mean I don't need my firewall or anti-virus anymore?

Sadly not. Security in any modern enterprise consists of many layers, each of which improve your overall security. RPKI is another layer, but it's certainly not a replacement for your existing security measures.

Will there be any impact to my users when REANNZ deploys RPKI?

Possibly. When we deploy RPKI we will start dropping a small number of routes which will then become unreachable. The majority of these are the result of mistakes made by address owners when creating ROA's for their address space. Anecdotal evidence from other network operators deploying RPKI is that these errors are usually resolved quickly when the owners of the address space are contacted. Failing that, we are able to add exceptions to our systems to work around any issues that arise.

Who else is deploying RPKI?

The first major player to announce their deployment of RPKI was Cloudflare[9]. Cloudflare claims up to 10% of all internet traffic is delivered from their CDN. More recently AT&T announced their deployment[10]. AT&T is one of the largest network operators in the world.

My users haven't been affected by route hijacking, why bother?

Although most of us haven't seen the negative effects of route hijacking yet, recent attacks have demonstrated there is money to be made by bad actors performing these attacks. In one recent example, route hijacking was used to perform advertisement impression fraud and it's believed those involved were able to make US$29M[11]. It's reasonable to assume the frequency and sophistication of these attacks will grow.

I've read there are ways to circumvent RPKI, is that true?

Yes. RPKI enhances routing security, but it is not a perfect solution. A determined attacker can still perform route hijacking, but with RPKI enabled this is considerably harder. There is ongoing work in the standard bodies to enhance RPKI or introduce new standards that will further tighten routing security, but in the meantime RPKI is a good step in the right direction.

 

[1] https://rpki.readthedocs.io/en/latest/about/introduction.html#doc-about-intro

[2] https://arstechnica.com/information-technology/2018/12/how-3ves-bgp-hijackers-eluded-the-internet-and-made-29m/

[3] https://rpki.readthedocs.io/en/latest/about/introduction.html#doc-about-intro

[4] https://www.apnic.net/community/security/resource-certification/

[5] https://www.apnic.net/community/security/resource-certification/

[6] https://www.internetsociety.org/blog/2018/05/what-is-bgp-hijacking-anyway/

[7] https://www.manrs.org/

[8] https://www.manrs.org/

[9] https://blog.cloudflare.com/rpki

[10] https://mailman.nanog.org/pipermail/nanog/2019-February/099501.html

[11] https://arstechnica.com/information-technology/2018/12/how-3ves-bgp-hijackers-eluded-the-internet-and-made-29m

Find anything about our products, services, and more. Enter a query in the search input above.