RPKI (Resource Public Key Infrastructure)

RPKI Definition

Resource Public Key Infrastructure (RPKI) is a system designed to secure the Border Gateway Protocol (BGP), which is critical for the functioning of the internet. RPKI allows network operators to cryptographically verify the legitimacy of IP address prefixes and the autonomous systems that announce them.

How RPKI Works

RPKI provides a mechanism for IP address space holders to verify their association with specific IP prefixes through the issuance of digitally signed certificates. These certificates, issued by Regional Internet Registries (RIRs), match IP address blocks to the autonomous systems that are authorized to announce them. With RPKI, network operators can check the validity of route advertisements by validating them against the RPKI data, ensuring that the announced routes originate from legitimate sources.

RPKI operates on a hierarchical model. At the top level, there are the RIRs, which are responsible for managing IP address allocations and issuing certificates. The RIRs, such as the American Registry for Internet Numbers (ARIN) and the Asia-Pacific Network Information Centre (APNIC), issue certificates to Internet Service Providers (ISPs) and other entities that hold IP address space. These certificates contain information about the IP address blocks and the autonomous systems authorized to announce them.

When an ISP or network operator receives a route advertisement through BGP, they can use RPKI to verify its legitimacy. This involves checking the digital signature of the announcement and matching the IP prefix and autonomous system number (ASN) against the RPKI data. If the announcement matches a valid certificate in the RPKI repository, it is considered legitimate. If not, the network operator can take appropriate actions, such as filtering or rejecting the route.

Prevention Tips

To enhance the security and reliability of BGP routing, network operators can take the following actions:

• Deploy RPKI Validation: Configure internet routers to perform RPKI validation. This ensures that only route announcements that are verified against the RPKI data are accepted.
• Regularly Check RPKI Status: Network operators should periodically check the RPKI status of their IP address space using RPKI validators. These tools provide real-time information about the validity of route origin authorizations (ROAs) and help identify any potential misconfigurations or unauthorized announcements.
• Participate in RPKI: Network operators should actively participate in RPKI by acquiring and maintaining ROAs for their IP address space. ROAs are digitally signed documents that specify the prefixes that an authorized autonomous system (AS) is allowed to originate. By creating and publishing ROAs, network operators can enforce route origin validation and protect against route hijacking and accidental route leakage.

Related Terms

• BGP (Border Gateway Protocol): The protocol that enables the routing of internet traffic between autonomous systems.
• ROA (Route Origin Authorization): A digitally signed document that specifies the prefix that an authorized AS is allowed to originate.

RPKI Benefits and Importance

RPKI plays a crucial role in improving the security and resilience of the internet's routing infrastructure. By cryptographically verifying the legitimacy of IP address prefixes and the autonomous systems announcing them, RPKI helps mitigate various routing threats, such as route hijacking, accidental route leakage, and IP address spoofing.

1. Route Hijacking Prevention: Route hijacking occurs when an unauthorized entity falsely announces ownership of IP address prefixes, causing internet traffic to be diverted to unauthorized networks. RPKI enables network operators to validate the legitimacy of route advertisements, reducing the risk of route hijacks and ensuring that internet traffic follows the intended paths.

2. Accidental Route Leakage Mitigation: Accidental route leakage happens when an autonomous system mistakenly advertises routes that it is not authorized to announce, potentially causing disruptions or impacting the stability of the internet. RPKI allows network operators to verify the authorization of route announcements, helping prevent accidental route leaks and ensuring the accuracy of routing information.

3. IP Address Spoofing Protection: IP address spoofing is a technique used by attackers to impersonate the source IP address of network packets, enabling various malicious activities, such as Distributed Denial of Service (DDoS) attacks and network reconnaissance. RPKI, combined with other security measures like BGP prefix filtering, helps mitigate IP address spoofing by verifying the ownership and authorization of IP address prefixes.

4. Enhanced Routing Security: RPKI strengthens the overall security of the Border Gateway Protocol (BGP), which is fundamental to internet routing. By providing cryptographic verification mechanisms, RPKI reduces the potential for BGP-related security incidents and helps protect against route hijacks, route leaks, and other routing attacks that can disrupt internet connectivity and compromise data integrity.

5. Internet Stability and Trustworthiness: By implementing RPKI and participating in the validation process, network operators contribute to the overall stability and trustworthiness of the internet. Validating route advertisements and preventing unauthorized announcements help establish a more robust and reliable routing infrastructure, enhancing the end-user experience and ensuring the integrity of communications across networks.

It is worth noting that while RPKI brings significant benefits to the security of BGP routing, its adoption and deployment are ongoing processes. Encouraging widespread participation and collaboration among network operators, ISPs, and RIRs is essential to maximize the effectiveness of RPKI and further strengthen the security of the global routing system.

In summary, RPKI (Resource Public Key Infrastructure) is a system designed to secure the Border Gateway Protocol (BGP) by allowing network operators to verify the legitimacy of IP address prefixes and the autonomous systems announcing them. By cryptographically validating route advertisements against the RPKI data, RPKI helps prevent route hijacking, accidental route leakage, and IP address spoofing. Its benefits include enhanced routing security, reduced risks of malicious activities, and improved internet stability and trustworthiness. Deploying RPKI validation, regularly checking RPKI status, and actively participating in RPKI are key preventive measures for network operators to ensure the security and reliability of BGP routing.