Unlocking the Power of Resource Public Key Infrastructure (RPKI)

Welcome to the world of Resource Public Key Infrastructure (RPKI), a significant improvement in Internet routing security. If your enterprise hasn't explored RPKI yet, this blog post is for you. We'll cover the essentials, highlight the key benefits, and explain why RPKI is advantageous for your network security strategy. Additionally, we’ll debut a new ThousandEyes feature that enables you to monitor RPKI more efficiently.

What Is RPKI?

RPKI is a framework designed to improve the security of the Internet's routing infrastructure. RPKI helps ensure that the IP prefixes advertised from Autonomous Systems (AS) are legitimate and authorized. This capability reduces the impact of IP address space hijacking by malicious actors and minimizes the effects of misconfigurations by benign entities, thereby improving the overall security and reliability of Internet routing.

Why Should Enterprises Care About RPKI?

By validating the authenticity of IP prefix origins, RPKI helps limit the spread of illegitimate prefix advertisements caused by misconfigurations and hijacks. As more organizations, including large financial institutions and the U.S. federal government, adopt RPKI, it is becoming a must-have for improved routing security. Limiting the blast radius of Border Gateway Protocol (BGP) hijacks and misconfigurations benefits network security, operational stability, financial health, regulatory compliance, and competitive advantage. By investing in measures to prevent and mitigate BGP hijacks, organizations can protect their assets, reputation, and revenue streams while enhancing customer trust and satisfaction. 

A Brief History of RPKI

BGP was not originally designed with security in mind, which limits the options operators have when a route is hijacked. If advertising a more specific prefix is not feasible, often the only recourse is to contact peers directly. So, to address these challenges, the routing community has adopted various best practices, such as configuring the maximum prefixes that can be advertised and using route filtering. 

Over the past decade, there has also been significant effort in building and promoting RPKI to prevent both malicious and accidental route hijacks. Currently, around 53% of IPv4 prefixes and approximately 60% of IPv6 prefixes have valid Route Origin Authorizations (ROAs). 

Despite the progress, implementing security measures like RPKI is not mandatory for network operators, which signals a long journey ahead to fully secure BGP. However, there are positive trends: major transit providers such as NTT, Cogent, and Lumen, along with large content providers like Amazon and Netflix, have deployed RPKI validation, contributing to a safer Internet. Operators must work together to ensure that more providers adopt these practices and make the Internet safer for everyone.

How Does RPKI Work?

RPKI uses digital certificates to verify that specific IP address blocks can be announced by certain AS numbers. Then, there are two steps: signing and validation. Here's a simplified breakdown of the process:

1. Certification Authority (CA): A trusted entity, known as a Certification Authority, issues digital certificates to IP and AS prefix holders. These certificates confirm which IP prefixes and ASes the entity can issue ROAs.

2. Route Origin Authorizations (ROAs): The IP prefix holder creates ROAs, which specify the AS numbers that are authorized to announce their IP address blocks. These ROAs are signed with the digital certificates issued by the CA.

3. Validation: Network operators use RPKI validators to check the authenticity of the ROAs. If the ROAs are valid and route announcements are consistent with them, the routes are accepted; otherwise, they should be rejected. This process is called Route Origin Validation (ROV).

RPKI Validation in Action

In Figure 1, ThousandEyes BGP route visualization shows path changes for a specific prefix. Solid red lines represent new paths being installed, while dotted red lines indicate paths being withdrawn. Two ThousandEyes BGP monitors, located in New York and Amsterdam, report prefix unreachability. This is because two providers, AT&T and KPN, detect invalid ROAs for the advertised prefix. Due to their ROV implementation, they drop this advertisement, resulting in a lack of prefix visibility. This situation arises from an ROA misconfiguration rather than malicious activity. However, from this scenario, we can see how RPKI can prevent the spread of invalid announcements in the event of a hijack.

When network operators fix the ROA, everything works as expected, as indicated in Figure 2 below.

Getting Started With RPKI

Implementing RPKI might sound daunting, but it's more straightforward than you think. Here are the steps to get started:

1. Understand the Role of Regional Internet Registries (RIRs): Regional Internet Registries (RIRs, ARIN, RIPE NCC, APNIC, LACNIC and AFRINIC) act as Root CAs for RPKI services and act as Trust Anchors. Begin by logging in to your RIR's portal and review their guide on how to create ROAs.

2. Create ROAs: Use the RIR's web interface or API to create ROAs. An ROA specifies which AS is authorized to originate a particular IP prefix. In many cases, the RIR can suggest this automatically, and you simply need to confirm.

3. Monitor: Monitor for RPKI invalids using ThousandEyes.

4. Maintain: Additionally, operators will need to set the maximum prefix length, evaluate impacts on existing systems such as DDoS mitigation, and update related workflows to keep ROAs current to ensure ongoing security and compliance and to help prevent global outages. (Note: For the purposes of this blog, we have necessarily simplified some details.)

Monitoring RPKI in ThousandEyes

After setting up ROAs for your ASN-prefix pairs, you can configure alerts using ThousandEyes’ new RPKI Status alert type (see Figure 3) to monitor for any RPKI invalid announcements detected by our BGP monitors. Associate these alerts to the specific tests or prefixes you want to monitor.

When ThousandEyes’ BGP monitors detect an RPKI Invalid announcement, you will receive an alert and see a visual representation in BGP Views, as shown in Figure 4, indicating which AS is announcing the RPKI Invalid prefix.

Conclusion

RPKI is a powerful security framework that can enhance the security and reliability of your BGP posture. By mitigating the effects of misconfigurations and BGP hijacks, RPKI makes it easier to protect your data and helps you maintain a trustworthy Internet presence. Start your RPKI journey today and unlock the full potential of secure routing for your enterprise.

If you have any questions or need assistance with RPKI implementation, reach out to our team. We're here to help you navigate the world of more secure Internet routing!