Definition of RPKI
Resource Public Key Infrastructure (RPKI) is a security technology for the BGP protocol, which is one of the cornerstones of the Internet. RPKI allows network operators to verify the validity and reliability of IP addresses and the autonomous systems that announce them.
How RPKI Works
RPKI works like a set of digital certificates that authenticate the association between a specific ASN and a specific IP address that will announce through that ASN. The certificates are generated through Regional Internet Registrars (RIRs) and stored in their databases. In this way, network operators can authenticate routes.
When an ISP or network operator receives a route announcement via BGP, they can use RPKI to verify its legitimacy. This involves verifying the digital signature of the announcement and matching IP prefixes and Autonomous System Numbers (ASNs) with RPKI data. If the announcement matches a valid certificate in the RPKI repository, it is considered legitimate. Otherwise, the network operator can take appropriate action, such as filtering or route rejection.
Prevention Tips
To improve the security and reliability of BGP routing, network operators can take the following actions:
- Deploy RPKI validation: Configure Internet routers to perform RPKI validation. This ensures that only route advertisements that are validated with RPKI data are accepted.
- Regularly check RPKI status: Network operators should periodically check the RPKI status of their IP addresses using RPKI validators. These tools provide real-time information on the validity of route prefix authorisations (ROA) and help identify potential misconfigurations or unauthorised announcements.
- Participate in RPKI: Network operators should actively participate in RPKI by obtaining and maintaining ROAs for their IP addresses. ROAs are digitally signed documents that specify the prefixes that an authorised Autonomous System (AS) is authorised to announce. By creating and publishing ROAs, network operators can implement route origin validation and protect themselves from route hijacking and accidental route leaks.
Benefits and Importance of RPKI
RPKI plays a key role in improving the security and resilience of the Internet routing infrastructure. By cryptographically verifying the legitimacy of IP address prefixes and the autonomous systems that announce them, RPKI helps mitigate various routing threats such as route hijacking, accidental route leaks, and IP address spoofing.
It is worth noting that despite the significant benefits RPKI brings to BGP routing security, its adoption and proliferation is ongoing. Fostering broad participation and collaboration between network operators, ISPs, and Regional Internet Registries (RIRs) is critical to maximising the effectiveness of RPKI and further enhancing the security of the global routing system.
Lifehack
If your IP address does not currently have an ASN, i.e., no one is announcing it, but you are concerned about address hijacking, or if you want to get rid of unwanted announcements from someone else’s ASN, the best way to do this is to install RPKI on AS0.