The Internet has become much faster over the last few decades, with the speed of a high-end user’s Internet connection expected to grow by 50 percent yearly. Nowadays you can send huge volumes of data across the world blazingly fast, but there’s something else that absolutely has to exist alongside speed: security.
It’s easy to get lost in all those network types and protocols, but luckily, we can explain everything you need to know in an easy and accessible way. Today, we will shed some light on RPKI (Resource Public Key Infrastructure), an extra layer of security that acts both as a certificate of legitimacy and as a method of preventing routing leaks and possible cyber attacks.
RPKI is closely related to AS, ASN, and BGP
In our previous article, we talked about autonomous system numbers. These are responsible for making the Internet run smoothly and more efficiently. Let’s recap some key aspects in order to understand the role RPKI plays here.
An autonomous system is a big network or group of networks (more specifically, a group of one or more IP prefixes) that has a single routing policy. An autonomous system is responsible for routing the external traffic between systems. To be more specific, data travels between autonomous systems until it finds the one that contains the correct IP address.
Sending data between autonomous systems is done via BGP. This is short for “Border Gateway Protocol”, the one responsible for processing the data and picking the fastest and most efficient route the data can take. In many cases, this route means jumping from one autonomous system to another until the destination is reached.
In order for multiple autonomous systems to better communicate with each other, each of them is assigned an ASN, an autonomous system number. The whole point of using autonomous system numbers is to increase the speed at which data travels over the Internet. Thanks to these unique identifiers, BGP routing is done faster and more efficiently.
However…
Routing data via BGP does not mean that the data is routed securely as well. While it’s true that BGP sends information across autonomous systems quicker and more efficiently, the routing infrastructure is still susceptible to security breaches that can potentially hijack the network and leak sensitive information. This is where RPKI comes in.
What is RPKI and what is it used for specifically?
RPKI stands for Resource Public Key Infrastructure. It is a measure employed by network operators to secure the routing infrastructure. It uses cryptographic signatures to check whether the IP blocks and routes an autonomous system declares legitimately belong to that specific autonomous system. It is both a security measure and a legitimate proof of ownership of those resources.
This still sounds like a mouthful of technical jargon. What RPKI essentially does is protect the Internet’s infrastructure. When routing information via BGP (Border Gateway Protocol), RPKI is there to ensure no leaks and breaches occur while the information is travelling across the network.
So, in short, RPKI is a security framework that completes BGP. This “tool” is usually managed and provided either by IANA (Internet Assigned Numbers Authority), RIRs (Regional Internet Registries), LIRs (Local Internet Registries), or Internet Service Providers.
How does it work?
Resource Public Key Infrastructure greatly helps with network security and reliability. Take an AS, its specific ASN, and the IP addresses it contains. Here, RPKI is used to prove that those IPs and/or ASN legitimately belong to that autonomous system.
The verification process has two important parts: Route Origin Authorization (ROA) and Route Origin Validation (ROV). The first one works pretty much as a public key that can fix an IP address to an autonomous system. Naturally, this public key must also be joined by a private key in order to create the verification key pair.
A Route Origin Authorization holds vital routing parameters that help check the validity of autonomous systems. These parameters include the origin ASN, the specific IP prefix and its maximum length. ROAs are generated by certificate authorities (also known as CAs or trust anchors) and resource holders use them to prove the ownership of those particular resources. Also, keep in mind that a ROA can be created only by the owner of the IP block/range.
As we mentioned above, resource certification authorities include IANA, RIRs, LIRs, and Internet Service Providers. They are responsible for issuing certificates (signatures) to legitimate IP holders. With this signature, you can generate ROAs and create instructions that BGP routers can use to validate the IP/ASN pairs.
In essence, each RIR has its trust anchor (CA). This anchor is a file that allows relying parties (RPKI validators verified by RIR) to retrieve RPKI data from the RPKI repository.
Since RPKI data is separate from BGP, you need to use Route Origin Validation (ROV) to successfully exchange information with the RPKI architecture. For this, an RPKI validator is used. After the ROA data is extracted from every trust anchor, the validators present it to the paired routers.
But here comes another protocol, called RTR (RPKI to Router Protocol). This is what routers use to communicate with the validators. RTR does nothing more than gather ROA data and transfer it to BGP. The final step is RTR comparing the announced BGP route with the data it just collected. If the public and private keys do not match and the result seems invalid, the protocol rejects the announcement and prevents any further attempts to track the information that’s jumping from AS to AS.
Why is it important?
The whole point of this security framework is to prove the resource holder’s right to use their resources. While this is a benefit in itself, RPKI does more than that. Because the BGP protocol is only good for path validation (finding the best route, much like Google Maps), the information itself is exposed. BGP is not able to validate the information by itself because it lacks built-in security.
This unfortunately can lead to many threats, including route leaks, hijacks, and even human errors like incorrect routing policies/information. Such problems can lead to outages and severe security breaches that affect both IP resource holders and regular users.
This is why RPKI has been designed. It acts as a protective layer that makes sure all resources are validated cryptographically. Its goal is to check whether an AS legitimately declared the routes (paths) of its IP addresses.
Resources – How to set up RPKI/ROA depending on the RIR you are working with?
Each RIR usually has its own procedures that must be followed in order for you to be eligible for a resource certification. The following links will take you to the information you need for generating RPKI/ROA for your resources for each corresponding RIR:
- RIPE
- ARIN
- APNIC
- AFRINIC
- LACNIC
Conclusion
At the end of the day, RPKI is an important component of a secure network. It also helps prevent leaks and cyberattacks on the information that’s being routed, because it checks the validity of the IP routes and ASNs declared by the owner of the address space.
In doing so, RPKI provides resource holders with proof of ownership they can use to securely and legitimately distribute their resources. This also helps resource holders to build a trustworthy relationship with their customers since they will be working with an entity that has the rights of use over that IP range and/or ASN. In addition, based on the RPKI validation results, threats can be prevented by consolidating the security of the exposed network.
The validation process is done cryptographically with the use of two important elements: Route Origin Authorization (ROA) and Route Origin Validation (ROV). In this way, RPKI compensates for BGP’s weak spots, namely its inability to validate the information by itself. The result is that data travels fast, efficiently, and most importantly, safely.