As we depend on the Internet more and more to manage our lives, securing the internet routing infrastructure becomes vitally important. That infrastructure has long relied on the trust-based model of the Border Gateway Protocol (BGP), designed several decades ago when the threat landscape was very different from today's. No authentication was built into the protocol: a router simply believes whatever its neighbours announce. This lack of authentication leaves BGP exposed not only to configuration mistakes but also to abuse by bad actors who redirect traffic to achieve criminal objectives.
With no means of verifying route announcements, BGP's routing model is flawed, as thousands of routing incidents over the years, from accidental route leaks to malicious route hijackings, have shown. They clearly outline the need for a more secure system of route validation.
RPKI (Resource Public Key Infrastructure) has emerged as a framework that helps secure internet routing by cryptographically attesting which network may originate a given IP prefix. Each Regional Internet Registry (RIR) acts as a trust anchor and issues resource certificates to the holders of the address space it has allocated; the holder uses that certificate to sign Route Origin Authorizations (ROAs). The ROAs are published in RPKI repositories, so that any network can fetch them and verify them back to the RIR trust anchor. Note that RPKI attests only the origin of a prefix, not the whole path an announcement travels.
Holders of IP addresses publish their RIR-certified ROAs, stating which autonomous system (AS) is authorized to originate which IP prefixes and up to what prefix length (the ROA's maxLength). Networks then apply BGP Route Origin Validation (ROV): a validator retrieves and cryptographically checks the ROAs, and every received BGP announcement is compared against that set. An announcement whose prefix and origin AS match a ROA is Valid. One that is covered by a ROA but names a different origin AS, or is more specific than the ROA's maxLength allows, is Invalid and is dropped. One that no ROA covers at all is NotFound and, because most prefixes still have no ROA, is normally accepted like any other route. Dropping Invalid routes is the key to stopping accidental mis-originations from propagating, as well as to preventing cyber criminals from originating routes for address space they do not own.
A growing number of network providers have committed to enabling RPKI. In 2020 there was uptake from major transit, cloud and content providers, including Amazon, Cloudflare and Netflix. In addition to these big names, other significant players such as Google, AT&T and Telstra have also begun the process of enabling RPKI in their networks.
The internet is a complex labyrinth of interconnected networks, and ROV only protects the network that performs it: it stops that network from accepting an Invalid route from its neighbours, but it cannot secure the rest of the path a route travels through networks that do not validate. It also checks only the origin AS, so an attacker who places the legitimate origin AS at the end of a forged AS path is not caught by ROV alone. It is therefore imperative that more Service Providers implement RPKI so that this security loophole is closed wherever a route is received.
While some Service Providers might be erring on the side of caution amidst the global pandemic, it is crucial that they get on board now, as the internet will continue to play a pivotal role in our lives post COVID-19.
Nexusguard has already flipped the switch and uses RPKI route origin validation on all BGP sessions, for both customers and peers. A dedicated RPKI validator and ROA cache server retrieves the ROA data published under the APNIC trust anchor, checks its validity and feeds the validated ROA set to our routers.
● Customers who have existing, established ROAs receive ROV via RPKI from Nexusguard immediately.
● Customers who establish new ROAs receive ROV via RPKI from Nexusguard once the ROAs have been validated by APNIC.
● Customers who do not have ROAs will need to create ROAs for their IP prefixes with APNIC, and only upon validation by APNIC will they receive ROV via RPKI from Nexusguard.
OP/IP customers with RPKI implemented in their networks are advised to set the maximum prefix length (maxLength) of their ROAs to /24, so that the /24 more-specifics announced during traffic diversion to Nexusguard validate as Valid rather than Invalid; a ROA whose maxLength equals the length of the aggregate would cause those /24s to be dropped by every validating network. Two caveats apply. The ROA must name whichever AS actually originates the diverted /24, otherwise the more-specific is Invalid regardless of maxLength. And a loose maxLength lets an attacker who forges that origin AS hijack any /24 inside the aggregate as a Valid more-specific (see RFC 9319 on the use of maxLength), so do not set it looser than the diversion requires.
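The following Python is an added example, not code from the original post or from Nexusguard, showing both the ROV decision described above (Valid / Invalid / NotFound per RFC 6811) and why the /24 maxLength advice matters for traffic diversion. The ASNs and prefixes are constructed from private ASN and RFC 1918 space and the "scrubber" AS is hypothetical; the page does not say which AS originates a diverted /24, so that case is shown in general terms. The last scenario also illustrates the caveat that ROV cannot detect a forged origin AS.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength, authorized origin ASN."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def roa(prefix: str, asn: int, max_length: int | None = None) -> ROA:
    """Build a ROA. With maxLength omitted it defaults to the prefix length,
    the 'minimal ROA' that authorizes exactly this prefix and nothing more specific."""
    net = ipaddress.ip_network(prefix, strict=True)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must lie between the prefix length and the address size")
    return ROA(net, max_length, asn)


def rov(prefix: str, as_path: List[int], roas: Iterable[ROA]) -> str:
    """RFC 6811 Route Origin Validation of one BGP announcement.

    The origin AS is the rightmost AS in AS_PATH. Returns:
      "NotFound" - no ROA covers the announced prefix
      "Valid"    - a covering ROA authorizes this origin AS at this prefix length
      "Invalid"  - covering ROAs exist but none of them matches
    """
    net = ipaddress.ip_network(prefix, strict=True)
    origin_asn = as_path[-1]
    covered = False
    for r in roas:
        # A ROA covers the announcement when the announced prefix lies inside it.
        if r.prefix.version != net.version or not net.subnet_of(r.prefix):
            continue
        covered = True
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def accept(state: str) -> bool:
    """Import policy as the post describes it: drop Invalid, permit everything else.
    NotFound is accepted because most prefixes still have no ROA at all."""
    return state != "Invalid"


# Constructed sample data (private ASNs, RFC 1918 space); not real allocations.
CUSTOMER_AS = 64500   # hypothetical customer network
SCRUBBER_AS = 64501   # hypothetical DDoS mitigation provider
ATTACKER_AS = 64511   # hypothetical hijacker
CUSTOMER_AGG = "10.10.0.0/22"
CUSTOMER_24 = "10.10.1.0/24"


def diversion_scenarios() -> dict[str, str]:
    """ROV outcomes for the /24 diversion case and for the hijack cases."""
    minimal = [roa(CUSTOMER_AGG, CUSTOMER_AS)]          # maxLength defaults to /22
    loose = [roa(CUSTOMER_AGG, CUSTOMER_AS, 24)]        # maxLength /24, as advised above
    with_scrubber = loose + [roa(CUSTOMER_AGG, SCRUBBER_AS, 24)]
    return {
        "aggregate_minimal": rov(CUSTOMER_AGG, [CUSTOMER_AS], minimal),
        "more_specific_minimal": rov(CUSTOMER_24, [CUSTOMER_AS], minimal),   # /24 exceeds maxLength /22
        "more_specific_loose": rov(CUSTOMER_24, [CUSTOMER_AS], loose),
        "scrubber_origin_loose": rov(CUSTOMER_24, [SCRUBBER_AS], loose),     # ROA names another AS
        "scrubber_origin_authorized": rov(CUSTOMER_24, [SCRUBBER_AS], with_scrubber),
        "hijack_wrong_origin": rov(CUSTOMER_24, [ATTACKER_AS], loose),       # dropped by ROV
        "uncovered_prefix": rov("10.20.0.0/24", [ATTACKER_AS], loose),       # no ROA: accepted
        "forged_origin": rov(CUSTOMER_24, [ATTACKER_AS, CUSTOMER_AS], loose),  # ROV is blind to the path
    }


if __name__ == "__main__":
    for name, state in diversion_scenarios().items():
        print(f"{name:28s} {state:8s} accepted={accept(state)}")
```

The "more_specific_minimal" case is the failure the advice above prevents: a customer ROA with maxLength equal to the aggregate makes every /24 Invalid, including the ones announced for diversion. The "forged_origin" case shows the limit of origin validation: an attacker that appends the customer's ASN to its own path gets a Valid result, and the looser the maxLength, the more /24s such an attacker can carve out of the aggregate.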
You can rest assured that all our customer and peer sessions are fully validated and that we make no exceptions or allow unverified sessions.