March 14, 2022

Enhancing Nexusguard Cloud Diversion with RPKI ROA

With Border Gateway Protocol (BGP), transit network providers edit access lists in order to only announce prefixes they have manually verified someone has the authority to advertise. However, due to the lack of authentication in BGP, it has become increasingly vulnerable not only to human error such as misconfiguration and typos, but also abuse by cyber threat actors seeking to hijack routes to achieve criminal objectives.



Secure Routing with RPKI


As Internet traffic has increased exponentially in recent years, the importance of routing validation has become paramount. This has led to the advent of Resource Public Key Infrastructure (RPKI), developed jointly by Regional Internet Registries (RIRs), leading router vendors and open source software developers. RPKI is a community-driven routing innovation to help secure the Internet’s routing infrastructure in real time and at scale, by linking IP addresses and AS numbers to a trust anchor.

For RPKI to function optimally, owners of IP addresses and ASNs need to create a cryptographic statement called a Route Origin Authorization (ROA). A ROA can only be created by the legitimate owner of the prefix and states which AS number is authorized to announce a particular prefix on the Internet. This helps to validate that route announcements originate from the route they claim (Route Origin Validation), and then filters the requests (Route Filtering), through which any ‘invalid’ routes are dropped.

Secured Routing with Nexusguard RPKI Framework

To support the community’s initiative to secure BGP via RPKI, Nexusguard has added RPKI status visibility into all its products, including the Cloud Diversion feature, developed specifically to facilitate automated route diversion of under attack IP prefixes to scrubbing centres. For route verification to be effective, Nexusguard validates ROAs created by their customers, ensuring all their routes are safe to announce to the Internet. ROAs help to digitally verify where a prefix should have originated from and who the legitimate owner of it should be, preventing bad actors from intercepting Internet traffic, or from accidental routing mistakes through human error.



Figure 1 - Modified Route Template with RPKI ROA


In the case of Nexusguard Cloud Diversion, this feature is enhanced using RPKI ROA Origin AS information which automatically validates the origin AS, thereby eliminating the risk of unintended routing mistakes. Moreover, the cryptographical verification component intrinsic to RPKI prevents potential hijacks in the first hop of routing in the network. 

For more information on how to enable RPKI for a safer Internet, check out the Nexusguard blog post

The RPKI ROA feature is now available to customers using our Origin Protection service. For further information, please read about Nexusguard’s Origin Protection.

Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.