Resource Public Key Infrastructure (RPKI)

Overview

Routing protocols like Border Gateway Protocol (BGP) are commonly deployed today with a strong reliance on trust: any peer can, by accident or maliciously, advertise prefixes it does not control and affect traffic flow on the Internet. Many networks protect against this using manually curated filter rules, which require human involvement whenever advertisements change. RPKI provides a solution to the problem of incorrect advertisements from third parties impacting routing on the global Internet.

RPKI allows declaring who is allowed to originate prefixes using a certificate-based trust system. The hierarchy of certificate authorities, rooted in the trust anchors, follows the hierarchy of number resource allocation (IP addresses and Autonomous System Numbers): Regional Internet Registries (RIRs), National Internet Registries (NIRs) and ISPs issue and sign X.509 certificates (carrying the RFC 3779 IP address and AS identifier extensions) that list the resources they have allocated. RIRs allocate resources to NIRs and ISPs, NIRs allocate resources to ISPs, and ISPs allocate resources to their customers.

Figure 1.

Route Origin Authorizations (ROAs)

Using the certificates issued by the CAs, holders of a set of prefixes (e.g. ISPs) generate Route Origin Authorizations (ROAs). A ROA lets a prefix holder attest how a prefix may be originated, that is, by setting the allowed origin ASN and the maximum prefix length for a given prefix.

Specifying a maximum prefix length that is longer (more specific) than the prefix the ROA is created for also covers more-specific advertisements of that prefix, up to the maximum length. If no maximum length is specified, only the exact prefix is authorized.

For example, a ROA specifying:

  • origin_asn: X
  • prefix: a.a.a.a/20
  • maximum_prefix_length: 24

will cover a.a.a.a/20 and any more-specific prefix within it, from /21 down to /24, when advertised by ASN X. A /25 or longer within that range, or any of these prefixes advertised by an ASN other than X, is not authorized by this ROA.

Route Origin Validation (ROV)

Networks can verify BGP advertisements against ROAs; this is known as Route Origin Validation (ROV). Using Relying Party (RP) software, networks download RPKI certificates and ROAs from the repositories, starting from the Trust Anchors (located via Trust Anchor Locators), and cryptographically verify them. The resulting validated ROA payloads (prefix, maximum length, origin ASN) are then sent to routers using the RPKI to Router Protocol (RPKI-RTR: RFC 6810 and RFC 8210), enabling routers to classify each received prefix as valid, invalid or unknown:

  • A prefix is ‘valid’ if at least one ROA covers it, matches the origin ASN, and the advertised prefix is no more specific than that ROA's maximum length
  • A prefix is ‘invalid’ if one or more ROAs cover it but none matches: the origin ASN differs from the ROA's, or the prefix is more specific than the maximum length
  • If no ROA covers the prefix, it is marked as ‘unknown’ (also called ‘not found’)

Using the validation state in BGP policy, networks can build routing tables that depend on the RPKI state of a prefix: for example, by discarding invalid prefixes, or by giving unknown prefixes a lower local preference than valid ones.
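As an added example (not code from this page, from Google, or from any RP implementation), the ROA maximum-length rule and the three ROV outcomes described above, carried through in Python against a constructed set of validated ROA payloads. It covers the a.a.a.a/20 with maximum length 24 case from the ROA section, a ROA without a maximum length, an AS0 ROA (RFC 6483, which says nobody may originate the prefix) and an IPv6 ROA. It assumes the RP has already done the cryptographic validation and that the router receives only (prefix, maximum length, ASN) tuples; the VRP, validate and route_policy names, the ASNs and the address ranges are this example's own.

```python
"""Route Origin Validation (RFC 6811) over a set of Validated ROA Payloads.

Added example; not part of the Google ISP Portal page. The VRPs below are
constructed from documentation and private address space with private-use
ASNs. No RPKI repository or router is contacted.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: what an RP sends to routers over RPKI-RTR."""
    asn: int
    prefix: Network
    max_length: int


def vrp(asn: int, prefix: str, max_length: Optional[int] = None) -> VRP:
    """Build a VRP. A ROA without maxLength authorizes only the exact prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return VRP(asn, net, max_length)


def covering_vrps(vrps: Iterable[VRP], route: Network) -> list[VRP]:
    """VRPs whose prefix contains the announced prefix (RFC 6811 'covering')."""
    return [v for v in vrps
            if v.prefix.version == route.version and route.subnet_of(v.prefix)]


def validate(vrps: Iterable[VRP], prefix: str, origin_asn: int) -> str:
    """Return 'valid', 'invalid' or 'unknown' for an announced (prefix, origin AS)."""
    route = ipaddress.ip_network(prefix, strict=True)
    if origin_asn == 0:
        # RFC 7607: AS 0 must never appear as an origin; treat the route as invalid.
        return "invalid"
    covering = covering_vrps(vrps, route)
    if not covering:
        return "unknown"  # RFC 6811 calls this state NotFound
    for v in covering:
        # Valid needs one covering VRP with the same origin AS whose maxLength
        # is at least as long as the announced prefix.
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    # Covered by at least one ROA, but wrong origin AS or too specific.
    return "invalid"


def route_policy(state: str) -> tuple[str, Optional[int]]:
    """One common policy: reject invalid, prefer valid over unknown via local-pref."""
    return {"valid": ("accept", 110),
            "unknown": ("accept", 100),
            "invalid": ("reject", None)}[state]


# Constructed VRP set. The AS 0 entry models an AS0 ROA (RFC 6483): it covers
# 192.0.2.0/24 but can never match a real origin, so every announcement of it is invalid.
VRPS = [
    vrp(64500, "10.0.0.0/20", 24),     # the a.a.a.a/20, maxLength 24 case
    vrp(64501, "10.0.16.0/20"),        # no maxLength: only the /20 itself
    vrp(0, "192.0.2.0/24"),            # AS0 ROA
    vrp(64500, "2001:db8::/32", 48),   # IPv6 works the same way
]

# Constructed announcements: (prefix, origin ASN) as a router would see them.
ANNOUNCEMENTS = [
    ("10.0.0.0/20", 64500), ("10.0.3.0/24", 64500), ("10.0.3.0/25", 64500),
    ("10.0.0.0/20", 64499), ("10.0.16.0/21", 64501), ("10.0.0.0/16", 64500),
    ("172.16.0.0/12", 64500), ("192.0.2.0/24", 64500), ("2001:db8:1::/48", 64500),
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        state = validate(VRPS, prefix, asn)
        print(f"{prefix:<18} AS{asn:<6} {state:<8} {route_policy(state)}")
```

Note that 10.0.0.0/16 is unknown rather than invalid: it contains the /20 ROA's prefix but is not contained by it, so no ROA covers it. This is why RPKI alone does not stop a less-specific hijack of an unprotected aggregate; ROAs for the aggregate itself are needed.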


How to create RPKI certificates and ROAs

The easiest way to create RPKI certificates and ROAs is to use the hosted RPKI service operated by the RIRs. In this mode, the RIR hosts the Certificate Authority (CA) and signs all Route Origin Authorizations (ROAs) for the resources it has assigned.

The process to create the CA, certificates and ROAs varies by RIR, but in general it is done through a web interface. ARIN, APNIC and RIPE NCC also offer an API for bulk and automated creation of ROAs.

RIRs offering hosted RPKI:

ARIN RPKI: https://www.arin.net/resources/manage/rpki/hosted/

APNIC RPKI: https://www.apnic.net/community/security/resource-certification/

AFRINIC RPKI: https://afrinic.net/resource-certification

LACNIC RPKI: https://rpki.lacnic.net/rpki-hosted-web/

RIPE NCC RPKI: https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/using-the-rpki-system


RPKI at Google

You can use the ‘BGP View’ in the ISP Portal to review the status of the routes you announce to Google. To access the ‘BGP View’, go to ‘Monitoring’ -> ‘BGP’ (https://isp.google.com/bgp/). You can also use the filter boxes to show only prefixes with RPKI or IRR validation problems.


Additional Resources
