RPKI: The Key to Routing Security

By Andy Newton - Chief Engineer, ARIN

We are big fans of making sure the Internet is secure, and a lot of that comes from understanding how networks communicate with one another on the Internet. Internet Service Providers (ISPs) request a block of IP addresses from a Regional Internet Registry (RIR), such as us! The RIR records this allocation in a publicly accessible registry. Network administrators then configure their routers to announce those address blocks to the rest of the Internet using BGP. However, network administrators sometimes announce IP address blocks that don't belong to them, either by accident or on purpose, and nothing in BGP itself checks whether the announcing network is actually entitled to the block. A wrongly announced IP address block can take an entire network offline or silently divert its traffic elsewhere.

So, what can you do to prevent this from happening? The answer is Resource Certification. As IPv4 address space depletes, the need to strengthen routing security becomes urgent, and we are here to help you with that.

What is RPKI?

RPKI stands for Resource Public Key Infrastructure, and it is one of the main building blocks of routing security on the Internet. It is a hierarchy of X.509 certificates that mirrors the address allocation hierarchy: each RIR issues certificates to its resource holders attesting to the IP address blocks and AS numbers they hold. Using those certificates, address holders sign public statements specifying which Autonomous System is authorized to originate a given IP prefix, and how much more specific an announcement of that prefix may be. These signed statements, known as Route Origin Authorizations (ROAs), are published in repositories that network operators fetch and cryptographically validate; the result is fed to their routers, which can then make informed routing decisions, such as rejecting a BGP announcement whose origin AS contradicts a ROA.
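To make that last step concrete, here is a worked example of the route origin validation that a router (or a validator in front of it) performs against ROAs. It is an added illustration written for this page, not ARIN code and not taken from any RPKI validator. It implements the RFC 6811 procedure over Validated ROA Payloads (VRPs), the prefix / maxLength / origin-AS triples that remain once a relying party has checked each ROA's signature chain up to the trust anchor; the signature checking itself is out of scope here. The prefixes (RFC 5737 and RFC 3849 documentation ranges), AS numbers (RFC 5398 documentation ASNs), and all class and function names are constructed for illustration.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of VRPs.

Added illustration, not ARIN code.  In a real deployment the VRPs come from a
relying-party validator and reach the router over the RTR protocol; the
decision logic applied to each BGP announcement is what is shown here.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class RovState(Enum):
    VALID = "Valid"          # a covering VRP matches origin AS and maxLength
    INVALID = "Invalid"      # at least one VRP covers the prefix, but none matches
    NOT_FOUND = "NotFound"   # no ROA covers the prefix at all


@dataclass(frozen=True)
class Vrp:
    """Validated ROA Payload: the (prefix, origin ASN, maxLength) triple a ROA asserts."""
    prefix: str
    asn: int
    max_length: Optional[int] = None  # None means "exactly this prefix length"

    @property
    def network(self) -> ipaddress._BaseNetwork:
        return ipaddress.ip_network(self.prefix, strict=True)

    @property
    def effective_max_length(self) -> int:
        return self.network.prefixlen if self.max_length is None else self.max_length


def validate_route(prefix: str, origin_asn: int, vrps: Iterable[Vrp]) -> RovState:
    """Classify one BGP announcement (prefix originated by origin_asn) per RFC 6811 section 2."""
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for vrp in vrps:
        roa_net = vrp.network
        # A VRP "covers" the route when the announced prefix lies within (or equals)
        # the ROA prefix.  Address families never cover each other.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # It "matches" when the origin AS is the authorised one and the announced
        # prefix is no more specific than maxLength allows.  An AS 0 ROA (RFC 6483)
        # covers but can never match, because no real route is originated by AS 0.
        if vrp.asn == origin_asn and route.prefixlen <= vrp.effective_max_length:
            return RovState.VALID
    return RovState.INVALID if covered else RovState.NOT_FOUND


# Constructed VRPs: documentation prefixes and documentation ASNs, not registry data.
SAMPLE_VRPS = (
    Vrp("192.0.2.0/24", 64496),                   # exact /24 only, AS64496
    Vrp("192.0.2.0/24", 64498),                   # second ROA: AS64498 is also authorised (multihoming)
    Vrp("203.0.113.0/24", 64497, max_length=26),  # AS64497 may also announce /25s and /26s
    Vrp("198.51.100.0/24", 0),                    # AS 0: nobody may originate this prefix
    Vrp("2001:db8::/32", 64496, max_length=48),   # IPv6 ROA
)

# Constructed announcements.  The second and third are the two classic hijack
# shapes: a foreign origin AS, and an unauthorised more-specific prefix.
SAMPLE_ROUTES = (
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/24", 64511),
    ("192.0.2.0/25", 64496),
    ("192.0.2.0/24", 64498),
    ("203.0.113.0/26", 64497),
    ("203.0.113.0/27", 64497),
    ("198.51.100.0/24", 64496),
    ("2001:db8:1::/48", 64496),
    ("2001:db8:1::/64", 64496),
    ("10.0.0.0/8", 64496),
)


def validate_all(routes=SAMPLE_ROUTES, vrps=SAMPLE_VRPS) -> dict:
    """Return {(prefix, origin_asn): RovState} for every announcement."""
    return {(p, a): validate_route(p, a, vrps) for p, a in routes}


if __name__ == "__main__":
    for (prefix, asn), state in validate_all().items():
        print(f"{prefix:>20}  origin AS{asn:<6} -> {state.value}")
```

Two points of the design are worth noticing. First, a "NotFound" result is not a failure: most of the Internet's prefixes still have no ROA, so operators typically accept NotFound routes and drop only Invalid ones, which is why a ROA with a tight maxLength protects you but a missing ROA does not. Second, the maxLength field is what decides whether a more-specific announcement is Invalid; setting it wider than the prefixes you actually announce lets a hijacker announce those unannounced more-specifics with your AS as origin and still pass validation.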

Why use it?

Internet routing depends on many chains of relationships that are based on mutual trust. Each party trusts that the routes it receives from its neighbors are accurate and have not been maliciously altered; the Border Gateway Protocol (BGP) itself has no way to verify that the network originating a route actually holds the addresses it announces. This was sufficient in the early stages of Internet development, but has become increasingly vulnerable to attack as the Internet's resources have seen a massive increase in usage.

As IPv4 address space continues to deplete, it's increasingly important to strengthen your routing security. RPKI helps ensure that Internet number resource holders are cryptographically linked to their resources, and that reliable route origin data is available to inform routing decisions.

Here are a few examples of when RPKI could have prevented disaster:

  • In late 2013 and early 2014, Dell SecureWorks observed /24 prefixes belonging to Amazon, OVH, Digital Ocean, LeaseWeb, and Alibaba being hijacked and routed to a small network in Canada. Traffic between Bitcoin miners and mining pools was intercepted, for an estimated haul of $83,000. Had the affected blocks been covered by ROAs, and had the networks accepting those announcements dropped routes that fail origin validation, the hijacked /24s would have been rejected as Invalid.
  • In March 2014, the Turkish President ordered Twitter censored. Turk Telekom's DNS servers were configured to return false IP addresses, so people switched to Google Public DNS (8.8.8.8). Turk Telekom then hijacked Google's address block in BGP and answered the DNS queries itself. A ROA for Google's prefix would have let neighboring networks recognize Turk Telekom's announcement as coming from an unauthorized origin and refuse it.
  • In 2008, Pakistan Telecom was ordered to block YouTube. It originated its own, more-specific route for YouTube's IP address block, which leaked out through its upstream to the rest of the Internet and temporarily diverted YouTube's traffic to Pakistan. With widespread RPKI adoption, other networks would have seen that announcement as Invalid and kept it out of their routing tables.

Internet routing today is vulnerable to hijacking, and the provisioning and use of certificates is one of the steps required to make routing more secure. Note that ROAs validate only the origin of a route, not the full AS path: origin validation catches the accidental leak and the unsophisticated hijack, but an attacker who forges the path to end in the legitimate origin AS is not caught by ROAs alone. Widespread RPKI adoption will nonetheless help simplify IP address holder verification and routing decision-making throughout our region.

How can I participate through ARIN?

ARIN Online users may now participate in RPKI; it is a free, opt-in service. To participate you will need:

  • IPv4 or IPv6 resources obtained directly from ARIN
  • A signed Registration Services Agreement (RSA) or Legacy RSA (LRSA) covering the resources you wish to certify
  • An ARIN Online account linked to an Admin or Tech Point of Contact (POC) with authority to manage the resources you wish to certify

For detailed instructions on how to participate in RPKI through ARIN Online, please see our RPKI info page.
