Imagine you’re taking a trip by plane. You start off in Los Angeles, and want to get to Germany, and the ticket agents in Los Angeles tell you that the quickest way there is via Washington, DC and London. You take their advice and in three relatively painless flights, you arrive in Germany, safe and sound. The ticket agents heard where you want to go and selected the best possible route for you to take based upon what they knew about air traffic, layover times, and geographic locations between themselves and Germany.
This is generally how routing works in today’s Internet world. Data packets (passengers) are sent to their destinations along a route selected by each router (airport) along the way. Between your home computer and the server where your email account is stored, there may be a large number of short trips for your data to take. It is up to the routers, beginning with the one in your own home, to determine where to send your packets next, in order to minimize the time it takes to get to your email server. Each router makes programmatic decisions based on information from neighboring routers. But how does a router know which other router is really the best place to send your data?
Currently, Internet routing is based largely upon trust; each router trusts that the next router is safe, legitimate, and reliable. While this trust model still works, the Internet has become increasingly vulnerable to attack. Anyone with enough motivation could insert themselves in the path of data and cause your data to be redirected, just like a makeshift air traffic controller could send your plane to the wrong destination. So what can be done to make sure routing is legitimate and tracked so that your data can be safely transported to the correct location?
Enter Resource Public Key Infrastructure (RPKI)! That mouthful of an acronym is the first key step toward secure global routing. Let’s break up the term to better understand it:
- Resource: Internet Protocol (IP) addresses, the numbers we use to identify locations on the Internet
- Public Key: Part of a public/private key pair, used in cryptographic verification
- Infrastructure: The system in which these resources and keys operate
In a general sense, RPKI is used to certify beyond any doubt that a particular IP address or Autonomous System Number (ASN) was obtained legitimately by the organization that requested it. ARIN customers may opt into RPKI by generating a cryptographic key pair and giving the public key of that pair to ARIN. ARIN then issues a resource certificate and allows them to request Route Origin Authorizations (ROAs): verifiable statements saying which Autonomous Systems may originate their IP address(es).
Let’s get back to our fantasy trip to Germany. The ticket agents in Los Angeles know that they can send you to Germany via the Washington, DC airport because of the information they have available to them. They have assurance that not only does that airport exist and is accepting flights, but it is also certified by the Federal Aviation Administration, screens passengers and airline staff based on Transportation Security Administration regulations, and it has a verifiable history of maintaining this standard of operation. In RPKI, ARIN is certifying that the router’s IP addresses are legitimately registered to the network operator and that the route originated in the right spot. This provides much more trustworthy data for routers to use, and gives your data a much better chance of always getting where it needs to go.
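To show what a router (or the validator feeding it) actually does with the ROAs described above, here is an added example that is not part of the original post or of ARIN's own software: it performs Route Origin Validation in the manner of RFC 6811, classifying each BGP announcement as Valid, Invalid or NotFound against a set of ROAs. The `max_length` field is the standard ROA maxLength attribute (not mentioned on the page); the prefixes and AS numbers are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: origin_asn may announce prefix,
    and any more-specific prefix no longer than max_length bits."""
    prefix: str
    max_length: int
    origin_asn: int


def validate_origin(announced_prefix: str, origin_asn: int, roas) -> str:
    """Route Origin Validation (RFC 6811 semantics).

    NotFound: no ROA covers the announced prefix (RPKI has no opinion).
    Valid:    a covering ROA names this origin AS and the announced
              prefix is no longer than that ROA's max_length.
    Invalid:  covering ROAs exist, but none matches origin and length,
              i.e. the announcement looks like a hijack or a leak of an
              over-specific prefix.
    """
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append((roa, roa_net))
    if not covering:
        return "NotFound"
    for roa, _ in covering:
        if roa.origin_asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


# Constructed sample ROAs (documentation prefixes and private-use ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 25, 64497),
]

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64500),
                        ("192.0.2.0/25", 64496), ("203.0.113.0/24", 64496),
                        ("198.51.100.0/25", 64497)]:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn, SAMPLE_ROAS)}")
```

A router configured to drop Invalid routes would refuse the second and third announcements; NotFound routes are normally still accepted, since most of the Internet's prefixes do not yet have ROAs.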
Visit ARIN’s RPKI section for participation details, frequently asked questions, troubleshooting and more.