RPKI: securing Internet routes against attackers

Posted date: 01/02/2024
Author: INCIBE

Originally conceived as a network of mutual trust between different entities and autonomous systems, the Internet has enabled exponentially rapid global development and interconnection. This foundation of trust interconnects a vast conglomerate of networks, promoting collaboration and information sharing. But this same principle has subjected the global network to a number of vulnerabilities by design in its routing system. Given the lack of validation and verification mechanisms, malicious or incorrect information can be easily accepted and propagated by the Network, causing interruptions or malicious traffic diversions that can compromise the security and privacy of user data.

This inherent fragility is particularly evident in the BGP routing protocol, which lacks intrinsic security mechanisms and is fundamentally dependent on trust between different autonomous systems. This lack of security has allowed the emergence of cyber threats, such as BGP Hijacking, where attackers can redirect Internet traffic by manipulating BGP routes. This violation of the principle of trust in routing systems evidenced the need to develop effective solutions to ensure the authenticity and legitimacy of routing information on the Internet.

The Resource Public Key Infrastructure (RPKI), introduced in 2012 and specified in documents such as RFC 6480 or RFC 6810, is established as a critical component for Internet security. It provides a verification and authentication framework to secure routing on the Internet, adapting the fundamentals of a conventional Public Key Infrastructure (PKI) to address specific security issues.

The adoption and implementation of RPKI has advanced significantly, with growing support from different stakeholders and the Internet community, who recognize the critical importance of RPKI in protecting the Network infrastructure. This endorsement extends throughout the global Internet community, including service providers, network operators, and research entities. Websites such as 'Is BGP Safe Yet?' offer useful resources to check whether an organization has implemented RPKI.

- Figure: BGP protocol (normal request). -

- Figure: BGP protocol hijacking. -

- Figure: BGP protocol with RPKI. -

These resources allow users and organizations to have a clearer view of the security measures implemented by ISPs and make informed decisions about the Internet services they choose, while incentivizing more ISPs to adopt security practices such as RPKI to improve Internet routing security.

RPKI: PKI-based operation

RPKI uses digital certificates to validate ownership of the network's numerical identifiers, such as IP addresses and Autonomous System Numbers (ASNs). These certificates function as a means of ensuring that the routes advertised in BGP are legitimate and authorized by the resource owner.

The RPKI process, from requesting IP addresses to announcing BGP prefixes, is comprehensive and multifaceted. It involves various stages and coordination between the various components of RPKI and BGP, to ensure the legitimacy of the routes. The steps involved in this process are summarized below:

  1. Resource request: An entity, typically an Internet Service Provider, requests the assignment of Internet number resources from its corresponding Regional Internet Registry (RIR): ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC. These resources include IP addresses and ASNs that are required to identify and manage devices and routes on the network.
  2. Resource allocation and certification: Once the request is approved, the RIR allocates the requested resources and generates an X.509 certificate for the entity, certifying its legitimate right to use those resources. With its RPKI certificate, the entity generates a Route Origin Authorization (ROA). The ROA specifies which ASNs are authorized to advertise the assigned IP blocks, adding an extra layer of verification and security in the routing process.
  3. ROA publishing: Certification data, stored in the RIR repository, is synchronized between global repositories using protocols such as rsync or RRDP, through their Publication Points (PP), ensuring consistency and accessibility. This synchronization allows any entity on the Internet to perform validations, improving the reliability and integrity of the routes in the Network.
  4. BGP route announcement: The entity advertises its assigned IP blocks using the BGP protocol, which regulates routing between existing ASes.
  5. Validation of legitimate announcements: The RPKI system includes a component called the Relying Party (RP), commonly known as an RPKI validator. Relying Parties are responsible for comparing BGP announcements against the available ROAs, using data from synchronized RPKI repositories. This validation process ensures that only legitimate announcements are accepted, mitigating risks associated with malicious or incorrect routes.
  6. Establishing legitimate routes: With the validated RPKI information, routers build the routing table by prioritizing validated and legitimate routes. Using the 'RPKI to Router Protocol (RPKI-RTR)', routers receive real-time RPKI validation data from Relying Parties (RPs), enabling informed and secure routing decisions.

- Figure: Internet routing certification process with RPKI. -

Implementing your own RPKI validator

The RPKI system was designed to operate in a decentralized manner, so that each entity would have the possibility to manage its own CA and publish its own certificates and ROAs. But, given the infrastructure and services already provided by RIRs, the common practice has been to use these already established services to facilitate certification and resource management, which has reduced the need for many organizations, such as ISPs, to manage their own certification infrastructure, allowing them to focus instead on operational and quality of service aspects.

Despite this, deploying a first-party validator presents significant advantages for organizations like ISPs that implement their own backbone. It allows them to mitigate dependencies, get direct confirmation of route validity, and adjust and optimize the validation process according to their specific needs and internal policies, contributing to more efficient network operation.

There are several open-source RPKI validators available to organizations and ISPs. When choosing a validator, it is important to consider factors such as community activity and support, available documentation, ease of installation and configuration, and integration with other systems and tools used in the organization. Using an open-source validator allows organizations to benefit from the community's expertise and knowledge. Some of the most well-known and active open-source validators include:

  • Routinator: from NLnet Labs, very active in the community. It verifies the validity of routes using RPKI's public key infrastructure.
  • RPKI Validator 3: very popular and widely used in the community. It is developed by RIPE NCC, one of the five RIRs.
  • FORT Validator: open source, developed by NIC Mexico. It is distinguished by its simplicity and light weight, making it an attractive option for resource-constrained environments.
  • OctoRPKI: this Cloudflare toolset stands out for its modular architecture, which separates the validation process from the handling of RTR communication, providing flexibility in deployment.

It is advisable to adopt certain best practices when implementing your own validator, such as:

  • Establish a redundant architecture by deploying multiple validators in various locations and subnets, which will improve service availability.
  • Perform proactive software maintenance that includes regular updates and continuous monitoring of the system, and review the configuration of security parameters.
  • Ensure authentication and secure access through rigorous access controls and secure protocols, and thoroughly validate the system in a test environment.
  • Handle whitelists or blacklists carefully when they run on top of an RPKI validator: a manual filtering rule, such as those implemented through lists, could conflict with the RPKI system and invalidate or block legitimate route announcements. These elements must therefore be used in a conscious and controlled manner.

Conclusions

The implementation of RPKI stands out as an essential element in Internet routing security, offering an effective solution against threats such as BGP Hijacking. RPKI enhances the security of routing on the Internet by rigorously validating routes, ensuring that only authorized operators can advertise specific IP address blocks. This mitigates the likelihood of malicious traffic redirects and interceptions, building a more secure and reliable network environment.

The proactive adoption of RPKI by Internet service providers, cloud companies, and other stakeholders is a vital step toward a more secure and trustworthy digital environment. As the implementation of RPKI continues to expand and mature, it is expected to contribute significantly to mitigating risks associated with cyberattacks, thereby promoting a safer and more reliable Internet for all users.