BGP RPKI
On the Internet, we use BGP for routing. BGP has no built-in security mechanisms to check whether a prefix belongs to a specific autonomous system (AS). It’s all based on trust. You can advertise whatever you want; the only thing stopping those prefixes is outbound or inbound filters, if you have any. The Internet is therefore vulnerable to bogus routing information, which leads to problems such as BGP hijacking or route leaking.
Prefixes belong to specific ASes with matching autonomous system numbers (ASNs). You can look them up in the Internet Routing Registry (IRR) using services such as RADb.
You could configure your routers to use the data from the IRR to filter prefixes. That sounds nice, but the data in IRR is unreliable. There is invalid data, stale records, and even typos. There are multiple data suppliers, and there is not enough control over the creation and verification of data.
RPKI is a security framework to ensure that BGP routing information is authentic. With RPKI, you can validate BGP announcements. As you’ll see, most of it works outside of BGP.
The “resource” part refers to Internet number resource information, such as ASNs and IP addresses. The “PKI” part means we use a cryptographic method with certificates and signing. Normally, we use X.509 certificates for user authentication or websites, and those certificates include an identity. RPKI certificates don’t, so there is an extension for IP addresses and AS identifiers.
The resource holder owns the prefix and ASN, so this is the only entity that can create a signed object with the prefix and ASN. These signed objects are added to central lists, which we can use for verification.
Only allowing resource holders to create objects, and using PKI with certificates to enforce and validate the trustworthiness of this data, is what IRR lacks and what makes RPKI a reliable solution.
RPKI makes the Internet more secure because you can check which prefixes belong to what ASes. Another benefit is that when you peer with a remote AS or assign IP addresses to customers, you have proof that you are the legitimate owner of one or more prefixes.
BGP Hijacking Scenarios
Whether a BGP route is accepted depends on each ISP's engineering. ISP due diligence only goes so far: input errors, automation blunders and malicious intent are just some examples of problems that are hard to mitigate. Ultimately, the core of the problem is that there is no ground truth as to who should announce a path or who the real owner is.
Information sent through the Internet has limited protection against BGP Hijacks. A BGP hijack happens when an AS makes a BGP announcement for equal or more specific IP prefixes which the AS does not own.
Scenario (a) shows normal BGP advertisement. AS 1 is the valid holder of the IP address block 10.1.0.0/16 and advertises the corresponding route with this prefix and an AS_Path of 1 through a BGP message. After receiving the route, AS 2 sends IP packets whose destination addresses fall within the 10.1.0.0/16 address block to AS 1, adds its own AS number to the front of the AS_Path, and advertises the route onward. In that route, the IP prefix is 10.1.0.0/16, and the AS_Path is <2 1>. AS 3 and AS 4 behave in the same way as AS 2.
In scenario (b), after AS 1 advertises the route 10.1.0.0/16, AS 4 forges a route advertisement, claiming to be the origin AS for 10.1.0.0/16. In this case, AS 3 receives two routes destined for 10.1.0.0/16: one route whose AS_Path length is 2 (the real route), and another whose AS_Path length is 1 (the fake route). Because BGP prefers the route with the shortest AS_Path, AS 3 selects the fake route. As a result, all traffic to be sent to AS 1 is hijacked to AS 4. This is prefix hijacking.
In scenario (c), after AS 1 advertises the route 10.1.0.0/16, AS 4 constructs and sends an advertisement of a more specific route (10.1.0.0/24). Because BGP prefers the route with the longest prefix, the traffic from AS 2 or AS 3 to 10.1.0.0/24 is sent to AS 4. This is sub-prefix hijacking.
Key Benefits of BGP RPKI
1. Preventing Route Hijacking
Route hijacking occurs when a malicious actor advertises IP prefixes they do not own, causing traffic to be misrouted or intercepted. RPKI mitigates this risk by verifying that the AS announcing the route is authorized to do so. This validation process makes it significantly harder for attackers to successfully hijack routes.
2. Reducing Misconfigurations
Network misconfigurations can lead to incorrect route announcements, causing widespread disruptions. By using RPKI, network operators can ensure that only legitimate routes are advertised, reducing the likelihood of accidental misconfigurations and enhancing overall network stability.
3. Enhancing Trust and Security
RPKI adds a layer of trust to the internet's routing infrastructure. By cryptographically validating routing information, RPKI helps build a more secure and reliable network. This increased trust is crucial for maintaining the integrity of data transmission across the internet.
4. Improving Routing Efficiency
With RPKI, BGP routers can make more informed routing decisions. By validating routes against the RPKI database, routers can prioritize legitimate routes and discard invalid ones. This improves the efficiency and reliability of routing, leading to better network performance.
5. Supporting Best Practices and Compliance
Implementing RPKI aligns with industry best practices for network security. Many internet governance organizations and industry groups recommend RPKI adoption to enhance routing security. By adopting RPKI, network operators can demonstrate their commitment to securing the internet's infrastructure and complying with industry standards.
How Does RPKI Work?
Important Concepts
IANA further assigns resources to the five Regional Internet Registries (RIR):
2 RPKI: RPKI is a digital certificate system. Its basic function is to provide cryptographically verifiable guarantees for resources such as IP addresses and AS numbers. Routers can download the validated cache from the RPKI validator using the RPKI to router protocol (RPKI-RTR). The router will download a list with VRPs and compare the routing information in the BGP table with the VRP. There can be one of three states per prefix:
3 Certificate: Any resource holder who has the right to reallocate resources must be able to issue certificates for reallocated resources. RPKI certificates include those issued by a certificate authority (CA) and by an end entity (EE). CA certificates are used to guarantee IP address and AS number assignment and associate IANA with the regional Internet registries (RIRs), national Internet registry (NIR), and Internet service providers (ISPs). EE certificates are used to validate Route Origin Authorization (ROA). An entity that holds CA certificates is called a CA. Each CA maintains its own database for relying parties (RPs) to synchronize its certificates and signature objects. The databases of all CAs constitute an RPKI database, which is a certificate storage system and an important part of the RPKI architecture.
4 ROA: ROA refers to the authorization of an IP address by its owner to an AS.
Most RIRs offer dashboards that resource holders can use to log in and find the ASN and prefixes they own. This is also where they can create a signed object with public key cryptography, which contains three items:
How to Create an ROA
There are several things to consider before creating an ROA:
For in-depth information on how to create an ROA, please refer to the instructions outlined by each respective RIR:
5 RPKI database: The RPKI database is used to store certificates and signatures.
6 RPKI RP is a bridge between the RPKI system and the Internet inter-AS routing system. The RP periodically downloads certificates and ROA signatures from the RPKI database and validates them to obtain the binding relationship between IP address prefixes and AS numbers. The RP delivers the validation results to routers. Based on the results, the routers determine the authenticity of BGP routing messages.
Validating Prefixes
Implementing validation depends on network details. The general steps in setting up a network for prefix validation are:
1. Installing RPKI validators – Software that retrieves RPKI data from all Internet Routing Registries (IRRs) and verifies signatures.
2. Configuring validation on border routers with the route validator – The routers fill the validation cache with combinations of validated prefixes, prefix lengths, and source ASNs.
3. Implementing BGP filters on external BGP sessions – Adding a policy to all BGP sessions (peer, transit, and customers) to reject any prefix that is RPKI Invalid.
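The comparison a router makes between its BGP table and the VRP list, applied to hijack scenarios (a) to (c) above, can be sketched as follows. This is an added example, not code from the original article: the state names follow RFC 6811, and the VRP (prefix 10.1.0.0/16, maxLength 16, AS 1), the 10.2.0.0/16 route and all function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: the (prefix, maxLength, ASN) tuple a router gets over RPKI-RTR."""
    prefix: str
    max_length: int
    asn: int

def validate_origin(prefix, as_path, vrps):
    """Classify one announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the origin AS is the last (rightmost) entry of AS_Path
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if the route is the same prefix or a more specific one.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs both the authorized origin and a length no longer than maxLength.
        if vrp.asn == origin and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by a ROA but matched by none: invalid. No covering ROA at all: not-found.
    return "invalid" if covered else "not-found"

def apply_policy(announcements, vrps):
    """Reject RPKI-invalid routes; keep valid and not-found ones."""
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        state = validate_origin(prefix, as_path, vrps)
        (rejected if state == "invalid" else accepted).append((prefix, as_path, state))
    return accepted, rejected

# Constructed sample data: one VRP for AS 1, and the routes AS 3 sees in scenarios (a)-(c).
VRPS = [VRP("10.1.0.0/16", 16, 1)]
ANNOUNCEMENTS = [
    ("10.1.0.0/16", [2, 1]),  # (a) real route learned via AS 2
    ("10.1.0.0/16", [4]),     # (b) prefix hijack, AS 4 as origin
    ("10.1.0.0/24", [4]),     # (c) sub-prefix hijack
    ("10.2.0.0/16", [4]),     # constructed prefix with no ROA
]

if __name__ == "__main__":
    accepted, rejected = apply_policy(ANNOUNCEMENTS, VRPS)
    for prefix, as_path, state in accepted + rejected:
        print(f"{prefix:<14} AS_Path={as_path} -> {state}")
```

With maxLength 16, a 10.1.0.0/24 announcement is invalid even when AS 1 itself originates it, so a resource holder who announces more specific prefixes has to reflect that in the ROA.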
Best Practices for RPKI
1. Obtain and Maintain RPKI Certificates
Description:
Ensure that you obtain RPKI certificates from your Regional Internet Registry (RIR). These certificates are essential for creating Route Origin Authorizations (ROAs).
Best Practices:
2. Create Accurate ROAs
Description:
Route Origin Authorizations (ROAs) are critical components of RPKI. They specify which Autonomous Systems (ASes) are authorized to announce specific IP prefixes.
Best Practices:
3. Regularly Update ROAs
Description:
Network configurations and routing policies can change over time. It's important to keep ROAs up to date to reflect these changes.
Best Practices:
4. Use Relying Party Software
Description:
Relying party software validates BGP announcements against the RPKI repository, ensuring that only authorized routes are accepted.
Best Practices:
5. Monitor Validation Results
Description:
Monitoring validation results helps identify and address potential issues with your RPKI implementation.
Best Practices:
6. Coordinate with Upstream and Downstream Networks
Description:
Effective RPKI implementation requires coordination with both upstream and downstream networks to ensure consistency and reliability.
Best Practices:
7. Educate Your Team
Description:
RPKI implementation involves various technical details and requires ongoing management. Educating your team is crucial for successful deployment.
Best Practices:
8. Implement Redundancy and Backup Plans
Description:
RPKI infrastructure should be resilient to failures and disruptions. Implementing redundancy and backup plans ensures continuous operation.
Best Practices:
Conclusion
Implementing RPKI is a vital step toward securing BGP and improving the integrity of internet routing. By following these best practices, network operators can maximize the benefits of RPKI, prevent route hijacking, reduce misconfigurations, and enhance overall network security. As the internet continues to evolve, staying committed to these best practices will ensure a more stable and secure routing infrastructure for everyone.
10mo: Thank you. Should be basic on all networks, but is not - which numerous OSINT tools show you for nothing.
10mo: Super interesting! Thanks! 👏