- Resource Public Key Infrastructure (RPKI) is a framework designed to secure BGP and improve routing security.
- RPKI mitigates BGP's lack of built-in security by allowing network operators to cryptographically validate that a BGP update is authorized by the entity that owns the IP address block.
RPKI is Resource Public Key Infrastructure, a specialized type of PKI. RPKI is a framework designed to secure the Border Gateway Protocol (BGP) and improve the routing security of the internet.
BGP is the protocol responsible for determining the best paths for data to travel across the internet. However, because BGP doesn’t include any inherent security features, it is vulnerable to various types of attacks, such as BGP prefix hijacking and route leaks.
RPKI aims to mitigate these vulnerabilities by allowing network operators to cryptographically validate that a BGP update (i.e., a route advertisement) is authorized by the entity that owns the IP address block.
RPKI components
- Trust Anchors (TAs): These are typically the Regional Internet Registries (RIRs) that issue resource certificates. They serve as the root of trust for RPKI, enabling resource holders to sign their prefixes and ASNs.
- Route Origin Authorizations (ROAs): These are cryptographic attestations created by resource holders that define which AS is allowed to announce specific IP prefixes. ROAs help in validating BGP route announcements.
- RPKI Validators: These tools fetch and validate RPKI data from repositories, providing network operators with the necessary information to make informed routing decisions based on the validity of received BGP announcements.
How does RPKI work?
1. Creating ROAs
Network operators create ROAs using their resource certificates issued by RIRs. A ROA specifies:
- The IP prefix.
- The authorized AS that can originate this prefix.
- The maximum length of the prefix that can be advertised.
2. Fetching and Validating Data
- Connecting to Trust Anchors: RPKI validators connect to the trust anchors provided by RIRs to retrieve all published certificates and ROAs. This connection follows a chain of trust established by the root certificate and its subordinate certificates.
- Data Retrieval Protocols: Initially, data was fetched using rsync, but most validators now use the RPKI Repository Delta Protocol (RRDP), which operates over HTTPS for better security and performance.
3. Validating Route Announcements
Once the validator has fetched the ROAs, it uses them to classify each route announcement:
- Valid: The route announcement is covered by at least one ROA whose origin AS and maximum length it matches.
- Invalid: The prefix is covered by a ROA but is announced from an unauthorized AS or exceeds the maximum length specified in the ROA.
- Not Found: There is no ROA covering the prefix.
The results of this validation are stored as Validated ROA Payloads (VRPs) in a validated cache, which routers can access.
4. Integration with BGP
Routers use the validated cache from RPKI validators through the RPKI to Router Protocol (RPKI-RTR). When a router receives a BGP route announcement, it compares it against the VRPs:
- If a matching VRP exists for the announcement, it is accepted.
- If the announcement is invalid, it is typically rejected, preventing propagation of potentially malicious or misconfigured routes.
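The four steps above, carried through as an added example that is not part of the original article: the route origin validation a router (or validator) performs against a VRP cache. The VRP set, prefixes and AS numbers below are constructed for illustration (documentation prefixes and private ASNs only), and the accept/reject policy is the common "drop Invalid, accept Valid and Not Found" practice the text describes, not any particular vendor's default.

```python
# Added example, not the article's own code: route origin validation
# (Valid / Invalid / NotFound) against a small constructed VRP cache.
import ipaddress
from dataclasses import dataclass
from typing import Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: one (prefix, maxLength, origin AS) triple."""
    prefix: IPNetwork
    max_length: int
    asn: int

def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)

# Constructed sample cache (documentation prefixes, private ASNs).
SAMPLE_VRPS = [
    vrp("192.0.2.0/24", 24, 64496),     # exact-length announcement only
    vrp("203.0.113.0/24", 26, 64497),   # more-specifics down to /26 allowed
    vrp("2001:db8::/32", 48, 64496),
    vrp("198.51.100.0/24", 24, 0),      # AS0 ROA: nobody may originate this
]

def route_origin_validation(prefix: str, origin_asn: int, vrps) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for an announced route."""
    route = ipaddress.ip_network(prefix, strict=False)
    # A VRP covers the route when the route equals or lies inside the VRP
    # prefix; a ROA for a more-specific prefix does not cover an aggregate,
    # and IPv4/IPv6 never cover each other.
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"
    # One covering VRP with the right origin AS and an acceptable length is
    # enough. An AS0 VRP can never match a real origin, so it only yields Invalid.
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"

def accept_route(prefix: str, origin_asn: int, vrps) -> bool:
    """Typical operator policy: reject Invalid, accept Valid and NotFound."""
    return route_origin_validation(prefix, origin_asn, vrps) != "Invalid"

if __name__ == "__main__":
    for p, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                   ("192.0.2.0/24", 64497), ("203.0.113.128/25", 64497),
                   ("192.0.0.0/16", 64496), ("198.51.100.0/24", 64496)]:
        print(p, asn, route_origin_validation(p, asn, SAMPLE_VRPS))
```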
What’s the benefit of RPKI?
- Enhanced Security: By ensuring that only legitimate holders can authorize route announcements, RPKI significantly reduces the risk of malicious activities such as route hijacking.
- Improved Reliability: The use of RPKI helps prevent accidental route leaks and ensures that routing information is accurate and trustworthy, thereby enhancing overall network reliability.
- Simplified Validation Process: Unlike traditional methods that rely on less secure databases, RPKI provides a centralized and cryptographically secure method for validating routing information, making it easier for network operators to manage their routes effectively.
RPKI is an important development in protecting the Internet's routing infrastructure. By using cryptographic techniques and establishing an unambiguous chain of trust, it addresses several of BGP's routing flaws. As the Internet grows and changes, adopting RPKI is becoming ever more important, since it is widely regarded as crucial to preserving the security and integrity of global network connectivity.