RPKI: How and Why

Written By Ali Fisher

If I were a big dumb nerd, I would start by telling you that RPKI is a framework designed to secure the Internet's routing infrastructure. It provides cryptographic validation of route announcements, ensuring that only authorized networks can advertise specific IP address blocks. However, because we’re all super cool here, I’m instead going to tell you that RPKI is like a verified blue check on your advertised routes. Yesterday afternoon, we had a brief period of panic when the ISP that services the internet backbone connected to our datacenter started dropping BGP routes, which brought essentially all network traffic traversing those routers to a grinding halt. This got me thinking; maybe it’s time we implement some route security.

Why Implement RPKI?

  1. Enhanced Security: RPKI ensures that route advertisements are legitimate, preventing unauthorized entities from hijacking IP address spaces.

  2. Improved Trust: Establishes a chain of trust within the routing infrastructure, enhancing the overall reliability of internet communications.

  3. Compliance: Many regulatory bodies and industry best practices are increasingly recommending or requiring RPKI implementation.

Steps to Implement RPKI

1. Understand Your Resources

Before diving into the implementation, it's crucial to have a clear understanding of your IP address blocks and Autonomous System Numbers (ASNs). Ensure that your records are accurate and up-to-date.

2. Set Up RPKI Infrastructure

You have two main options for setting up RPKI:

  • Hosted RPKI: Utilize the RPKI services provided by your Regional Internet Registry (RIR), such as ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC. This option is simpler and more user-friendly, especially for smaller organizations.

  • Delegated RPKI: Deploy your own RPKI infrastructure, which offers more control but requires a higher level of technical expertise.

3. Create Route Origin Authorizations (ROAs)

ROAs are digital certificates that specify which ASNs are authorized to originate certain IP address prefixes. Follow these steps to create ROAs:

  1. Login to Your RIR's Portal: Access the RPKI section in your RIR's web portal.

  2. Generate ROAs: Specify the IP prefixes and the corresponding ASNs authorized to originate them.

  3. Publish ROAs: Once generated, publish these ROAs to the RPKI repository.

4. Deploy RPKI Validators

RPKI validators are essential for verifying the authenticity of ROAs. Deploy RPKI validation software, such as:

  • Routinator (NLnet Labs)

  • OctoRPKI (Cloudflare)

  • RPSTIR (BII)

Configure these validators to fetch and validate ROAs from the RPKI repositories.

5. Integrate RPKI with Your Routing Infrastructure

Integrate the validated ROAs into your Border Gateway Protocol (BGP) routers. This typically involves:

  1. Configuring BGP Routers: Update the configuration of your BGP routers to accept and use RPKI validation results.

  2. Implementing Routing Policies: Create routing policies that prefer routes validated by RPKI and reject or deprioritize invalid routes.

6. Monitor and Maintain RPKI Deployment

Regularly monitor the status of your RPKI deployment to ensure its effectiveness. This includes:

  • Periodic Validation: Regularly validate your ROAs and ensure your validators are up-to-date.

  • Incident Response: Develop procedures for responding to RPKI-related incidents, such as invalid route detections.

Conclusion

Implementing RPKI is a crucial step in safeguarding the integrity of internet routing. By following the steps outlined in this guide and adhering to best practices, you can enhance the security and trustworthiness of your network. As cyber threats continue to evolve, proactive measures like RPKI will play an essential role in maintaining a secure and resilient internet.

Ali Fisher
Previous

AI Adversarial Attacks and Defenses: Be Nice to Our Future Overlords
Next

Get ‘em while they’re hottt!