Author: Names and Numbers Committee
RPKI can be an effective anti-abuse tool by helping to not only clean up Internet routing, but to make it more secure by working to prevent leaks and route hijacks. These were some of the topics covered by a panel at the most recent Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) meeting in San Francisco. The panel, titled “Implementing RPKI,” stemmed from an open-round table discussion at a previous M3AAWG meeting: “How to Encourage Adoption of RPKI to Help Stop Abuse of Internet Number Resources.” This RPKI session was chaired by the Names and Numbers Committee and featured Brad Gorman from ARIN and Rich Compton from Charter Communications, each presenting different perspectives on RPKI. The topics covered included a high-level overview of routing security, and a more in-depth look at RPKI, and how it can be an effective anti-abuse tool in helping to prevent route hijacks. The discussion also highlighted the three current options for RPKI deployment — hosted, delegated, and hybrid and covered the components of each. Also included in the discussion was an implementer's experience with deploying RPKI into their company network, the steps they took to deploy it, and the lessons they learned.
What is RPKI?
RPKI stands for Resource Public Key Infrastructure and its purpose is to be one of the main building blocks behind routing security on the Internet. Using cryptographically verifiable certificates, RPKI allows IP address holders to create public statements specifying which Autonomous Systems are authorized to originate their IP address prefixes. These statements, known as Route Origin Authorizations (ROAs), allow network operators to make informed routing decisions, and help secure Internet routing in general.
Why use it?
Internet routing is dependent upon many chains of relationships that are based on mutual trust. Each party trusts that the route used to transmit information is safe, accurate, and will not be maliciously altered. This was sufficient in the early stages of Internet development but has become increasingly vulnerable to attack as the Internet’s resources have seen a massive increase in usage. As IPv4 address space continues to deplete, it’s increasingly important to strengthen your routing security. RPKI helps to ensure that Internet number resource holders are certifiably linked to those resources, and reliable routing origin data is available to help determine routing decisions.
Here are a few examples of when RPKI could have prevented disaster:
- In late 2013 and early 2014, Dell Secure Works noticed /24 announcements were being hijacked. Amazon, OVH, Digital Ocean, LeaseWeb, and Alibaba networks were being routed to a small network in Canada. Data between Bitcoin miners and Bitcoin data pools were intercepted - an estimated haul of $83,000. All of this could have been prevented with RPKI. Source: https://www.secureworks.com/research/bgp-hijacking-for-cryptocurrency-profit
- The Turkish President ordered censorship of Twitter. Turk Telekom’s DNS servers were configured to return false IP addresses, so people started using Google’s DNS (126.96.36.199). Turk Telekom hijacked Google’s IP addresses in BGP. RPKI could have stopped this from happening. Source: https://www.computerworld.com/article/2489265/google--level-3-dns-services-hijacked-in-turkey.html
- In another instance, Pakistan Telecom was ordered to block YouTube. They originated their own route for YouTube’s IP address block which resulted in YouTube’s traffic being temporarily diverted to Pakistan. This incident could have been prevented with widespread adoption of RPKI. Source: https://www.ripe.net/publications/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study
Internet routing today is vulnerable to attack and hijacking, and the provisioning/use of certificates is one of the steps required to make routing more secure. Widespread RPKI adoption will help simplify IP address holder verification and routing decision-making globally.
For more information from each Regional Internet Registry (RIR) on how to deploy RPKI see:
- ARIN - https://www.arin.net/resources/manage/rpki/
- AFRINIC - https://afrinic.net/resource-certification
- APNIC - https://www.apnic.net/community/security/resource-certification/
- LACNIC - https://www.lacnic.net/640/2/lacnic/resource-certification-system-rpki
- RIPE NCC - https://www.ripe.net/manage-ips-and-asns/resource-management/rpki
- NIST RPKI Deployment Monitor - https://www.nist.gov/services-resources/software/nist-rpki-deployment-monitor
Additional email, messaging and online abuse best practices from M3AAWG are available here, https://www.m3aawg.org/published-documents.