Evolution of RPKI: Towards Higher Levels of Security in Regional Routing
25/01/2023
Routing policies are advancing in the region with RPKI at the forefront and hand in hand with simpler processes and initiatives by large companies and content providers. However, if optimal security margins are to be achieved, more operators need to become involved.
In recent years we have witnessed growth in the adoption of routing policies, which is good news for the entire Internet ecosystem. Yet there is still a long way to go.
According to LACNIC CTO Carlos Martínez, operators in the region should not ignore the risks of not doing anything about routing security issues. “Although between 2021 and 2022 we observed the evolution and growth of the measures implemented by operators, particularly RPKI (Resource Public Key Infrastructure), the reality is that many have not done anything: approximately half of our members have yet to publicly express their routing policies,” he said.
Routing is based on the automated Border Gateway Protocol (BGP), which is responsible for providing addresses so that traffic can travel from an IP address to its destination in the most efficient way possible. The problem is that BGP itself does not include any mechanisms to check whether an organization has the right to use the IP resources.
This allows for unsafe routing scenarios: route hijacking and route leaks.
BGP hijacking occurs when a network falsely claims to know how to reach its destination and thus manages to divert a portion of the traffic that passes through it. While most of these situations are caused by configuration errors, some malicious actors can analyze, modify, or eliminate traffic to cause a denial-of-service attack. “Cryptocurrency exchanges have recently suffered this type of attack where a portion of the traffic is hijacked and the blockchain’s ability to generate consensus is eliminated. It is worth noting that there is a lot of money committed to this type of attack,” Martínez added.
A route leak is the propagation of routing announcements beyond their intended reach. “The network announces that it can reach a destination that it cannot actually reach but adds that the path it will use to get there is better than any other existing path. Traffic sent to this destination is lost, as it does not know which path it must use to get there. This is generally caused by configuration errors in the source autonomous system; however, from a technological point of view, route leaks are a little more difficult to mitigate than route hijacking,” Martínez explained.
Routing Policies: From LoAs to RPKI
Various techniques have been used over the years to check whether the information received via BGP is legitimate. The first of these was the LoA (letter of authorization), an official document from a service provider or client authorizing a third party to gain access to that client’s information from a telecommunications provider.
“Basically, in this type of document, someone takes responsibility for all the routes. The funny thing about LoAs is that they are manually signed and scanned PDF letters, an incredibly precarious situation,” Martínez said.
For many years, Internet operation depended on LoAs. “Here, it should be noted that there is no digital check or automation of any kind: the connection between two networks is only mediated by a piece of paper that announces the routes, with the enormous possibility of error that this entails,” he stressed.
Today, there is more awareness regarding the dangers of this procedure, although LoAs still abound at company level as an administrative formality.
An Internet Routing Registry (IRR) is a database where operators can specify their routing policies and make this information publicly available so that other actors who are part of the Internet routing system can use it to configure their devices.
Martínez explained that IRRs are marginally better than LoAs because an IRR is the description of a routing policy written in a language that can be automatically processed and transformed into router configuration. In the words of Martínez, “In a way, human error is eliminated, but strictly speaking, a classic IRR has a lot of spoofing potential, as it is a hosted text file that lends itself to the unauthorized creation of objects.”
In turn, RPKI is a public key infrastructure framework designed to offer providers additional tools to check a client’s right to use specific Internet resources. It incorporates ROAs (Route Origin Attestations), i.e., digitally signed objects that describe an association between a set of prefixes (IPv4 or IPv6) and the autonomous system authorized to originate a route for these prefixes in BGP advertisements. This makes it possible to automatically compare the information received via BGP against the definitions contained in the RPKI ROAs.
Another Step Towards Security
In the opinion of Martínez, RPKI allows an additional level of security because it largely eliminates human error from the routing configuration process. RPKI also highlights the key role of actors such as LACNIC. “We are in the right position to be the trust anchors for the entire system. Our efforts are aimed at verifying the validity of all our members’ certificates and requiring all the necessary documentation to validate them,” he explained.
Hence the importance and our insistence that operators in the region express their routing policies. “Expanding the signed coverage of IP space announced by LACNIC members and, with it, achieving a better and more stable operation partly depends on more of our members creating ROA objects in our systems,” he observed.
The analysis conducted by LACNIC shows that the objects created in the IRR were those that grew the most: more than 200%. “On the one hand, the reason for this is that they became popular once again and we developed software that makes them easy to use,” he added.
Likewise, global RPKI adoption has grown in recent years. “We at LACNIC have noticed this among our members, especially during the past year,” Martínez said.
There are several underlying reasons for this, one of which relates to the actions of large companies. Major operators such as NTT or AT&T and important content providers such as Cloudflare have recently started to drop BGP announcements based on their RPKI validity status.
In the same sense, Martínez highlights an interesting fact: towards the end of 2020, some large content providers such as Netflix and Google began to require that those wishing to exchange traffic directly with them must have some form of routing safeguard configured, either IRR or preferably RPKI. “When the large content providers implemented this request, in both cases we clearly noticed the creation of a very large number of objects,” Martínez explained.
Another reason for the increase in RPKI adoption has to do with the simplification of the process at a technological level. However, this sounds an alarm: it is important to verify that the information defined by each organization in RPKI is correct. Incorrect ROAs might eventually lead to a loss of connectivity with important operators, hence the importance of having precise routing policies.
Martínez pointed out that one of the most surprising things they often come across is operators’ lack of knowledge of their own networks. “In order to create ROAs properly, an operator must know their own network or identify information that can sometimes get lost within the organization. ROAs must effectively follow their routing policy.”
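The comparison of BGP announcements against ROAs described earlier, and the way an imprecise ROA can invalidate an operator's own routes, shown as an added example (not LACNIC's code) that follows the origin validation rules of RFC 6811. The prefixes and AS numbers are constructed from documentation ranges, and the function names are illustrative.

```python
import ipaddress
from typing import NamedTuple, Union

class VRP(NamedTuple):
    """One validated ROA payload: prefix, maxLength and authorized origin AS."""
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    max_length: int
    asn: int

def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)

def validate_origin(vrps, prefix: str, origin_asn: int) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for v in vrps:
        # A VRP covers the route when the route equals or lies inside its prefix.
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        # Match: same origin AS and the route is no more specific than maxLength.
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    # Covered by a ROA but matched by none: invalid. No covering ROA: not-found.
    return "invalid" if covered else "not-found"

# Constructed sample data (documentation prefixes and AS numbers).
SAMPLE_VRPS = [
    vrp("198.51.100.0/24", 24, 64496),
    vrp("2001:db8::/32", 48, 64497),
]
SAMPLE_ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64496),  # matches the ROA
    ("198.51.100.0/24", 64511),  # covered prefix, unauthorized origin AS
    ("198.51.100.0/25", 64496),  # right AS, but longer than maxLength
    ("2001:db8:1::/48", 64497),  # more specific, still within maxLength 48
    ("203.0.113.0/24", 64496),   # no ROA covers this prefix
]

def classify_all(vrps, announcements):
    return [(p, asn, validate_origin(vrps, p, asn)) for p, asn in announcements]

if __name__ == "__main__":
    for p, asn, state in classify_all(SAMPLE_VRPS, SAMPLE_ANNOUNCEMENTS):
        print(f"{p:<18} AS{asn:<6} {state}")
```

The third announcement is the failure mode an imprecise ROA produces: the legitimate holder announces a /25, the ROA only authorizes up to /24, and networks that drop invalid routes discard it.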
In addition, potential extensions to the basic functions of RPKI have been proposed at the IETF. “These are all signs of the acceptance RPKI is gaining among operators seeking to guarantee global routing security. One of the current focuses is a set of techniques known as ASPA, because while RPKI solves the problem of route hijacking quite well, there is still a lot to be done in relation to route leaks and the addition of new functionalities in this sense is being studied,” Martínez explained.
As more and more operators publicly document their routing policy, routing security in Latin America and the Caribbean is reaching new levels. “Not only is the process increasingly less complex, at some point it may become a requirement, as is happening among large content operators. Why do it in a hurry if we can be proactive?” Martínez concluded.
Members who hold resources directly assigned by LACNIC or by NIC Mexico can access the MiLACNIC portal to create their ROAs. Members in Brazil must complete the process using the tools provided by NIC.BR.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.