Bringing Content Closer to Users: The Netflix Experience
Origin validation of Border Gateway Protocol (BGP) advertisements using Resource Public Key Infrastructure (RPKI) resource certification is growing in Latin America and the Caribbean, as are peering agreements between Internet service providers (ISPs) and content distribution networks (CDNs).
The growth of content distribution networks means that groups of servers located in different parts of the region now host local copies of content that would otherwise be served from geographically distant servers. Serving users from these nearby copies makes content delivery faster and more reliable.
Netflix is one of the organizations in the region that validate the origin of the BGP advertisements they receive, using RPKI or IRR data.
Sulema Contreras, Netflix Network & CDN Strategist, explained that her company encourages its partner ISPs to follow industry best practices to build and operate a more secure Internet.
In February 2020, Netflix enabled RPKI filtering on BGP sessions to embedded Open Connect Appliances (OCAs). In September of that same year, Netflix enabled RPKI filtering on all peering and transit BGP sessions, “honoring the wishes of ISPs who chose to opt into the RPKI ecosystem to protect their IP address space, with no impact for ISPs who have not signed their address space,” Contreras added.
She also noted that RPKI provides a method for networks that have been assigned IP addresses to specify which ASNs are authorized to originate those IP address prefixes, via route origin authorizations (ROAs) stored by the regional Internet registries.
Peering. Netflix's peering agreements do not request specific information. “What we expect from our partners is that they maintain up-to-date IRR (AS-SET) records for their own IP segments as well as for those that transit and/or are related to their network. For RPKI, each partner must properly sign the prefix they are advertising to the network and make sure they set the correct maxlen value in the ROA (careful with netmask),” Contreras added.
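The maxlen warning above is where partners most often trip: a ROA covers the signed prefix and any more-specific of it only up to maxLength, so a /22 signed without a maxLength makes every /24 announced out of it RPKI-invalid. The following is an added example, not code from Netflix or the original article: the route origin validation procedure of RFC 6811 run over a constructed ROA table. The prefixes are RFC 5737/RFC 3849 documentation ranges and the ASNs come from the RFC 5398 documentation range; none are real assignments.

```python
"""Route Origin Validation (RFC 6811) against a constructed ROA set.

Added example, not Netflix code. ROAs, prefixes (documentation TEST-NETs)
and ASNs (documentation range 64496-64511) are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: `asn` may originate `prefix` and any
    more-specific of it up to `max_length`. When a ROA carries no maxLength,
    only the exact prefix length is authorised (the "careful with netmask" case)."""
    prefix: str
    asn: int
    max_length: Optional[int] = None

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def maxlen(self) -> int:
        return self.network.prefixlen if self.max_length is None else self.max_length


def validate(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return "Valid", "Invalid" or "NotFound" for one BGP announcement.

    Covering ROAs are those whose prefix contains the announced one (same
    address family). No covering ROA -> NotFound. A covering ROA whose ASN
    equals the origin and whose maxLength >= the announced length -> Valid.
    Covered but nothing matches (wrong origin, too-long prefix, AS0) -> Invalid.
    """
    route = ipaddress.ip_network(announced_prefix, strict=False)
    covering = [r for r in roas
                if r.network.version == route.version and route.subnet_of(r.network)]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.maxlen:
            return "Valid"
    return "Invalid"


# Constructed ROA table: what a partner might have signed at its RIR.
ROAS: List[ROA] = [
    ROA("203.0.113.0/24", 64496),         # exact /24 only (no maxLength)
    ROA("198.51.100.0/22", 64496, 24),    # /22 plus its /23s and /24s, nothing longer
    ROA("192.0.2.0/24", 0),               # AS0 ROA: nobody may originate this prefix
    ROA("2001:db8::/32", 64497, 48),
]

# Constructed announcements as they might arrive on a peering session.
ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("203.0.113.0/24", 64496),    # Valid
    ("203.0.113.0/25", 64496),    # Invalid: /25 exceeds the implicit maxLength of 24
    ("203.0.113.0/24", 64511),    # Invalid: covered, but wrong origin ASN (hijack-shaped)
    ("198.51.100.0/23", 64496),   # Valid: 22 <= 23 <= 24
    ("198.51.100.64/26", 64496),  # Invalid: /26 is longer than maxLength 24
    ("192.0.2.0/24", 64496),      # Invalid: the AS0 ROA forbids every origin
    ("2001:db8:1::/48", 64497),   # Valid
    ("10.0.0.0/8", 64496),        # NotFound: no ROA covers it, so RPKI says nothing
]


def validate_table(announcements=ANNOUNCEMENTS, roas=ROAS):
    """Validate every announcement; a router doing RPKI filtering drops the Invalid ones."""
    return {(p, a): validate(p, a, roas) for p, a in announcements}


if __name__ == "__main__":
    for (prefix, asn), state in validate_table().items():
        print(f"{prefix:22} AS{asn:<6} {state}")
```

Note the asymmetry that makes the maxlen advice matter: a NotFound route is still accepted by a filter that only drops Invalid routes, whereas a prefix that is signed but announced more specifically than its maxLength allows becomes Invalid and disappears from the table.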
As for the use of AS-SETs, Netflix believes that its partners must create an AS-SET containing each ASN with which they have an established transit and/or peering relationship and which is served from Netflix OCAs. “Thus, we receive an unambiguous signal that all prefixes associated with the ASNs in their AS-SET are not leaked routes but fully authorized and expected. This will keep us from erroneously flagging potentially leaked routes. To verify that their AS-SET is correctly defined, a query can be run via public registries such as RADb, APNIC, NSRC, or LACNIC,” the expert observed.
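To make the AS-SET check concrete, here is an added example (not Netflix's tooling, and not part of the original article) that parses RPSL as-set objects of the kind a registry returns, expands the set recursively, and labels received routes whose origin ASN falls outside the expanded cone as possible leaks. The registry text, AS-SET names and ASNs are constructed; it also contains a deliberate membership loop, because real AS-SETs do reference each other and a naive expansion would never terminate.

```python
"""Expand an RPSL AS-SET and flag origin ASNs outside it.

Added example, not Netflix code. The registry text below is constructed to
mimic RADb-style whois output; names and ASNs are hypothetical.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed registry objects. AS-EXAMPLECUST lists AS-EXAMPLEISP as a member,
# creating a loop that the expansion must tolerate.
REGISTRY_DUMP = """\
as-set:     AS-EXAMPLEISP
descr:      Customer cone of the hypothetical ISP AS64496
members:    AS64496, AS64497
members:    AS-EXAMPLECUST
mnt-by:     MAINT-EXAMPLEISP
source:     RADB

as-set:     AS-EXAMPLECUST
descr:      Downstream customers behind AS64497
members:    AS64498, AS64499
members:    AS-EXAMPLEISP
mnt-by:     MAINT-EXAMPLECUST
source:     RADB
"""


def parse_rpsl(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Split blank-line-separated RPSL objects into {AS-SET name: {attribute: [values]}}.
    Repeated attributes (several 'members:' lines) accumulate in order."""
    registry: Dict[str, Dict[str, List[str]]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "as-set" in attrs:
            registry[attrs["as-set"][0].upper()] = attrs
    return registry


def expand_as_set(name: str, registry, seen: Optional[Set[str]] = None) -> Set[int]:
    """Resolve an AS-SET to the ASNs it contains, following nested sets.
    `seen` guards against loops. An unknown set raises, because a member the
    registry cannot resolve means the AS-SET is not verifiable."""
    seen = set() if seen is None else seen
    name = name.upper()
    if name in seen:
        return set()
    seen.add(name)
    if name not in registry:
        raise KeyError(f"{name}: no such as-set in registry")
    asns: Set[int] = set()
    for field in registry[name].get("members", []):
        for member in (m.strip().upper() for m in field.split(",") if m.strip()):
            if member.startswith("AS-") or ":" in member:  # nested (possibly hierarchical) set
                asns |= expand_as_set(member, registry, seen)
            elif re.fullmatch(r"AS\d+", member):
                asns.add(int(member[2:]))
            else:
                raise ValueError(f"unexpected member {member!r} in {name}")
    return asns


def classify_routes(routes: Iterable[Tuple[str, int]], as_set: str, registry) -> Dict[str, str]:
    """Label each (prefix, origin ASN) heard from a partner as 'expected'
    (origin inside its AS-SET) or 'possible-leak' (origin outside it)."""
    allowed = expand_as_set(as_set, registry)
    return {prefix: ("expected" if asn in allowed else "possible-leak")
            for prefix, asn in routes}


# Constructed routes heard from the partner that published AS-EXAMPLEISP.
ROUTES = [
    ("203.0.113.0/24", 64496),   # the partner itself
    ("198.51.100.0/24", 64498),  # reached through the nested AS-EXAMPLECUST
    ("192.0.2.0/24", 64510),     # not in the cone: a leak, or a stale AS-SET
]


if __name__ == "__main__":
    reg = parse_rpsl(REGISTRY_DUMP)
    print(sorted(expand_as_set("AS-EXAMPLEISP", reg)))
    for prefix, verdict in classify_routes(ROUTES, "AS-EXAMPLEISP", reg).items():
        print(f"{prefix:18} {verdict}")
```

Against a live registry the same objects are retrieved with a whois query such as `whois -h whois.radb.net AS-EXAMPLEISP` (the set name is hypothetical), and the "possible-leak" verdict is exactly the ambiguity Netflix says an up-to-date AS-SET removes: either the route is a leak, or the partner forgot to add a new customer ASN to its set.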
Along with other organizations in the region, Netflix has adopted the Mutually Agreed Norms for Routing Security (MANRS), a global routing security initiative supported by the Internet Society.
The MANRS actions help the Internet community (ISPs, CDNs, and IXPs) reduce the most common routing threats, contributing to the stability and security of the entire Internet ecosystem.