Importance of RPKI Validators

11/07/2023

By Jorge Cano, Senior Software Architect at LACNIC

The Internet has become an essential tool in our daily life. We use the Internet to work, for entertainment, to plan our holidays, and for many other activities. But something that we should have learned early on in matters of security is that we should not blindly trust the information we receive. There are malicious actors online who seek to deceive us by sending spam or phishing messages, often disguising themselves as people we know, members of our family, our bank, or service providers. Over time, we have learned to detect and ignore this type of threat, but we must always be vigilant so that we don’t fall into one of these traps.

You may be wondering what the relationship between phishing and RPKI validators (Resource Public Key Infrastructure validators) is. Well, the answer is that our routers blindly trust the announcements that reach them through their neighbors, and they can therefore fall victim to bogus information. This bogus information, however, is not necessarily the fault of malicious actors. It can also be due to a human error that can potentially affect third parties because of an incorrect configuration.

One of the most famous cases in the latter category occurred in 2008 with Pakistan Telecom[1], which caused major problems for YouTube users in their region as a result of a configuration error. During this incident, the government of Pakistan tried to block access to YouTube for its citizens, but mistakenly announced the YouTube prefix as if it were their own. As a result, all customers in the region were redirected to YouTube through a shorter route via Pakistan Telecom’s systems, which became saturated and caused major problems not only for themselves but also for Google and users in the region who wanted to use YouTube services. This is known as BGP route hijacking, where BGP is the protocol that routers use to communicate.

However, not all cases are due to errors and routes have sometimes been hijacked with malicious intent. In 2014, attackers used this technique to divert traffic through a Canadian Internet provider for a few seconds, and managed to steal a significant amount of cryptocurrency[2].

And this is where the importance of RPKI validators comes in, as they provide information to routers so that they can detect these bogus messages, regardless of whether they are due to configuration errors or malicious intent. Validators download the signed database, known as RPKI, which contains the relationship between the IP address blocks and the ASNs where their announcements can originate. With this information, routers can detect messages with fake or incorrect routes.

There are several implementations of RPKI validators that are supported by a large number of software and commercial routers. Open source options include: NLnetLabs’s Routinator, Cloudflare’s OctoRPKI Validator, and LACNIC’s and NIC Mexico’s FORT Validator.

Installing a couple of different validators is a good practice for redundancy and code diversity purposes. If you have already installed validators, it is extremely important to perform regular maintenance and to update them whenever a new stable version is released, as improvements are generated daily and best practices are created to enhance the performance and security of the ecosystem. By the way, if you have already installed the RIPE validator, keep in mind that this project has already concluded and will no longer be updated[3][4], so its use is no longer recommended.

At LACNIC, we are committed to the continued improvement of Internet security and strengthening the resilience of routing systems, a key component of Internet infrastructure. It is within this framework that the free and open source FORT Validator emerged in 2018. This solution allows operators to validate BGP routing information against the RPKI repository. We are currently working on a final, improved version of the validator that will be announced in the coming months.

References

1. https://www.lacnic.net/innovaportal/file/2639/1/guillermo-rpki.pdf
2. https://www.wired.com/2014/08/isp-bitcoin-theft/
3. https://labs.ripe.net/author/nathalie_nathalie/lifecycle-of-the-ripe-ncc-rpki-validator/
4. https://blog.apnic.net/2021/02/17/ripes-rpki-validator-is-being-phased-out-so-what-are-the-other-options/