RPKI: Answers to all Your Resource Certification Questions

25/04/2011

This year LACNIC launched an Internet resource certification program that allows regional organizations to digitally prove that they have the right to use the IPv4 and IPv6 addresses and ASNs they have been assigned. This program, a part of a global initiative by the Number Resource Organization (NRO), seeks to significantly improve the reliability and security of the Internet routing system.

Arturo Servin - Carlos Martinez

The key aspects of this initiative are described below.

What is RPKI?

RPKI is the acronym for Resource Public Key Infrastructure or simply “Resource Certification”. It is a group of protocols, standards and systems that allow verifying the right to use Internet number resources such as IPv4 and IPv6 addresses and Autonomous Systems. The main purpose of RPKI is to increase the safety and stability of the global Internet routing system.

How does RPKI work?

Internet is more than just one network: it is a confederation of networks that exchange traffic among themselves, some by and for their clients, while others – known as transit networks – act as gateways between networks that are not directly interconnected. Each of these networks is known as an “autonomous system” (AS). Each AS represents a region of the Internet under a single administration and is identified by a number known as an “autonomous system number”.

To properly route incoming and outgoing traffic, autonomous systems exchange control information (routes or prefixes) with their neighbors through the Border Gateway Protocol (PGP). As these prefixes are exchanged among neighboring autonomous systems, each AS adds a label with its own AS number to allow visualizing the Internet route any given prefix has followed. The first of these numbers is known as the “origin AS”. The object of RPKI is to allow intermediate autonomous systems to verify the validity of the origin AS. The system aims to provide each legitimate user of numbering resources with a digital certificate signed by its regional Internet registry (LACNIC in the case of Latin America and the Caribbean) that contains a list of all the specific resources assigned to that user.

Who certifies that an organization actually has the right to use the assigned resources?

RPKI follows the same model as resource assignment. The organization assigning the resources (the IANA, an RIR or an NIR) certifies that the organization receiving the resource (subscriber) does indeed have the right to use it.

Why should a company or organization certify its Internet resources? RPKI uses a chain of trust that allows certifying that a resource is held by a specific organization. Any organization using this chain can verify the right to use a resource and identify malicious users trying to hijack resources or protect themselves against configuration errors.

What are the benefits for an organization that certifies its resources?

The major benefit will be achieved once most organizations certify their resources and service providers use these repositories to validate the routing announcements they receive. Until massive use of RPKI is achieved, the organizations that decide to certify their resources will have less chances of having their resources hijacked by malicious users or of being affected by router configuration errors.

What possible issues will be faced by organizations that do not certify their resources?

Organizations that do not certify their resources will be exposed, as they are today, to possible Internet routing system failures that may occur as the result of malicious attacks (hijacking) or as a consequence of (involuntary) operating errors on the part of other routing system participants.

Regardless if whether it is due to a malicious attack or an involuntary error, route hijacking can cause serious damages to the affected organization before it is detected and corrected.

RPKI offers the possibility of implementing security enhancements that will allow avoiding this type of attacks. If an organization’s resources are certified, the ROAs are properly generated, and routing equipment are correctly configured, resource hijacking will no longer be something to be concerned about.

What is resource or route hijacking?

Resource or route hijacking occurs when an autonomous system announces an IP address on the global routing tables without having the authority to do so. This situation becomes more serious when the announced IPs are used by another organization.

There are many well-documented cases of the type of failure known as route hijacking, of which one that gained major media attention was the one that affected YouTube in Asia which occurred due to a route incorrectly announced in Pakistan.

The consequences of route hijacking can be devastating for an organization in the sense that its entire traffic to a broad region of the world may be redirected to an illegitimate destination, affecting not only service availability but also the confidentiality of information. This scenario becomes even more complex if we consider that no adequate tools exist that would allow an organization to know who and where its routes are being hijacked.

Can organizations with and without certified resources coexist?

Yes, absolutely. RPKI has been designed to be implemented incrementally and there is no “RPKI activation” date. Devices with and without RPKI can coexist without any problems. However, the more organizations that certify their resources and use the RPKI system’s repositories, the greater the benefits will be.

How does resource certification affect users?

Users can be sure that the traffic they originate will follow the proper route and not be redirected towards malicious routing devices.

Will companies and home users have to change their routers after resource certification?

The routers of small companies and home users will not be affected. Only Internet service providers (ISPs) and major organizations (banks, universities, etc.) that use the BGP protocol may have to update their equipment. However, in most cases this will only involve software updates.

Will the Internet be a safer place once all Internet providers certify their resources?

Without a doubt. In fact, it is already safer after a single organization certifies its resources. This technology allows “protecting” an organization’s resources regardless of whether or not other organizations also decide to do so.

Resource certification is not the solution to all of the Internet’s security problems, but it does deal with a critical issue which for a long time has been known to present potential weaknesses.