Resource Public Key Infrastructure
Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized
RPKI provides a way to connect Internet number resource information (such as
The RPKI architecture is documented in RFC 6480. The RPKI specification is documented in a series of RFCs: RFC 6481, RFC 6482, RFC 6483, RFC 6484, RFC 6485, RFC 6486, RFC 6487, RFC 6488, RFC 6489, RFC 6490, RFC 6491, RFC 6492, and RFC 6493. SEND is documented in RFC 6494 and RFC 6495. These RFCs are a product of the
Resource Certificates and child objects
RPKI uses
Route Origin Authorizations
A Route Origin Authorization (ROA)
Maximum prefix length
The maximum prefix length is an optional field. When not defined, the AS is only authorised to advertise exactly the prefix specified. Any more specific announcement of the prefix will be considered invalid. This is a way to enforce aggregation and prevent hijacking through the announcement of a more specific prefix.
When present, this specifies the length of the most specific IP prefix that the AS is authorised to advertise. For example, if the IP address prefix is 10.0.0.0/16 and the maximum length is 22, the AS is authorised to advertise any prefix under 10.0.0.0/16, as long as it is no more specific than /22. So, in this example, the AS would be authorised to advertise 10.0.0.0/16, 10.0.128.0/20 or 10.0.252.0/22, but not 10.0.255.0/24.
Autonomous System Provider Authorizations
An Autonomous System Provider Authorization (ASPA) states which networks are permitted to appear as direct upstream adjacencies of an autonomous system in BGP AS_PATHs.[4]
RPKI route announcement validity
When a ROA is created for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity[5] of one or more route announcements. They can be:
- VALID
  - The route announcement is covered by at least one ROA
- INVALID
  - The prefix is announced from an unauthorised AS. This means:
    - There is a ROA for this prefix for another AS, but no ROA authorising this AS; or
    - This could be a hijacking attempt
  - The announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix and AS
- UNKNOWN
  - The prefix in this announcement is not covered (or only partially covered) by an existing ROA
Note that invalid BGP updates may also be due to incorrectly configured ROAs.[6]
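As an added worked example (not from the article or from any RPKI implementation), the validity rules above combined with the maximum-length rule from "Maximum prefix length", implemented in Python. The ROA class and the sample ROAs are constructed for illustration and simplify a real ROA to a single prefix; the origin AS numbers are hypothetical values from the documentation range.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Simplified relying-party model (hypothetical, added here): one prefix per ROA, no AS0 case.
@dataclass(frozen=True)
class ROA:
    prefix: str                        # IP address prefix, e.g. "10.0.0.0/16"
    asn: int                           # origin AS authorised to announce it
    max_length: Optional[int] = None   # optional maxLength field

    def effective_max_length(self) -> int:
        # Absent maxLength: only the exact prefix is authorised (see "Maximum prefix length").
        if self.max_length is None:
            return ipaddress.ip_network(self.prefix).prefixlen
        return self.max_length

def covers(roa: ROA, announced: Network) -> bool:
    """A ROA covers an announcement when the announced prefix lies inside the ROA prefix.
    A ROA more specific than the announcement only partially covers it, which is not coverage."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == announced.version and announced.subnet_of(roa_net)

def validate(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """UNKNOWN: no ROA covers the prefix. VALID: a covering ROA names this origin AS and the
    announcement is no more specific than its maxLength. INVALID: covered, but every covering
    ROA names another AS or forbids this prefix length (possible hijack or misconfigured ROA)."""
    announced = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "UNKNOWN"
    for roa in covering:
        if roa.asn == origin_as and announced.prefixlen <= roa.effective_max_length():
            return "VALID"
    return "INVALID"

# Constructed sample ROAs: the /16 with maxLength 22 from the text above, plus a ROA without
# maxLength on RFC 5737 documentation space. AS numbers are from the RFC 5398 documentation range.
SAMPLE_ROAS = [ROA("10.0.0.0/16", 64500, 22), ROA("192.0.2.0/24", 64501)]

if __name__ == "__main__":
    for p, a in [("10.0.252.0/22", 64500), ("10.0.255.0/24", 64500), ("10.0.0.0/16", 64502),
                 ("192.0.2.0/25", 64501), ("10.0.0.0/8", 64500), ("2001:db8::/32", 64500)]:
        print(f"{p:16} AS{a}: {validate(p, a, SAMPLE_ROAS)}")
```

The 10.0.0.0/8 case shows the "only partially covered" rule: the /16 ROA sits inside the announcement rather than covering it, so the result is UNKNOWN, not INVALID.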
Management
There are open source tools[7] available to run the certificate authority and manage the resource certificate and child objects such as ROAs. In addition, the RIRs have a hosted RPKI platform available in their member portals. This allows LIRs to choose to rely on a hosted system, or run their own software.
Publication
The system does not use a single repository publication point to publish RPKI objects. Instead, the RPKI repository system consists of multiple distributed and delegated repository publication points. Each repository publication point is associated with one or more RPKI certificates' publication points. In practice this means that when running a certificate authority, an LIR can either publish all cryptographic material themselves, or they can rely on a third party for publication. When an LIR chooses to use the hosted system provided by the RIR, in principle publication is done in the RIR repository.
Validation
Relying party software will fetch, cache, and validate repository data using rsync or the RPKI Repository Delta Protocol (RFC 8182).[8] It is important for a relying party to regularly synchronize with all the publication points to maintain a complete and timely view of repository data. Incomplete or stale data can lead to erroneous routing decisions.[9][10]
Routing decisions
After validation of ROAs, the attestations can be compared to BGP routing and aid network operators in their decision-making process. This can be done manually, but the validated prefix origin data can also be sent to a supported router using the RPKI to Router Protocol (RFC 6810),
RFC 6494 updates the certificate validation method of the Secure Neighbor Discovery (SEND) security mechanism for the IPv6 Neighbor Discovery Protocol (ND) to use RPKI. It defines a SEND certificate profile utilizing a modified RFC 6487 RPKI certificate profile, which must include a single RFC 3779 IP address delegation extension.
References
- ^ "Secure Inter-Domain Routing (SIDR)". datatracker.ietf.org.
- ^ Resource Public Key Infrastructure (RPKI) Router Implementation Report (RFC 7128), R. Bush, R. Austein, K. Patel, H. Gredler, M. Waehlisch, February 2014
- ^ A Profile for Route Origin Authorizations (ROAs), M. Lepinski, S. Kent, D. Kong, May 9, 2011
- ^ Azimov, Alexander; Bogomazov, Eugene; Bush, Randy; Patel, Keyur; Snijders, Job; Sriram, Kotikalapudi (29 August 2023). "BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects". Internet Engineering Task Force.
- ^ Huston, Geoff; Michaelson, George G. (Feb 2012). Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations (ROAs) (Report). Internet Engineering Task Force.
- ^ M. Wählisch, O. Maennel, T.C. Schmidt: "Towards Detecting BGP Route Hijacking using the RPKI", Proc. of ACM SIGCOMM, pp. 103–104, New York:ACM, August 2012.
- ^ "GitHub - dragonresearch/rpki.net: Dragon Research Labs rpki.net RPKI toolkit". November 23, 2019 – via GitHub.
- ^ Bruijnzeels, Tim; Muravskiy, Oleg; Weber, Bryan; Austein, Rob (July 2017). "RFC 8182 - The RPKI Repository Delta Protocol". datatracker.ietf.org.
- ^ Bush, Randy; Austein, Rob (January 2013). "RFC 6810 - The Resource Public Key Infrastructure (RPKI) to Router Protocol". datatracker.ietf.org.
- ^ "RPKI Configuration with Cisco IOS". RIPE.
- ^ "Cisco IOS IP Routing: BGP Command Reference - BGP Commands: M through N [Support]". Cisco.
- ^ "Example: Configuring Origin Validation for BGP - Technical Documentation - Support - Juniper Networks". www.juniper.net.
- ^ "BGP Secure Routing Extension (BGP-SRx) Prototype". NIST. August 15, 2016.
- ^ "Quagga with RPKI-RTR prefix origin validation support: rtrlib/quagga-rtrlib". May 10, 2019 – via GitHub.
- ^ "RTRlib - The RPKI RTR Client C Library". rpki.realmv6.org.
- ^ M. Wählisch, F. Holler, T.C. Schmidt, J.H. Schiller: "RTRlib: An Open-Source Library in C for RPKI-based Prefix Origin Validation", Proc. of USENIX Security Workshop CSET'13, Berkeley, CA, USA:USENIX Assoc., 2013.
External links
- Tool provided by Cloudflare to test whether an ISP is doing RPKI validation
- Tool by Cloudflare to explore RPKI
- Open source RPKI Documentation
- IETF Journal - Securing BGP and SIDR
- An open source implementation of the complete set of RPKI protocols and tools
- RTRlib - Open source RPKI-Router Client C Library
- NLnet Labs open source RPKI tools developed in Rust
- Quagga RPKI implementation
- BGP-SRx - Quagga router implementation of RPKI-based Origin and Path validation.
- RPKI-Monitor - Global and regional monitoring and analysis of RPKI deployment and use.
- RPKI Deployment statistics for all RIRs
- Global ROA deployment heatmap
- EuroTransit GmbH RPKI Testbed
- BGPMON - Validating BGP announcements with RPKI
- An APNIC primer on RPKI
- RIPE NCC Resource Certification (RPKI) information
- LACNIC RPKI Information
- ARIN RPKI Information
- NRO statement on RPKI
- Internet Architecture Board statement on RPKI
- Building a new governance hierarchy: RPKI and the future of Internet routing and addressing
- Secure Border Gateway Protocol (Secure-BGP)
- RPKI Router Implementation Report