Resource Public Key Infrastructure
Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework designed to secure the Internet's routing infrastructure.
RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP addresses) to a trust anchor. The certificate structure mirrors the way in which Internet number resources are distributed. That is, resources are initially distributed by the IANA to the regional Internet registries (RIRs), who in turn distribute them to local Internet registries (LIRs), who then distribute the resources to their customers. RPKI can be used by the legitimate holders of the resources to control the operation of Internet routing protocols to prevent route hijacking and other attacks. In particular, RPKI is used to secure the Border Gateway Protocol (BGP) through BGP Route Origin Validation (ROV), as well as Neighbor Discovery Protocol (ND) for IPv6 through the Secure Neighbor Discovery protocol (SEND).
The RPKI architecture is documented in RFC 6480. The RPKI specification is documented in a spread out series of RFCs: RFC 6481, RFC 6482, RFC 6483, RFC 6484, RFC 6485, RFC 6486, RFC 6487, RFC 6488, RFC 6489, RFC 6490, RFC 6491, RFC 6492, and RFC 6493. SEND is documented in RFC 6494 and RFC 6495. These RFCs are a product of the IETF's sidr working group,[1] and are based on a threat analysis which was documented in RFC 4593. These standards cover BGP origin validation, while work on path validation (BGPSEC)[2] is underway. Several implementations for prefix origin validation already exist.[3]
Resource Certificates and child objects
RPKI uses X.509 PKI certificates (RFC 5280) with extensions for IP addresses and AS identifiers (RFC 3779). It allows the members of regional Internet registries, known as local Internet registries (LIRs), to obtain a resource certificate listing the Internet number resources they hold. This offers them validatable proof of holdership, though the certificate does not contain identity information. Using the resource certificate, LIRs can create cryptographic attestations about the route announcements they authorise to be made with the prefixes they hold. These attestations, called Route Origination Authorizations[4] (ROAs), are described below.
Route Origination Authorizations
A Route Origination Authorization states which autonomous system (AS) is authorised to originate certain IP prefixes. In addition, it can determine the maximum length of the prefix that the AS is authorised to advertise.
Maximum prefix length
The maximum prefix length is an optional field. When not defined, the AS is only authorised to advertise exactly the prefix specified. Any more specific announcement of the prefix will be considered invalid. This is a way to enforce aggregation and prevent hijacking through the announcement of a more specific prefix.
When present, this specifies the length of the most specific IP prefix that the AS is authorised to advertise. For example, if the IP address prefix is 10.0.0.0/16 and the maximum length is 22, the AS is authorised to advertise any prefix under 10.0.0.0/16, as long as it is no more specific than /22. So, in this example, the AS would be authorised to advertise 10.0.0.0/16, 10.0.128.0/20 or 10.0.252.0/22, but not 10.0.255.0/24.
RPKI route announcement validity
When a ROA is created for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity[5] of one or more route announcements. They can be:
- VALID
- The route announcement is covered by at least one ROA
- INVALID
- The prefix is announced from an unauthorised AS. This means:
- There is a ROA for this prefix for another AS, but no ROA authorising this AS; or
- This could be a hijacking attempt
- The announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix and AS
- The prefix is announced from an unauthorised AS. This means:
- UNKNOWN
- The prefix in this announcement is not covered (or only partially covered) by an existing ROA
Note that invalid BGP updates may also be due to incorrectly configured ROAs.[6]
Management
There are open source tools[7] available to run the certificate authority and manage the resource certificate and child objects such as ROAs. In addition, the RIRs have a hosted RPKI platform available in their member portals. This allows LIRs to choose to rely on a hosted system, or run their own software.
Publication
The system does not use a single repository publication point to publish RPKI objects. Instead, the RPKI repository system consists of multiple repository publication points. Each repository publication point is associated with one or more RPKI certificates' publication points. In practice this means that when running a certificate authority, an LIR can either publish all cryptographic material themselves, or they can rely on a third party for publication. When an LIR chooses to use the hosted system provided by the RIR, in principle publication is done in the RIR repository.
Validation
Relying parties run local RPKI validation tools, which are pointed at the different RPKI trust anchors and using rsync gather all cryptographic objects from the different repositories used for publication. This creates a local validated cache which can be used for making BGP routing decisions.
Routing decisions
After validation of ROAs, the attestations can be compared to BGP routing and aid network operators in their decision making process. This can be done manually, but the validated prefix origin data can also be sent to a supported router using the RPKI to Router Protocol (RFC 6810),[8] Cisco Systems offers native support on many platforms[9] for fetching the RPKI data set and using it in the router configuration.[10] Juniper offers support on all platforms[11] that run version 12.2 or newer. Quagga obtains this functionality through BGP Secure Routing Extensions (BGP-SRx)[12] or a RPKI implementation[13] fully RFC-compliant based on RTRlib. The RTRlib[14] provides an open source C implementation of the RTR protocol and prefix origin verification. The library is useful for developers of routing software but also for network operators.[15] Developers can integrate the RTRlib into the BGP daemon to extend their implementation towards RPKI. Network operators may use the RTRlib to develop monitoring tools (e.g., to check the proper operation of caches or to evaluate their performance).
RFC 6494 updates the certificate validation method of the Secure Neighbor Discovery protocol (SEND) security mechanisms for Neighbor Discovery Protocol (ND) to use RPKI for use in IPv6. It defines a SEND certificate profile utilizing a modified RFC 6487 RPKI certificate profile which must include a single RFC 3779 IP address delegation extension.
References
- "Secure Inter-Domain Routing (sidr)". datatracker.ietf.org.
- Security Requirements for BGP Path Validation, S. Bellovin, R. Bush, D. Ward, October 19, 2011
- Resource Public Key Infrastructure (RPKI) Router Implementation Report (RFC 7128), R. Bush, R. Austein, K. Patel, H. Gredler, M. Waehlisch, February, 2014
- A Profile for Route Origin Authorizations (ROAs), M. Lepinski, S. Kent, D. Kong, May 9, 2011
- Validation of Route Origination using the Resource Certificate PKI and ROAs, G. Huston, G. Michaelson, November 11, 2010
- M. Wählisch, O. Maennel, T.C. Schmidt: "Towards Detecting BGP Route Hijacking using the RPKI", Proc. of ACM SIGCOMM, pp. 103–104, New York:ACM, August 2012.
- "GitHub - dragonresearch/rpki.net: Dragon Research Labs rpki.net RPKI toolkit". November 23, 2019 – via GitHub.
- "RFC 6810 - The Resource Public Key Infrastructure (RPKI) to Router Protocol". datatracker.ietf.org.
- "RPKI Configuration with Cisco IOS". RIPE.
- "Cisco IOS IP Routing: BGP Command Reference - BGP Commands: M through N [Support]". Cisco.
- "Example: Configuring Origin Validation for BGP - Technical Documentation - Support - Juniper Networks". www.juniper.net.
- "BGP Secure Routing Extension (BGP‑SRx) Prototype". NIST. August 15, 2016.
- "Quagga with RPKI-RTR prefix origin validation support: rtrlib/quagga-rtrlib". May 10, 2019 – via GitHub.
- "RTRlib - The RPKI RTR Client C Library". rpki.realmv6.org.
- M. Wählisch, F. Holler, T.C. Schmidt, J.H. Schiller: "RTRlib: An Open-Source Library in C for RPKI-based Prefix Origin Validation, Proc. of USENIX Security Workshop CSET'13, Berkeley, CA, USA:USENIX Assoc., 2013.
External links
- Tool provided by Cloudflare to test if ISP is doing RPKI validation
- Tool by Cloudflare to explore RPKI
- Open source RPKI Documentation
- IETF Journal - Securing BGP and SIDR
- An open source implementation of the complete set of RPKI protocols and tools
- RTRlib - Open source RPKI-Router Client C Library
- NLnet Labs open source RPKI tools developed in Rust
- Quagga RPKI implementation
- BGP-SrX - Quagga router implementation of RPKI-based Origin and Path validation.
- RPKI-Monitor - Global and regional monitoring and analysis of RPKI deployment and use.
- RPKI Deployment statistics for all RIRs
- Global ROA deployment heatmap
- EuroTransit GmbH RPKI Testbed
- BGPMON - Validating BGP announcement with RPKI
- An APNIC primer on RPKI
- RIPE NCC Resource Certification (RPKI) information
- LACNIC RPKI Information
- ARIN RPKI Information
- NRO statement on RPKI
- Internet Architecture Board statement on RPKI
- Building a new governance hierarchy: RPKI and the future of Internet routing and addressing
- Secure Border Gateway Protocol (Secure-BGP)
- RPKI Router Implementation Report