Registration of RPKI information for safer routing

Registration of RPKI information for safer routing

01-11-2018 14:46:30
internetstandaarden-forumstandaardisatie-veilig-internet.jpg
‘Under the hood’ of the internet, the BGP protocol has been in place for a long time for exchanging routing information between networks. The first versions of this protocol date back to 1989, when the internet was still in its early stages. Over the years the protocol has been improved a lot, but one of the basic principles has been the same form the start; it is assumed that there is trust between networks. To a large extent, networks trust the routing information they exchange with each other, without any proper checks of the correctness and validity of this information.

It has been a long time since the internet was an academic testing ground. We have become completely dependent on it in our daily lives. Unfortunately, this also means that there are things happening on the internet that we would rather not see. In addition, the number of businesses (and therefore people) that is responsible for the operational management of these networks is so large that there is no ‘inner circle’ that knows each other and can solve problems quickly amongst them.

In practice, we find two problems that occur regularly and that are related to this trust:

1. Unintentional errors in the configuration of BGP on routers leads network administrators to unintentionally advertise routes that they are not responsible for.  The consequence of this, is that the network in question will not be available for networks that accept this wrong route. It often concerns typographical errors for IP addresses or subnet masks, which can obviously have far-reaching consequences.

2. People with malicious intent purposefully try to redirect traffic to certain IP addresses by advertising certain routes. Uses of the networks that accept these routes will end up in the wrong place. A number of incidents have already been reported where specific websites were redirected in order to intercept account data from visitors, after which (digital) money was stolen. Such techniques are often used to ‘borrow’ temporary IP addresses for sending spam emails.

In recent years we have seen that the frequency and impact of such incidents has increased significantly. As a network with BGP you can be hindered in two ways by these so-called ‘BGP Hijacks’:

1. You learn routes incorrectly, so users of your network get redirected to a network that pretends to be another network.

2. Another network incorrectly advertises IP addresses of your network, so users do not end up with your network but with a (possibly malicious) other network.

The solution: RPKI

It is high time to increase the security of routing on the internet. Good thing that there is a solution that prevents a large part of these problems: RPKI (Resource Public Key Infrastructure).

RPKI enables its user to register which network (identified by a n autonomous system (AS) number) belongs to the owners of IP blocks and what the size of the IP blocks should be in the routing tables. These registrations can be checked on correctness by means of digital signatures. The regional internet registries (RIPE in Europe, ARIN in North-America, APNIC in Asia, etcetera), that are responsible for the allocation of IP addresses to ISPs, play a crucial role in this. They enable the registration of this RPKI information and make sure that it can be validated by third parties.

Employing the RPKI for a network consists of two steps:

1. Registering of RPKI information for all IP blocks assigned to the network

2. Checking of RPKI information for all routes that are received from other networks and how to react to such routes. If an IP block does not comply with the registration (for example because it is assigned to another network), this route should not be accepted.

RPKI at BIT

All IP addresses assigned to BIT are now equipped with an RPKI registration. This reduces the impact of a hijack of one of these IP addresses, but only if other networks also implement the second step as mentioned above. Therefore, BIT’s routers check for RPKI information and refuse incorrect routes.

Unfortunately, the vast majority of the IP addresses used on the internet is not equipped with RPKI registration yet and an even smaller part of the routers checks for these registrations, but the numbers are slowly starting to rise. The Netherlands seem to be a frontrunner in this, partly due to the attention RPKI got on the NLNOG Day 2018.

Problems related to RPKI

It happens that the published RPKI information does not correspond with the advertisements of the routers, which makes these IP addresses unavailable from BIT’s network, and every other network that uses RPKI validation and refuses invalid routes.

This might happen as a result of a network migration where two networks have been merged, or when IP addresses switch owners. If the RPKI registrations are not updated in such instances, the validation will fail and routes will be refused.

From the introduction of RPKI validation on September 18 until now, we have received five reports from clients about unavailability of IP addresses that could be related to incorrect RPKI registrations. Three of these have been corrected by the owner of the IP addresses.

There are, of course, several ways to check how ‘the world’ sees the RPKI status of an IP series, for example at RIPE and Hurricane Electric.

Want to know more?

Would you like to know more about RPKI? Take a look at the presentations given on the NLNOG Day 2018, where RPKI was one of the main subjects. More information can also be found on the website of RIPE.

Do you manage your own network that exchanges through BGP routes? You might want to consider implementing RPKI validation to avoid the chance of trouble caused by BGP hijacks. Are you the owner of your own IP addresses (so-called PA space at RIPE)? Then make sure that you create ROAs (Route Origin Authorisation). This can be done on the RIPE portal with little effort.


By: Teun Vink