Understanding RPKI (Resource Public Key Infrastructure)

What is RPKI, how does it work, and why do networks use it?

What is RPKI?

RPKI, short for Resource Public Key Infrastructure, is a cryptographic technology used in networking to prevent BGP hijacking: a disruptive attack in which a malicious or misconfigured network advertises prefixes (routes) that belong to other networks and which it has no right to use.

RPKI allows regional internet registries (RIRs) to sign Route Origin Authorisations (ROAs) for their members (networks around the world such as ourselves) using asymmetric key cryptography (a public key plus a private key). The RIRs then publish these ROAs so that networks around the world can fetch them, and anyone fetching them can verify that the published ROAs haven't been tampered with by checking the signatures against the RIR's known signing certificate (public key).

How hard is RPKI to set up?

RPKI signing (protecting the prefixes you advertise) can be set up within minutes, just by filling out 3 form fields on your RIR's RPKI portal for each prefix you want to enable RPKI for.

RPKI validation (filtering incoming prefixes which don't match RPKI) is a little more tricky, as it generally requires you to set up an RPKI validator such as Routinator 3000, configure your peer-facing BGP routers to use your local RPKI server as their validator source, and set up some route maps to tell your routers how strictly you'd like to enforce RPKI.

To show you how easy it is to set up RPKI signing, here are some basic instructions for setting it up, illustrated with screenshots of RIPE's RPKI Dashboard.

First, log into your RIR's LIR portal (e.g. RIPE/ARIN/AFRINIC). Locate the RPKI management page; for RIPE it's under Resources > RPKI Dashboard.

Look for a button or link which says something like "New ROA", "Add Route Origin Authorisation", etc.

Click on that button. Enter into the form:

  • your AS number (depending on the RIR it may be just the number, or it may need to be prefixed with "AS")
  • a CIDR-formatted prefix (e.g. 1.2.3.0/24) which you're advertising (or soon will be) via BGP
  • the most specific length (max length). If you're not sure, just enter the same number used to denote your CIDR prefix size, e.g. for the prefix 1.2.3.0/24 you'd enter 24.

Go ahead and hit SAVE / SUBMIT. For RIPE, click the floppy disk in the same row as the form.

NOTE: For RIPE, once you've finished adding ROAs, you'll need to click "Review and publish changes" in the bottom right, as shown above, and then click "Publish".

BGP is insecure (why RPKI helps to fix that)

The first thing to understand before you can see why RPKI is important is that BGP (Border Gateway Protocol) is a very old protocol. It was designed in the early days of the internet, when the only networks you'd peer with would be large universities and government organisations which you could trust to be telling your router(s) the truth.

Here in 2020, the internet has grown massively, and large networks such as Google and Cloudflare peer with hundreds or even thousands of individual networks. With plain BGP, it's very easy for a network to lie to another network, or, most commonly, to simply trick it by claiming to have a more specific (and therefore preferred) prefix than the real ISP.

As an example, let's say there's a network, AS65000 (ExampleNet), which tells other networks via BGP "we are AS65000 and you should route 8.8.8.0/25 via our network!". 8.8.8.0/25 is a more specific prefix than the real Google (AS15169) prefix 8.8.8.0/24, and because BGP prefers the most specific route, many networks' routers will simply trust that the 8.8.8.0/25 from some small, barely known network (ExampleNet, AS65000) is a better route than the real 8.8.8.0/24 from Google (AS15169).

If the other networks had RPKI validation set up, and Google had set up ROAs restricting the prefix 8.8.8.0/24 to AS15169 with a "most specific" prefix size of 24, then AS65000's hijacked prefix would be rejected on two counts: the origin ASN doesn't match, and a /25 is more specific than the /24 maximum which Google had set.

Understanding an ROA (Route Origin Authorisation)

An ROA generally contains 3 pieces of information:

  • An ASN (Autonomous System Number) which is permitted to advertise this prefix
  • The IPv4 / IPv6 prefix (in CIDR format) expected to be advertised by this ASN
  • The "most specific prefix CIDR size" (max length) allowed. For example, the prefix may be 10.1.0.0/16, but if the most specific prefix size is 24, then the ASN named in that ROA may advertise the /16 itself or any sub-prefix of it with a length up to /24 (e.g. anything from 10.1.0.0/16 down to 10.1.255.0/24).

For example, here is a small subset of Privex's (AS210083) RPKI ROAs, extracted using the Routinator command routinator vrps:

AS210083,185.130.44.0/24,24,ripe
AS210083,185.130.45.0/24,24,ripe
AS210083,2a07:e00::/48,48,ripe
AS210083,2a07:e00:a::/48,48,ripe
AS210083,2a07:e01::/32,32,ripe

Let's break down the first line to help you understand it.

AS210083,185.130.44.0/24,24,ripe
  1. The first part, AS210083, declares that this ROA line authorises AS number 210083 to advertise the prefix defined in the following fields.
  2. The second part, 185.130.44.0/24, declares the prefix in CIDR format (a /24 is 256 IPv4 addresses).
  3. The third part, 24, declares that AS210083 may only advertise this prefix block as a /24, nothing bigger or smaller.
  4. The final part, ripe, simply tells us that the ROA was declared at RIPE, the RIR for Europe, Russia, and certain other nearby regions.
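To tie the hijack scenario above together with the VRP lines, here is an added example (not code from the original post or from Routinator) that parses VRP lines in the CSV layout shown above and applies the origin validation rules described in the text (RFC 6811: covering ROA, matching ASN, prefix length within max length). The AS210083 lines are the ones from the page; the AS15169 line and the header row are constructed for the example.

```python
import ipaddress

# Constructed VRP input in the layout printed by `routinator vrps`:
# ASN,prefix,maxLength,trustAnchor. The AS210083 lines are taken from the
# page above; the AS15169 line is a constructed stand-in for a Google ROA.
VRPS_CSV = """\
ASN,IP Prefix,Max Length,Trust Anchor
AS210083,185.130.44.0/24,24,ripe
AS210083,185.130.45.0/24,24,ripe
AS210083,2a07:e00::/48,48,ripe
AS210083,2a07:e00:a::/48,48,ripe
AS210083,2a07:e01::/32,32,ripe
AS15169,8.8.8.0/24,24,arin
"""


def parse_vrps(csv_text):
    """Turn VRP CSV lines into (asn, network, max_length) tuples."""
    vrps = []
    for line in csv_text.splitlines():
        line = line.strip()
        # Skip blank lines and an optional header row (assumed to start with "ASN").
        if not line or line.startswith("ASN,"):
            continue
        asn, prefix, max_len, _trust_anchor = line.split(",")
        vrps.append((int(asn.lstrip("AS")), ipaddress.ip_network(prefix), int(max_len)))
    return vrps


def validate_origin(vrps, prefix, origin_asn):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'.

    A VRP "covers" the announcement when its prefix contains it, regardless of
    max length. The announcement is valid if any covering VRP has the same ASN
    and a max length >= the announced prefix length; if covering VRPs exist but
    none match, it is invalid; if nothing covers it, RPKI has no opinion.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for asn, roa_net, max_len in vrps:
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    vrps = parse_vrps(VRPS_CSV)
    # The page's scenario: ExampleNet (AS65000) announcing 8.8.8.0/25.
    print("AS65000 8.8.8.0/25 ->", validate_origin(vrps, "8.8.8.0/25", 65000))
    print("AS15169 8.8.8.0/24 ->", validate_origin(vrps, "8.8.8.0/24", 15169))
```

Note that 8.8.8.0/25 is rejected even if AS15169 itself announced it, because the /25 exceeds the ROA's max length of 24; that is the second reason given in the hijack example.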