Introduction
RPKI (Resource Public Key Infrastructure) provides effective solutions for mitigating BGP (Border
Gateway Protocol) route hijacking.
RPKI solutions
Here are the key RPKI solutions for addressing this issue:
Route Origin Validation: RPKI enables the validation of the origin of BGP routes. Network operators can digitally sign their IP address prefixes and Autonomous System (AS) numbers using cryptographic certificates. BGP routers can then verify the authenticity of routing
updates by checking if the origin AS is authorized through the signed objects stored in the RPKI repository. This helps prevent the acceptance of unauthorized route announcements,
reducing the risk of route hijacking.
Route Filtering: RPKI allows for more precise and reliable route filtering. Network operators can create Route Origin Authorizations (ROAs) that specify the authorized origin AS for their IP address prefixes. BGP routers can use these ROAs to validate incoming route
advertisements and filter out routes that do not match the authorized origins. This helps prevent the propagation of unauthorized routes and strengthens the security of the routing
system.
Invalid Route Propagation Prevention: RPKI enables network operators to publish and distribute ROAs that explicitly state the authorized origins for their IP address prefixes. BGP routers can use these ROAs to identify and reject routes that do not have valid
authorizations. By preventing the propagation of invalid routes, RPKI significantly reduces the likelihood of hijacked routes being accepted and propagated throughout the network.
Route Withdrawal Validation: RPKI provides mechanisms for validating route withdrawals. BGP routers can verify the cryptographic signatures associated with route withdrawal
messages to ensure that route withdrawals are authorized. This helps prevent unauthorized route withdrawals, mitigating the impact of hijacked routes being withdrawn without proper authorization.
By implementing RPKI solutions, network operators can enhance the security and trustworthiness of
BGP routing. RPKI’s route origin validation, route filtering, prevention of invalid route propagation,
and validation of route withdrawals collectively contribute to a more secure and resilient BGP
routing system, reducing the risk of route hijacking incidents.
The Key Components of RPKI
The Key Components of RPKI: Certificate Authority (CA): The Certificate Authority is responsible for issuing and managing the cryptographic certificates used in RPKI. CAs digitally sign the objects that attest to the legitimacy of IP address prefixes and Autonomous System (AS) numbers. CAs play a crucial role in establishing trust and ensuring the integrity of the RPKI system.
Resource Certification (RPKI Objects): RPKI employs various objects to certify the ownership and authorization of Internet resources. These objects include Route Origin Authorizations (ROAs) and Route Objects. ROAs specify the authorized origin AS for IP address prefixes, while Route Objects contain information about routing policies and preferences. These objects are signed by the CAs and are stored in the RPKI repository. RPKI Repository: The RPKI repository is a distributed database that stores the signed RPKI objects. It provides a centralized location for network operators to access and retrieve the cryptographic certificates and signed objects required for route validation and verification. Routers and relying parties can query the repository to obtain the necessary information for secure BGP routing.
Relying Party (RP): Relying Parties are entities, such as network operators and Internet service providers (ISPs), that rely on RPKI to validate the legitimacy of routing information. RPs use the cryptographic certificates and signed objects from the RPKI repository to verify the origin of BGP route announcements and ensure the integrity of the routing system. RPs play a critical role in implementing RPKI-based security measures and making informed routing decisions.
Validation Process: The validation process involves BGP routers or Relying Parties verifying the authenticity and authorization of routing information using the cryptographic certificates and signed objects obtained from the RPKI repository. This process includes checking the validity of Route Origin Authorizations (ROAs) and ensuring that the received routes align with the authorized origins specified in the ROAs.
Certificate Revocation: RPKI includes mechanisms for certificate revocation in case of compromised or invalidated cryptographic certificates. When a certificate needs to be revoked, a Certificate Revocation List (CRL) is issued by the Certificate Authority, listing the revoked certificates. Relying Parties consult the CRL to ensure they do not trust compromised or invalid certificates. These key components collectively form the foundation of RPKI, providing a framework for validating and verifying the legitimacy of routing information. The CAs issue cryptographic certificates, the RPKI repository stores signed objects, Relying Parties use these objects for validation, and the validation process ensures the integrity of BGP routing. Certificate revocation mechanisms further enhance the security and trustworthiness of the RPKI system.
Conclusion
By implementing RPKI, network operators and Internet service providers can enhance the security and reliability of BGP routing. RPKI’s hierarchical model, certificate issuance, resource certification, validation process, and route filtering collectively contribute to validating the legitimacy of routing information and mitigating the risks associated with route hijacking and unauthorized routing.