8 Min Read |4 Oct 2023 | Key Words: IP Address, RPKI, Hijacking Prevention
In February 2008, Pakistan Telecom started announcing an unauthorized prefix, which was forwarded to the rest of the internet by one of its upstream providers, PCCW Global. This resulted in a global hijacking of YouTube traffic. Pakistan Telecom had been ordered to block YouTube, so it originated its own route for YouTube’s IP address block, temporarily diverting YouTube’s traffic to Pakistan. This incident could have been avoided if RPKI had been more widely adopted.
Current RPKI Development Status
- Large ISPs have already started adopting RPKI more actively to prevent hijacking accidents.
- Google has achieved a significant milestone by registering 99% of routes in the Resource Public Key Infrastructure (RPKI).
- As of January 2022, RIPE NCC (Réseaux IP Européens Network Coordination Centre) reported a 26% rise in RPKI certificate numbers compared to the previous year.
RPKI has become increasingly important in recent years due to the growing number of cyberattacks targeted at both businesses and individuals. Internet Service Providers (ISPs) and other IP resource holders are crucial players in making the routing more secure and preventing malicious acts.
What Is RPKI?
RPKI stands for Resource Public Key Infrastructure. In simple terms, it is a security framework that enables network operators to secure the routing infrastructure.
Basic principles of RPKI
RPKI is a framework that helps secure BGP routing infrastructure. It works by cryptographically verifying that an AS is legitimately originating its IP prefix advertisements. RPKI certifies the association between specific IP address blocks or ASNs and the holders of these Internet number resources. The verification process consists of two important parts: Route Origin Authorization (ROA) and Route Origin Validation (ROV).
Tools to prevent hijacking
RIPE NCC: RISwhois and BGPlay
RISwhois and BGPlay can prevent unauthorised announcements throughout the Internet through appropriate routing configuration by operators of Autonomous Systems. RIPE NCC will introduce digital certificates for Internet number resources, further enhancing routing configuration throughout the Internet.
APNIC: RTBADT–Real Time BGP Anomaly Detection Tool
RTBADT is designed to run on a border router, where it can detect BGP anomalies by monitoring a peering session with one of its BGP neighbours.
Securing Internet Routing: The Critical Role of RPKI
Lack of protection can lead to BGP hijacking.
Internet routing today is vulnerable to attack and hijacking, and the provisioning and use of certificates is one of the steps required to make routing more secure. Widespread RPKI adoption will help simplify IP address holder verification and routing decision-making globally. BGP was originally developed as a trust-based protocol with no built-in security measures. This means network operators are forced to trust each other to protect their systems.
Internet traffic is redirected through illegal routes. From time to time, a network operator may accidentally make a configuration error and cause a network outage. RPKI can be an effective anti-abuse tool by helping to not only clean up Internet routing, but to make it more secure by working to prevent leaks and route hijacks.
The emergence of RPKI can improve the security of BGP routing and prevent malicious behavior. RPKI uses Route Origin Authorization (ROA) certificates to verify the origin of routing advertisements issued by resource holders.
Avoiding RPKI Deployment Pitfalls: A Guide for Network Security
Human error
Inexperienced engineers using RPKI portals managed by an RIR may face a special risk when configuring ROAs for their networks.
For example, the network engineer could create a single ROA authorizing AS0 to announce its network prefix. As this ROA will propagate to the various networks deploying RPKI origin validation “reject invalid”, the network prefix will stop being propagated on the Internet. At that point, it might become difficult for the engineer to fix this problem, as they might not be able to connect anymore to the RIR servers to correct the configuration.
Over 5% of the records in RPKI repositories conflict with legitimate long-lived BGP announcements and around 30% of the records are misconfigured. While the conflict would cause ROV-enforcing ASes to discard legitimate BGP route advertisements, hence disconnecting from thousands of legitimate destinations, the misconfiguration leaves the issuer unprotected from prefix hijacks.
Recommendations:
- The UI designers and/or providers of such user interfaces should provide warnings to draw the user’s attention to the risks of using special types of ASes.
- The designers and/or providers should give warnings by providing the name of the organization of the AS to which the owner is willing to assign its prefix.
- Using DISCO, a system for certifying ownership of IP address blocks that yields substantial security benefits while circumventing the obstacles to adoption facing RPKI and ROV.
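The AS0 mistake described above can be caught before a ROA is published by running origin validation locally against the routes currently seen in BGP. The following is an added example, not code from the original article or from any RIR portal; it follows the RFC 6811 matching rules, and the prefixes, AS numbers and function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, maxLength, origin AS) entry from a ROA."""
    prefix: str
    max_length: int
    asn: int

def rov_state(vrps, route_prefix, origin_asn):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this VRP does not cover the route
        covered = True
        # An AS0 VRP covers the route but can never match any origin.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def preflight(existing_vrps, new_vrps, announcements):
    """Return announcements that are accepted today but become invalid
    once new_vrps are published alongside existing_vrps."""
    after = list(existing_vrps) + list(new_vrps)
    return [
        (pfx, asn) for pfx, asn in announcements
        if rov_state(existing_vrps, pfx, asn) != "invalid"
        and rov_state(after, pfx, asn) == "invalid"
    ]

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
ANNOUNCEMENTS = [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64501)]
EXISTING = [VRP("198.51.100.0/24", 24, 64501)]
AS0_MISTAKE = [VRP("192.0.2.0/24", 24, 0)]     # the error described in the text
CORRECT = [VRP("192.0.2.0/24", 24, 64500)]

if __name__ == "__main__":
    print("AS0 ROA would break:", preflight(EXISTING, AS0_MISTAKE, ANNOUNCEMENTS))
    print("Correct ROA would break:", preflight(EXISTING, CORRECT, ANNOUNCEMENTS))
```

A non-empty result from `preflight` means networks that reject invalid routes would drop those announcements as soon as the new ROA propagates.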
Deleting ROAs from repositories
It has become a fairly common practice to leave in place the ROA associated with the exact RIR-allocated prefix length after more specific ROAs have been introduced. Although deleting ROAs from the repositories is possible, it is not an easy task. Examples of this kind of awareness were recorded on 19 December 2013 and on 26 February 2020. Both examples show operational difficulties in deleting ROAs in one of the RIRs using the RIR-hosted RPKI toolset.
Recommendation:
- Operators should use “minimal ROAs” that include only those IP prefixes that are originated in BGP, and no other prefixes.
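One way to audit an existing ROA against the "minimal ROA" recommendation is to count how many prefixes it authorizes and compare that with what the AS actually originates. This is an added example, not part of the original article; the function name, the sample ROA and the sample announcements are constructed for illustration.

```python
import ipaddress

def audit_roa(prefix, max_length, asn, announcements):
    """Compare what a ROA authorizes with what the AS originates in BGP.

    A ROA for `prefix` with `max_length` authorizes every subnet of `prefix`
    whose length is between the prefix length and max_length inclusive.
    """
    net = ipaddress.ip_network(prefix)
    # Number of distinct prefixes the ROA authorizes: 1 + 2 + 4 + ... per length.
    authorized = 2 ** (max_length - net.prefixlen + 1) - 1
    used = set()
    for pfx, origin in announcements:
        route = ipaddress.ip_network(pfx)
        if (origin == asn and route.version == net.version
                and route.subnet_of(net) and route.prefixlen <= max_length):
            used.add(str(route))
    return {
        "authorized": authorized,
        "announced": len(used),
        "unannounced": authorized - len(used),  # authorized but absent from BGP
        # Suggested replacement: one entry per announced prefix, maxLength = its own length.
        "minimal_roas": [(p, ipaddress.ip_network(p).prefixlen, asn) for p in sorted(used)],
    }

# Constructed sample: a ROA with a loose maxLength, while only the /24 is announced.
SAMPLE_ANNOUNCEMENTS = [("203.0.113.0/24", 64502), ("198.51.100.0/24", 64501)]

if __name__ == "__main__":
    report = audit_roa("203.0.113.0/24", 26, 64502, SAMPLE_ANNOUNCEMENTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A ROA is minimal when `unannounced` is zero; otherwise the entries in `minimal_roas` cover exactly the prefixes seen in BGP and nothing else.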
How IPv4 Superhub Adopted RPKI
Malicious actors are becoming increasingly sophisticated in how they scam internet users and companies to extract sensitive data. IPv4 Superhub has taken the initiative to approach this issue by implementing the Resource Public Key Infrastructure (RPKI) – a system of cryptographic certificates that contributes to safer internet routing.
Keeping up with security trends
Today’s internet is a global system of tightly interconnected networks that communicate together with the help of the Border Gateway Protocol. However, BGP has security flaws that may hinder the stability and security of the internet ecosystem. Thus, we need to take advantage of RPKI to support network security and avoid large-scale network attacks.
If you purchase or rent on the IPv4 Superhub platform, we will provide you with RPKI service to reduce the probability of network attacks, creating a secure and harmonious network environment.
- Set double verification requirements in RPKI: ROA+RPKI
- Large ISPs should actively adopt RPKI to make routing safer for businesses and individual internet users.
Our ultimate goal is to automate the RPKI delegation process and simplify the resource management for both clients. Soon, subnet holders will be able to delegate RPKI management to save time on manual arrangements. Simultaneously, IP lessees will be able to issue ROAs on the IPmeetIP platform themselves and start using the leased IP addresses immediately.