Why ISPs must enable RPKI in 2021 for a safer internet

31 March 2021 | Nathalie Trenaman

Nathalie Trenaman

Blog Author | Guest contributor

Cover

Nathalie Trenaman, routing security programme manager for the regional Internet registry RIPE NCC, explains why stronger routing security by ISPs will create a safer internet for all.

As we find ourselves turning to the Internet more and more to manage our lives, internet routing and security becomes an increasingly important topic. It has for some time relied on the trust-based model of Border Gateway Protocol (BGP), designed several decades ago. BGP lacks the built-in security needed today to prevent the security risks posed by ‘fat-finger’ and even malicious hijacks, which have proven to be hugely significant.

In the week between Christmas and new year of 2020, usually a relatively quiet week for BGP updates and changes, the RIPE NCC saw a significant number of suspicious activities - and these were strongly connected to typos. These errors are the reality of many network outages, where a simple mistake from a network engineer can affect the internet connection in a completely different location. These outages can be detrimental for businesses, and the downtime can even make networks vulnerable to hackers intercepting internet traffic. So, it’s clear that something needs to be done to address the security concerns of the current system in place.

Introducing RPKI

This is where Resource Public Key Infrastructure, otherwise known as RPKI, is crucial. RPKI was developed to secure internet routing by cryptographically verifying routes - functioning much like a police car pulling you over to the side of the road to check your license and registration plate to verify you’re not driving a stolen car. A community-driven routing security innovation, RPKI connects IP addresses and AS Numbers to a trust anchor and requires two steps - Route Origin Authorisation (ROA) and Route Origin Validation - to achieve its vital goal of digital verification.

Firstly, the holder of the IP address or ASN must create a ROA that digitally verifies where an AS number should have originated from. This first stage is important, as all these routing statements are collected in a repository which operators use to perform Route Origin Validation. BGP announcements are then compared with the repository and the invalid announcements are caught and let go. This is the real key to stopping the transmission of accidental errors, as well as preventing bad actors from falsely originating routes that they do not have ownership of.

A year of progress 

2020 was a big year for RPKI. We witnessed a real gathering of momentum, with uptake from nearly all major tier 1 transit and cloud ISPs, including RETN, Telia, Amazon, Cloudflare and Netflix. In addition to these big names, other significant players such as Google, AT&T and Telstra have begun the process and are close to enabling RPKI in their networks. And it’s not only ISPs - we’ve also seen progress from a number of European IXPs including those in England, Ireland, Germany and France.

The industry has overcome the first hurdle - and it’s a significant development in the context of the Covid-19 pandemic, which presented a challenge to the RPKI mission.

The dependence on the internet during the recent global lockdowns led to an understandable reluctance from ISPs to implement any significant network changes which could potentially result in outages. For these businesses, it made a lot more sense to stick to necessary upgrades and avoid as much chance of interruption for end-users as possible.

For many that did implement RPKI in 2020, the process had already begun in the previous year - and after testing and tracking the journey, these ISPs felt confident to flip the switch in 2020.

The growing pressure to enable RPKI

While the success of 2020 is something to be celebrated, there’s still more work to do. The internet is a complex web of networks and RPKI only safeguards routing close to the network using it. This means it can prevent hijacks in the first hop of routing from the network, but it cannot secure the entire routing path. That’s why it’s essential that more players implement RPKI and that the community defines standards that protect the entire routing path.

Now that the tier 1 ISPs have done the heavy lifting, we need all the layers secured. The next layer to step it up are the tier 2 ISPs like Virgin, BT, Comcast and Verizon who will now face increasing pressure to enable RPKI in the year ahead. However, they should certainly take confidence from the recent success stories of the big players.

While these ISPs might be erring on the side of caution following the pandemic, it’s important that they get started now - as even once the pandemic is over, the internet will continue to be critical to our lives. By taking the necessary steps to unlock stronger routing security, the industry can create a safer internet for all.