Standfirst — Resource Public Key Infrastructure (RPKI) secures BGP routing by cryptographically validating route origins, blocking hijacks and leaks effectively.
RPKI enables creation of Route Origin Authorisations (ROAs) to authorise legitimate BGP announcements.
Deploying Route Origin Validation (ROV) allows networks to reject unauthorised or invalid routes.
Understanding BGP vulnerabilities
The foundation of internet routing is the Border Gateway Protocol (BGP), which allows autonomous systems (ASes) to communicate reachability data. However, BGP lacked built-in methods to confirm the legitimacy of route announcements because it was built with trust as its cornerstone. Any network can announce prefixes it does not own thanks to this vulnerability, which could result in route hijacks or leaks.
When an unauthorized AS advertises a prefix and reroutes traffic meant for the rightful owner, this is known as a hijack. Accidental leaks that spread beyond intended boundaries are frequently caused by misconfigurations. The risks are brought to light by high-profile incidents like widespread outages or cryptocurrency thefts. Malicious or inaccurate announcements can spread throughout the world without validation, resulting in denial-of-service attacks, interceptions, or blackholes.
RPKI addresses this by providing a cryptographic framework to bind IP prefixes and AS numbers to their legitimate holders, preventing unauthorised announcements from being accepted.
What is RPKI and how does it work?
Resource Public Key Infrastructure (RPKI) is a specialised public key infrastructure framework that secures BGP through Route Origin Validation (ROV). It mirrors the allocation hierarchy of internet number resources: from IANA to Regional Internet Registries (RIRs), then to Local Internet Registries and end users.
Resource holders create Route Origin Authorisations (ROAs), cryptographically signed objects specifying which AS is authorised to originate a prefix, optionally with a maximum length to prevent sub-prefix hijacks. These ROAs are published in RIR-managed repositories.
Relying parties – typically validators like Routinator or rpki-client – fetch and validate this data, producing Validated ROA Payloads (VRPs). Routers then compare incoming BGP announcements against VRPs, classifying them as Valid, Invalid, or NotFound. Networks deploying ROV can reject Invalid routes, stopping unauthorised announcements.
As Job Snijders, a prominent RPKI expert and OpenBSD developer, has emphasised in discussions on routing security: “The only path forward is to continue investments in a cryptographically supported infrastructure that is the RPKI.”
Why RPKI is essential for preventing unauthorised announcements
Unauthorised BGP announcements pose severe threats, from traffic interception to outages. RPKI mitigates these by ensuring only authorised origins propagate.
In prefix hijacking, an attacker announces a victim’s prefix, potentially blackholing or eavesdropping traffic. RPKI marks such announcements Invalid if no matching ROA exists or if the origin AS mismatches.
Route leaks, often accidental, amplify issues by propagating unintended paths. RPKI’s origin validation limits their impact. By 2025, over 54% of global IPv4 and IPv6 routes are covered by ROAs, with traffic to valid destinations reaching around 74% according to estimates. Major providers like Cloudflare and AWS have deployed ROV, significantly reducing invalid propagation.
Experts underscore its importance. As noted in MANRS resources: “RPKI is a critical tool towards securing global Internet routing.”
Creating ROAs: the first step for resource holders
Resource holders must create ROAs to protect their prefixes. Most RIRs offer hosted systems via member portals – RIPE NCC, APNIC, ARIN, LACNIC, and AFRINIC provide intuitive interfaces.
Log into your RIR portal, navigate to RPKI services, and generate ROAs specifying the prefix, origin AS, and optional maxLength. For example, in RIPE NCC’s dashboard, select resources and create ROAs directly.
Hosted systems simplify management, handling certification and publication. Delegated models allow self-hosted CAs for advanced users. Best practices include covering all announcements, including more specifics, and regularly updating ROAs. Avoid common pitfalls like incorrect maxLength, which can invalidate legitimate deaggregations.
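The Valid/Invalid/NotFound decision described above, and the maxLength pitfall from the ROA best practices, as an added example that is not part of the article: a small Route Origin Validation routine in the style of RFC 6811, run over a constructed VRP set (the prefixes, maxLengths and AS numbers are made up for illustration).

```python
# Added example (not from the article): Route Origin Validation as a router
# applies it, using a constructed VRP set. It shows that a legitimate holder
# who announces a more specific than the ROA's maxLength allows gets Invalid,
# exactly like a sub-prefix hijack would.
import ipaddress

# Constructed VRPs: (prefix, maxLength, origin AS), as a validator would emit them.
VRPS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64496),
]

def covering_vrps(prefix, vrps):
    """VRPs whose prefix covers the announced prefix (the RFC 6811 'covered' test)."""
    return [v for v in vrps
            if v[0].version == prefix.version and prefix.subnet_of(v[0])]

def rov_state(announcement, origin_as, vrps=VRPS):
    """Classify one BGP announcement as 'Valid', 'Invalid' or 'NotFound'."""
    prefix = ipaddress.ip_network(announcement, strict=False)
    covering = covering_vrps(prefix, vrps)
    if not covering:
        return "NotFound"          # no ROA covers this prefix at all
    for vrp_prefix, max_len, vrp_as in covering:
        # Valid needs a matching origin AND a length within maxLength.
        if vrp_as == origin_as and prefix.prefixlen <= max_len:
            return "Valid"
    return "Invalid"               # covered, but no VRP matches

def demo():
    """Constructed announcements: the holder, a hijacker, a deaggregation, an uncovered prefix."""
    cases = [("192.0.2.0/24", 64496),     # holder announces the covered prefix
             ("192.0.2.0/24", 64511),     # origin mismatch: hijack
             ("192.0.2.128/25", 64496),   # holder deaggregates past maxLength
             ("198.51.100.0/24", 64496)]  # no ROA at all
    return {f"{p} AS{a}": rov_state(p, a) for p, a in cases}
```

A NotFound result is why the article warns against dropping such routes: the prefix may simply have no ROA yet.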
As per NRO guidelines: “ROAs are created for all route origins from the prefixes you hold.”
Deploying Route Origin Validation (ROV)
To enforce protection, networks perform ROV by running a validator and connecting routers via the RPKI-to-Router (RTR) protocol. Popular open-source validators include Routinator (NLnet Labs), rpki-client (OpenBSD), and FORT. Install on a server, configure trust anchors from RIRs, and sync data.
Routers from vendors like Cisco, Juniper, and Nokia support ROV, tagging or dropping Invalids. Start with monitoring mode to observe without disruption, then move to strict filtering. Redundancy is key: run multiple validators for diversity and availability. Do not drop NotFound routes to avoid disconnecting unprotected prefixes.
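The RPKI-to-Router (RTR) session mentioned above is what carries VRPs from the validator to the router. As an added example that is not part of the article, the following encodes and decodes the IPv4 and IPv6 Prefix PDUs of RTR as laid out in RFC 8210 (protocol version 1); the prefixes and AS numbers are constructed, and the length check shows the kind of sanity check a receiver applies before trusting a PDU's self-declared length.

```python
# Added example (not from the article): RTR (RFC 8210) Prefix PDUs, the unit a
# validator sends to a router for each VRP. Header: version(1) type(1) zero(2)
# length(4); body: flags(1) prefixLen(1) maxLen(1) zero(1) prefix asn(4).
import ipaddress
import struct

IPV4_PREFIX, IPV6_PREFIX = 4, 6   # PDU types
FLAG_ANNOUNCE = 0x01              # bit 0 set = announce, clear = withdraw

def build_prefix_pdu(prefix, max_len, asn, announce=True, version=1):
    """Encode one Prefix PDU as a validator would put it on the wire."""
    net = ipaddress.ip_network(prefix)
    ptype = IPV4_PREFIX if net.version == 4 else IPV6_PREFIX
    length = 20 if net.version == 4 else 32
    flags = FLAG_ANNOUNCE if announce else 0
    return (struct.pack("!BBHI", version, ptype, 0, length)
            + struct.pack("!BBBB", flags, net.prefixlen, max_len, 0)
            + net.network_address.packed
            + struct.pack("!I", asn))

def decode_pdus(data):
    """Walk a byte stream of PDUs; return (action, prefix, maxLength, asn) tuples."""
    vrps = []
    offset = 0
    while offset < len(data):
        if offset + 8 > len(data):
            raise ValueError("truncated PDU header")
        version, ptype, _, length = struct.unpack_from("!BBHI", data, offset)
        # Never trust the declared length blindly: bound it by the buffer.
        if length < 8 or offset + length > len(data):
            raise ValueError("truncated or malformed PDU")
        body = data[offset + 8: offset + length]
        if ptype in (IPV4_PREFIX, IPV6_PREFIX):
            addr_len = 4 if ptype == IPV4_PREFIX else 16
            flags, plen, mlen, _ = struct.unpack_from("!BBBB", body, 0)
            addr = ipaddress.ip_address(body[4:4 + addr_len])
            (asn,) = struct.unpack_from("!I", body, 4 + addr_len)
            action = "announce" if flags & FLAG_ANNOUNCE else "withdraw"
            vrps.append((action, f"{addr}/{plen}", mlen, asn))
        # Other PDU types (Serial Notify, End of Data, ...) are skipped here.
        offset += length
    return vrps

# Constructed session fragment: one IPv4 announce, one IPv6 withdraw.
SAMPLE_STREAM = (build_prefix_pdu("192.0.2.0/24", 24, 64496)
                 + build_prefix_pdu("2001:db8::/32", 48, 64496, announce=False))
```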
Deployment statistics show progress: major transit providers reject Invalids, limiting hijack propagation to under 50% in many cases.
Best practices for RPKI implementation
Successful RPKI deployment requires careful planning.
For ROA creation:
– Inventory all prefixes and announcements.
– Use maxLength judiciously for flexibility.
– Monitor and update regularly.
For ROV:
– Begin in shadow mode.
– Ensure router software supports RTR.
– Implement redundancy with diverse validators.
Phased rollouts, as used by operators like Orange and NTT, minimise risks. Train teams and integrate into operations.
NRO best practices emphasise: “Do not drop NotFound announcements” to maintain connectivity during partial deployment.
Real-world impact: Incidents mitigated by RPKI
RPKI has proven effective in limiting hijacks. In cases where victims had ROAs and attackers lacked authorisation, deploying networks rejected invalid routes. For instance, sub-prefix attacks – common in cryptocurrency thefts – are thwarted when maxLength restricts announcements.
As deployment grows, invalids propagate less: tier-1 providers’ filtering casts a protective shadow. Cloudflare’s tools demonstrate: “Any hijacking attempt… will result in invalid validation results, and such invalid BGP messages will be discarded.”
Challenges in RPKI adoption
Despite benefits, challenges persist: partial ROA coverage leaves gaps, and incomplete ROV allows propagation. Repository reliability issues can delay validation. Software vulnerabilities, though addressed in updates, require maintenance. Fear of self-inflicted outages deters some, but monitoring modes ease transitions. Experts like Job Snijders advocate persistence: RPKI remains underutilised but essential.
The future of routing security with RPKI
RPKI adoption accelerates, with milestones like 50%+ route coverage in 2024. Extensions like ASPA promise path validation. Global initiatives, including MANRS and policy proposals, drive progress. Widespread deployment will make unauthorised announcements ineffective, securing the internet’s foundation.
FAQs
1. What is a ROA and why do I need one?
A Route Origin Authorisation (ROA) is a cryptographically signed object authorising a specific AS to originate a prefix. Creating ROAs protects your prefixes from hijacks by enabling validation.
2. How does RPKI differ from IRR?
Internet Routing Registries (IRR) rely on databases without cryptography, prone to errors. RPKI adds cryptographic validation, making it more reliable for preventing unauthorised announcements.
3. Is RPKI deployment risky?
Initial monitoring modes allow safe observation. Best practices, like redundancy and phased rollouts, minimise risks. Even partial deployment pays off: once your ROAs exist, every network that performs validation will reject unauthorised announcements of your prefixes.
4. Can RPKI prevent all BGP hijacks?
RPKI excels at origin validation, stopping most prefix and sub-prefix hijacks. Path manipulation requires extensions like BGPsec or ASPA.
5. How do I check my RPKI status?
Use tools like Cloudflare’s RPKI Portal, NIST monitor, or RIR dashboards to view ROA coverage and validity.