CNNIC’s RPKI deployment experience

By on 26 Sep 2017

Category: Tech matters

Tags: , , , , ,

1 Comment

Blog home

CNNIC publicly launched its RPKI service in 2017.

Prefix hijacking is one of the large-scale BGP specific routing anomalies that are able to paralyze the Internet. RPKI (Resource Public Key Infrastructure) is a verification mechanism to couple an IP address range to an autonomous system number through cryptographic signatures (described in RFC6480), to prevent such route hijacking and other attacks on the Internet.

All the five Regional Internet Registries have completed the deployment of RPKI and provided RPKI services to their members.

CNNIC, as an NIR, has a strong focus on resource management and member service. In the past few years, we have received several requests from our members asking for help to remove the wrong route announcements that have affected their normal services.

Although CNNIC, as an Internet resource registry, does not have a role in dealing with routing problems — which are beyond our abilities — we always try to help them contact the AS holders making the wrong route announcements. Through this process, we have found that Internet registries can play a bigger role in helping prevent such problems.

We began to research RPKI in 2014, starting with the standardization in the IETF SIDR working group, as well as the China Communication Standards Association (CCSA) in China, followed by RPKI deployment. We began working closely with APNIC and experts in the APNIC community regarding RPKI deployment in 2015.

CNNIC RPKI launch

The RPKI pilot service was successfully launched in late 2015. Based on the pilot platform, our members could create their own Certificate Authorities (CAs), which interface with CNNIC’s RPKI parent system, and then manage Route Origin Attestations (ROAs) with their own CA.

Then we began to establish a formal RPKI service system at the end of 2016. Compared with the pilot, the new production system is more complex, bringing with it some technical challenges. But thanks to the help of APNIC’s technical and research teams, we finally overcame the difficulties and now provide a simple hosted system and web-based user interface in which our members can manage their ROAs simply.

We believe CNNIC members can benefit from RPKI. Using RPKI, our members (resource holders) can obtain a resource certificate listing the Internet number resources they hold. With the resource certificate, the members can create cryptographic attestations about the route announcements they authorize to be made with the prefixes they hold. In this way, the members are able to add more security to their routing announcements to guard against possible hijacking, unnecessary de-aggregation, and human errors.

The production service was introduced to our members one month ago, so the rate of adoption is still very low. CNNIC plans to further explore the system functions and improve our RPKI service to members. We will also be focusing on more promotion to increase the rate of adoption in the coming year.

Jessica Shen is Director of IP Operations at CNNIC. She is also a member of the APNIC Executive Council.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

One Comment

  1. fuzzypop

    THIS IS IRONIC
    CNNIC had signed fake certificates in 2015.
    https://security.googleblog.com/2015/03/maintaining-digital-certificate-security.html
    https://news.vice.com/article/china-accused-of-doling-out-counterfeit-digital-certificates-in-serious-web-security-breach

    China state-backed orgnization hijacked DNS root mirrors many times
    https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html
    https://www.cdnetworks.com/en/news/impact-from-china-root-dns-outage/4280
    https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html

    China ISP had hijacked open resolvers 8.8.8.8 8.8.4.4 and 1.1.1.1 in some place base on BGP hijack

    Route onedrive.live.com to blackhole
    https://social.technet.microsoft.com/Forums/office/en-US/7ec2e960-c218-473f-85dc-689594ea524a/onedrive-is-unaccessible-in-china?forum=officeitpro

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Please answer the math question * Time limit is exhausted. Please reload CAPTCHA.

Top