Increasing RPKI at a national level

By on 7 Dec 2017

Category: Tech matters

Tags: , , , , ,

3 Comments

Blog home

One of the most common routing errors we see on the Internet today is the mis-origination of a prefix, either accidentally (‘fat finger’ errors when setting up routers) or intentionally (route hijacking attack). This means that someone announces an IP prefix that they are not authorized to originate.

When a router is not configured to verify the origin of the routes it receives, it has to trust that the Autonomous System (AS) that originated that route is authorized to do so.

RPKI can help resolve the associated security issues — it allows entities to issue Route Origin Authorizations (ROAs), which state that an AS has been given permission by an IP address block holder to advertise routes to one or more prefixes within that block, and these ROAs can be cryptographically verified.

The IP space covered by ROAs varies among regions and economies. In Latin and Central America, three economies — Ecuador, Uruguay and Venezuela — have over 90% RPKI deployment, thanks to national scale projects conducted by LACNIC.

In Colombia, the National Research and Education Network of Colombia (RENATA) is currently involved in a similar national RPKI awareness and deployment project (funded by Cisco and LACNIC via the Frida program), which has so far increased the economy’s RPKI deployment to over 46%.

Speaking on behalf of the project team at IETF 100 last month, Erika Vega said the project had provided virtual and face-to-face training for close to 400 professionals working at institutions connected to RENATA and ISPs that are members of NAP Colombia. Participants learned the benefits of RPKI and how to implement it, as well as how to check for support of and configure origin validation on network equipment.

In addition to building awareness and capacity, the project also sought to validate the origin of BGP routes that transit through the RENATA network, to achieve assurance of critical Internet infrastructure and academic networks.

Working with its partners at NAP Colombia, the RENATA team installed an RPKI validator and cache to a NAP Colombia’s network – NAP facilitates the connection to RedCLARA (Latin American Cooperation of Advanced Networks).

Of the 14,922 prefixes coming from NAP Colombia and the Internet about 46% were valid, more than 51% were not found, and less than 3% were invalid. From 17,912 prefixes coming from RedCLARA, less than 6% were valid, about 93% not found, and about 1% invalid.

One audience member asked about the invalids recorded from RedCLARA, questioning whether they’re “invalid because the origin AS does not match or because the prefix length does not match?” Although Erika did not have an answer, as they have not looked into this yet, I think this would be an interesting result to analyze further to try to draw some conclusion about the cause behind invalid prefixes — are potential hijacks being detected or are the invalid prefixes due to mistakes when creating the ROAs?

Erika said the next steps of the project were to recruit more organizations (mainly academic networks) to sign their resources (working in collaboration with RedCLARA) and run some experiments with some extensions for the validator.

Although this project is only being conducted in Colombia, it provides further evidence of the effectiveness of nationally-led RPKI deployment projects. That said, individuals and organizations can easily issue RPKI certificates and create ROAs to start getting familiar with the RPKI system and set up some routers to start validating BGP route origins, at least in a lab environment, checking the validity status of the routes they receive without making any routing decisions based on that information.

APNIC has a lot of content describing RPKI as well as a step-by-step guide on how to create your ROA.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

3 Comments

  1. Aftab Siddiqui

    Good to see some RPKI deployment from LAC region. Unfortunately, RENATA is announcing an ASN which doesn’t belong to them.

    http://www.cidr-report.org/cgi-bin/as-report?as=64322&view=2.0

    Reply
  2. Sofía

    Aftab, following up on the issue you reported about RENATA providing transit to an ASN not assigned to the organization using it, I wanted to let you know that I informed RENATA about this issue and their NOC performed the corresponding verifications and notified their downstream, who was using that ASN by accident. This issue has been corrected now.
    Once again, thank you for raising this!
    Have a nice day!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Top