RPKI in China

By on 14 Feb 2019

Category: Tech matters

Tags: , , , ,

Blog home

The Resource Public Key Infrastructure (RPKI) has received extensive attention since its inception (RFC 6480). It is used as a security resolution for the Border Gateway Protocol (BGP) by providing Route Origin Authorizations (ROAs), which can provide reliability to BGP routing.

RPKI has been widely deployed among the five Regional Internet Registries (RIRs) and all the RIRs are currently providing RPKI services to their members.

In this post I will discuss the past, present and future efforts surrounding the deployment of RPKI in China.

Past accomplishments

Among the few organizations that are currently involved in RPKI work in China, the China Internet Network Information Centre (CNNIC) and Internet Domain Name System Beijing Engineering Research Center (ZDNS) have done the most  extensive research and promotion.

As China’s National Internet Registry (NIR), CNNIC started RPKI-related research in 2014. Since then it has:

  • Published several papers on RPKI, including an ‘RPKI White Paper’, which details how to establish an RPKI experimental environment and assists with common troubleshooting, as well as many technical papers on data management architecture, deployment risks and solutions, and an RPKI deployment statement.
  • Continually participated in the standardization of RPKI both domestically and internationally, including at the IETF, where CNNIC has proposed several Internet drafts in the Secure Inter-Domain Routing (SIDR) group, and at the China Communications Standards Association (CCSA).
  • Led a number of industry standards on different aspects of RPKI.

In terms of deployment, CNNIC cooperated with APNIC to launch an RPKI-Pilot platform in late-2015, which was the first experimental RPKI platform for the public in China. Based on the operational experiences on the RPKI-Pilot platform, as well as the great support from the APNIC technical team, CNNIC launched its RPKI service to its members in mid-2017. ISPs, ICPs, DCs, CDNs and enterprises in China can currently use RPKI to manage and secure their IP addresses via a web-based, user-friendly interface.

Read: CNNIC’s RPKI deployment experience

ZDNS has been equally busy, contributing to RPKI open-source software and RPKI standardization at the IETF and CCSA. Since 2016, ZDNS has sponsored RPSTIR (bgpsecurity.net), the RPKI relying party software open-source project managed by Dr Di Ma, the Principal Research Fellow at ZDNS and co-author of RFC 8211 and RFC 8416.

Recent progress

CNNIC continued to develop and promote RPKI in 2018, including troubleshooting several technical issues that occurred during the operation of the RPKI service in China, including:

  1. Access Control. The data generated by an RPKI CA, such as Resource Certificates, ROAs, manifests and CRLs, should be accessed globally.

[Our solution] The repository shouldn’t add additional secure policies to limit any RP to fetch the data.

  1. Time synchronization issues. Unsynchronized time on a CA server, especially when it’s ahead of the standard time, may lead to unexpected problems, for example, certificates with the wrong validity inception time can cause ‘data not yet valid’, ‘object rejected’ and ‘certificate failed validation’ errors.

[Our solution] Use Network Time Protocol to synchronize the time and add this to the cron jobs.

  1. Certificate expiration time. Each Resource Certificate issued to the member of the CNNIC IP Address Allocation Alliance is generated with the validity for a period of one year.

[Our solution] Pay attention to this expiration time and reissue a new certificate in time to avoid validation problems.

With APNIC’s help, CNNIC finished the connection between the CNNIC and APNIC RPKI platforms in October 2018, enabling CNNIC to join the global RPKI system. CNNIC announced the exciting news at an APNIC-CNNIC joint training event in December 2018, at which CNNIC members were able to ask questions about the system and learn how to establish a child Certificate Authority and ROA records for themselves.

By the end of January 2019, 176 certificates, 39 ROAs and 178 CRLs were recorded in CNNIC’s RPKI system.

Future plans

Organizations in China, including CNNIC, will continue to keep working on troubleshooting operational issues with the RPKI service and improving RPKI system functions. After listening to the opinions of domestic communities and based on the RPKI operation status, we predict that:

  1. One or more public RP services will emerge, mainly targeted to domestic organizations.
  2. The maturity of the domestic RPKI service will be further enhanced using distributed sites, and other ways to improve the availability of the platform will be applied gradually.
  3. More RPKI technical training will be provided to further promote the adoption of RPKI in China.

It’s a pleasure to work with the global Internet community to strengthen Internet security continuously. Stay tuned to the APNIC Blog for more updates and please leave a comment if you have any questions.

Dr Yuedong Zhang is Assistant Director of the System Operations, IP Business, Technical Administration at CNNIC.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *