Over the past two years, 98% of Taiwan’s IP address holders have signed Resource Public Key Infrastructure (RPKI) Route Origin Authorizations (ROAs) for their routes, the highest rate among the top 100 economies by IP address allocations.
This could not have been achieved without the efforts of the Taiwan Network Information Center (TWNIC), which has been actively promoting RPKI since signing its TWNIC RPKI Certificate Authority (CA) with APNIC in 2018.
Using RPKI, legitimate IP address holders can better control their assigned Internet routing protocols to prevent route hijacking or unintentional BGP configuration errors that can cause major Internet outages like those seen in Japan three years ago.
To mark this achievement and with it the start of the second phase of its RPKI project, TWNIC held the online Taiwan RPKI Day on 28 September 2020.
During the event, TWNIC launched its RPKI Validator service with 46 IP members agreeing to connect to it to test its functionality as they seek to enable Route Origin Validation (ROV), the main and most widely known application of RPKI. The new validation service allows users to activate the RPKI function of their routers connected to the TWNIC Validator server, download the latest ROA data, and perform ROV.
Speaking on the day, Wei-Chung Teng, commissioner of the National Communications Commission (NCC) in Taiwan, noted that Taiwan has limited resources and is often subject to cyberattacks due to its geographical location. As such, rapid RPKI deployment should be a widespread effort to ensure network routing in Taiwan is reliable, trustworthy, and untampered.
TWNIC’s Chairman of the Board, Kenny Huang, also spoke on the day, noting how the continuous technical support and six training sessions to assist TWNIC members to properly configure their RPKI deployment had played a crucial role in getting such a high rate of ROAs signed. Such hands-on work within the community has been a key factor in other economies too.
Moving forward into the third phase — automatically filtering out illegitimate routes
In a video message, APNIC’s Director General, Paul Wilson, also expressed his congratulations. He said after the signing of TWNIC RPKI CA with APNIC, TWNIC could start to use RPKI Digital Certificates to protect the IP addresses under its management, while allowing TWNIC members holding the certificates to protect their route declaration through ROAs. This is a critical step on the way to Internet routing security.
In phase two of the project, around 46 operators will participate in testing TWNIC’s Validator operations, which represents the persistent support for Internet security by Taiwan’s Internet community. This will be followed by a third phase, which will involve comprehensive route filtering.
Paul said such planning was crucial, and the overall strategy could serve as a great case study for other economies to follow. He urged Taiwan’s Internet community to follow TWNIC’s lead and take part in not only phase-two testing but also additional trial runs and field operations to build a reliable, secure and open Internet environment.
Kenny reiterated that the Internet is designed to enable communication, not with security as a top priority. Route declaration is based purely on trust, which is blind and vulnerable to malicious hijacking. RPKI enables authentication and validation of route origin to identify malicious conduct. Then, filtering can be applied to prevent hackers from arbitrarily broadcasting routes that they do not possess.
TWNIC will monitor phase-two progress and, if participation in its validation service is high, move into phase three, in which it will encourage its IP members to activate automatic filtering.
Ching-Heng Ku is Director of the TWNIC IP Department.