Resource Public Key Infrastructure
Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework designed to secure the Internet's routing infrastructure, specifically the Border Gateway Protocol (BGP). RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP addresses) to a trust anchor. The certificate structure mirrors the way in which Internet number resources are distributed. That is, resources are initially distributed by the IANA to the Regional Internet Registries (RIRs), who in turn distribute them to Local Internet Registries (LIRs), who then distribute the resources to their customers. RPKI can be used by the legitimate holders of the resources to control the operation of Internet routing protocols to prevent route hijacking and other attacks.

Work on standardizing RPKI is currently (late 2011) ongoing at the IETF in the sidr working group, based on a threat analysis which was documented in RFC 4593. The standards cover BGP origin validation, while work on path validation is underway.

Resource Certificates and child objects

RPKI uses X.509 PKI certificates (RFC 5280) with Extensions for IP Addresses and AS Identifiers (RFC 3779). It allows the members of Regional Internet Registries, known as Local Internet Registries (LIRs), to obtain a resource certificate listing the Internet number resources they hold. This offers them verifiable proof of holdership, though it should be noted that the certificate does not contain identity information. Using the resource certificate, LIRs can create cryptographic attestations about the route announcements they authorise to be made with the prefixes they hold. These attestations are called Route Origination Authorizations (ROAs).

Route Origination Authorizations

A Route Origination Authorization states which Autonomous System (AS) is authorised to originate certain IP prefixes. In addition, it can determine the maximum length of the prefix that the AS is authorised to advertise.

Maximum Prefix Length

The maximum prefix length is an optional field. When not defined, the AS is only authorised to advertise exactly the prefix specified. Any more specific announcement of the prefix will be considered invalid. This is a way to enforce aggregation and prevent hijacking through the announcement of a more specific prefix.

When present, this specifies the length of the most specific IP prefix that the AS is authorised to advertise. For example, if the IP address prefix is 10.0/16 and the maximum length is 22, the AS is authorised to advertise any prefix under 10.0/16, as long as it is no more specific than /22. So, in this example, the AS would be authorised to advertise 10.0/16, 10.0.128/20 or 10.0.255/22, but not 10.0.255.0/24.

RPKI Route Announcement Validity

When a ROA is created for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity of one or more route announcements. They can be:
  • VALID
    • The route announcement is covered by at least one ROA
  • INVALID
    • The prefix is announced from an unauthorised AS. This means:
      • There is a ROA for this prefix for another AS, but no ROA authorising this AS; or
      • This could be a hijacking attempt
    • The announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix and AS
  • UNKNOWN
    • The prefix in this announcement is not covered (or only partially covered) by an existing ROA
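As an added example (not code from the original article), the VALID / INVALID / UNKNOWN rules above together with the maximum-length rule from the previous section, written as a small origin validator in Python; the ROA cache, the prefixes and the AS numbers (65001, 65002, 64500) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ROA:
    """One validated ROA from the local cache: prefix, origin AS, optional max length."""
    prefix: str
    origin_asn: int
    max_length: Optional[int] = None

    def effective_max_length(self) -> int:
        # Absent max length: only the exact prefix is authorised (enforces aggregation).
        plen = ipaddress.ip_network(self.prefix).prefixlen
        return plen if self.max_length is None else self.max_length


def validate_origin(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Classify a BGP announcement as VALID, INVALID or UNKNOWN against the ROA cache."""
    announced = ipaddress.ip_network(announced_prefix)  # strict: host bits must be zero
    covering: List[ROA] = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the announcement only if the announced prefix lies fully inside it;
        # a less-specific or only partially overlapping announcement is not covered.
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "UNKNOWN"
    # VALID needs at least one covering ROA with a matching AS whose max length permits
    # this prefix length; otherwise the announcement is INVALID (wrong AS or too specific).
    for roa in covering:
        if roa.origin_asn == origin_asn and announced.prefixlen <= roa.effective_max_length():
            return "VALID"
    return "INVALID"


# Constructed ROA cache (private-use AS numbers, documentation prefixes).
SAMPLE_ROAS = [
    ROA("10.0.0.0/16", 65001, max_length=22),  # the article's 10.0/16, max length 22 case
    ROA("192.0.2.0/24", 64500),                # no max length: only the /24 itself is allowed
    ROA("2001:db8::/32", 65001, max_length=48),
]

if __name__ == "__main__":
    for prefix, asn in [("10.0.128.0/20", 65001), ("10.0.255.0/24", 65001),
                        ("10.0.0.0/16", 65002), ("10.1.0.0/16", 65001)]:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn, SAMPLE_ROAS)}")
```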

Management

There are open source tools available to run the Certificate Authority and manage the resource certificate and child objects such as ROAs. In addition, the RIRs have a hosted RPKI platform available in their member portals. This allows LIRs to choose to rely on a hosted system, or run their own software.

Publication

The system does not use a single repository publication point to publish RPKI objects. Instead, the RPKI repository system consists of multiple repository publication points. Each repository publication point is associated with one or more RPKI certificates' publication points. In practice this means that when running a Certificate Authority, an LIR can either publish all cryptographic material themselves, or they can rely on a third party for publication. When an LIR chooses to use the hosted system provided by the RIR, in principle publication is done in the RIR repository.

Validation

Relying parties run local RPKI validation tools, which are pointed at the different RPKI trust anchors and use rsync to gather all cryptographic objects from the different repositories used for publication. This creates a local validated cache which can be used for making BGP routing decisions.

BGP Router Decision Making Process

After validation of ROAs, the attestations can be compared to BGP routing and aid network operators in their decision making process. This can be done manually, but work on streamlining this process is underway through a protocol for delivering validated prefix origin data to routers, known as the RPKI/Router Protocol. Cisco Systems is committed to offering this functionality in Cisco IOS. Juniper Networks is working on an implementation for Junos as well. Quagga will obtain this functionality through BGP Secure Routing Extensions (BGP-SRx).

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.