Resource Public Key Infrastructure (RPKI) is a method of securing Internet routing by cryptographically verifying routes. As we begin 2022, we look back at 2021, a year that saw another significant step towards its adoption. High-profile incidents involving the old trust-based model of the Border Gateway Protocol (BGP), designed several decades ago, have shown the continued importance of protecting widely used networks from mistakes and attackers.
The RIPE NCC is one of five Regional Internet Registries (RIRs), providing Internet resource registration services and coordinating Internet activities for Europe, the Middle East and Central Asia. Last year, the RIPE NCC was pleased to report that more and more networks worldwide had implemented RPKI. The number of RPKI certificates and ROAs has risen by 26% and 38% respectively since 2020, significantly strengthening the security and stability of the Internet ecosystem as a whole.
Several high-profile global ISPs, such as Amazon Web Services and Comcast, have already opted to embrace RPKI. A couple of incidents provide clues as to why. In April 2018 Amazon’s DNS servers were hit by hijackers who steered traffic to a fake version of MyEtherWallet, an Amazon Web Services customer. Although the website appeared to be based in Germany, the traffic was actually routed via Ukraine, allowing the attackers to steal $160,000 from Ether wallet users. Oracle’s Internet Intelligence concluded that the attack on AWS’s DNS servers succeeded because the attackers were able to hijack a BGP route and take control of Internet traffic destined for Amazon. An attack like this is not a one-off but a problem that keeps recurring. In May 2021, Comcast, one of the largest American Internet Service Providers (ISPs), reported that it had incorporated RPKI into its Border Gateway Protocol (BGP) security in an effort to strengthen its network and protect customers against BGP route hijacks. The move came a month after an extensive BGP leak from Vodafone’s autonomous system (AS55410) in India hit thousands of networks around the world, affecting large companies such as Google. Several of Comcast’s prefixes were also reportedly affected. In response, Jason Livingood, Comcast Cable’s Vice President of Technology Policy & Standards, stated that the company now cryptographically signs its route information and validates the cryptographic signatures on the route information of other networks. These developments illustrate that more companies are realising the value of RPKI and advocating its adoption in an effort to strengthen and secure the network as a whole.
As similar leaks and hijacks are likely to occur in the future, ISPs may wish to benefit from RPKI adoption sooner rather than later. But how can they make RPKI as efficient as possible as we head into 2022?
Holders of IP addresses and ASNs should create a cryptographically signed statement, a Route Origin Authorisation (ROA), which can only be issued by the legitimate holder of the prefix. The ROA also names the AS number that is authorised to originate the prefix on the Internet. Routers can then check that a route announcement really comes from the origin AS it claims, in a process called Route Origin Validation. Routes are then filtered and ‘invalid’ routes are rejected during route filtering, a significant feature that blocks malicious actors from originating false routes and stops the propagation of misconfigurations that could otherwise lead to a major incident. NOS Comunicações and Vocus, prominent Internet Service Providers in Portugal and Australia respectively, have both signed their prefixes and are rejecting invalid routes.
Route filtering is only effective when organisations generate ROAs that identify the legitimate origin of each prefix, which is what protects their routes from leaks and hijacks. With ROAs in place, RPKI can cryptographically verify whether an announcement of a network’s IP addresses is legitimate. Hijacking, whether deliberate or accidental, can cause network outages, and the same mechanism lets attackers disrupt Internet traffic. In June 2020 IBM experienced a worldwide outage that stemmed from a false BGP route and caused connectivity problems for websites and platforms running on IBM Cloud. It is therefore imperative to keep the data current and to renew cryptographic certificates regularly, as well as whenever a holder transfers IP addresses or an ASN to another party.
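To make the ROA and Route Origin Validation steps described above concrete, the following added example (not code from the original article, the RIPE NCC, or any of the ISPs mentioned) implements the validation outcome a router computes per RFC 6811 and the reject-invalid filtering policy on top of it. The ROAs, prefixes and AS numbers are constructed for illustration and use documentation ranges; a real router receives the equivalent Validated ROA Payloads (VRPs) from a relying-party validator over the RTR protocol rather than from a hard-coded list.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs.

Added example: the ROAs and announcements below are made up and use
documentation prefixes and reserved ASNs. Nothing here contacts a real
validator or trust anchor; it only shows the decision logic."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: the (prefix, maxLength, ASN) triple a validator
    extracts from a signed ROA after checking its certificate chain back
    to the trust anchor."""
    prefix: str
    max_length: int
    asn: int


# Constructed VRP set, as a validator would hand it to a router.
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),   # only AS64496 may originate, no sub-prefixes
    VRP("192.0.2.0/24", 24, 64500),   # a second authorised origin for the same prefix
    VRP("2001:db8::/32", 48, 64497),  # AS64497 may announce the /32 down to /48
    VRP("203.0.113.0/24", 24, 0),     # AS0 ROA: nobody may originate this prefix
]


def validate_route(vrps, route_prefix, origin_asn):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    RFC 6811: a route is 'not-found' when no VRP covers the announced prefix,
    'valid' when at least one covering VRP names the origin AS and allows the
    announced prefix length, and 'invalid' otherwise. An AS0 VRP (RFC 7607)
    never matches any origin, so it can only make routes invalid."""
    net = ip_network(route_prefix)
    covering = []
    for v in vrps:
        roa_net = ip_network(v.prefix)
        # subnet_of() refuses to compare IPv4 with IPv6, so check the version first.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(v)
    if not covering:
        return "not-found"
    for v in covering:
        if v.asn != 0 and v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def filter_announcements(vrps, announcements, drop_not_found=False):
    """Apply the filtering policy from the text: drop every 'invalid' route.

    'not-found' routes are kept by default, because most address space still
    has no ROA; dropping them would black-hole large parts of the Internet."""
    accepted = []
    for prefix, origin in announcements:
        state = validate_route(vrps, prefix, origin)
        if state == "invalid" or (drop_not_found and state == "not-found"):
            continue
        accepted.append((prefix, origin, state))
    return accepted


# Constructed BGP announcements: (announced prefix, origin AS).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # legitimate origin
    ("192.0.2.0/25", 64496),      # right AS, but more specific than maxLength allows
    ("192.0.2.0/24", 64511),      # hijack: unauthorised origin AS
    ("198.51.100.0/24", 64496),   # no ROA exists for this prefix
    ("2001:db8::/48", 64497),     # legitimate IPv6 sub-prefix within maxLength
    ("203.0.113.0/24", 64496),    # covered only by an AS0 ROA
]


if __name__ == "__main__":
    for prefix, origin in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{origin:<6} {validate_route(VRPS, prefix, origin)}")
    print("accepted:", filter_announcements(VRPS, ANNOUNCEMENTS))
```

The choice to keep `not-found` routes by default mirrors what operators deploying ROV actually do, and it is why the article stresses ROA creation: filtering only rejects what a ROA lets it recognise as wrong, so a prefix with no ROA is still open to hijack no matter how many networks validate.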
However, there is still work to do. The RPKI model is most effective when adopted by many parties, and many Tier 1 ISPs are already making progress. Now the ball is in the court of Tier 2 ISPs, such as Virgin and BT, and of Internet exchanges, to help secure the whole routing path for all. Yet the global pandemic brought many challenges, making some ISPs reluctant to initiate major changes such as RPKI adoption. Internet traffic in the UK also increased by 78% in a year according to research by the UK ISP Zen Internet, which has pushed ISPs to opt solely for mandatory upgrades.
While it’s true that network outages related to upgrades are likely to occur, the risk is negligible compared with the ever-growing threat of cyber-attacks, which could have long-lasting effects on businesses as well as on people’s personal and professional lives.
With Tier 2 ISPs gradually following the lead of Tier 1 ISPs, the RIPE NCC supports their efforts to strengthen the network for all and provides reliable data by offering a stable and secure Trust Anchor. The future of the Internet can only be ensured through a unified effort.