New RPKI Guide for a More Secure Internet

By Tiziano Tofoni, CEO of Reiss Romoli, and Flavio Luciani, CTO of Namex (Roma IXP)

Many incidents in the Internet are caused by the propagation of incorrect routing information. The most common threats, such as prefix hijacking or route leaks, take advantage of the basic vulnerability of BGP: its inability to verify which Autonomous Systems propagating the announcements are legitimately permitted to do so.

To avoid this problem, in 2012 the Secure Inter Domain Routing (SIDR) group of the Internet Engineering Task Force (IETF) developed a standard architecture: RFC 6481 – “A Profile for Resource Certificate Repository Structure.” It’s based on a public structure (Resource Public Key Infrastructure, or RPKI) with distributed databases (RPKI repositories).

We recently released the handbook “BGP RPKI: Instructions for use” to illustrate the main components of the BGP RPKI architecture and how these interact to create a system that will check whether or not an AS is authorized to originate prefixes to the Internet. Since we want this document to be a practical guide for the implementation of the RPKI architecture, we also illustrate how to insert the ROAs in the repository of an RIR (for now RIPE NCC portal). We explain how the theory can be put into practice by illustrating the implementation of the architecture both in Cisco and Juniper environments, with configuration examples.

This guide could be useful for anyone who wants to know more about the theory behind RPKI. It is aimed especially to network operators who want to implement the architecture inside their own network infrastructure.

We consider MANRS an important initiative and a first step to support network operators, IXPs, and CDNs to improve their security levels. The three MANRS programs carry different sets of concrete actions designed to avoid the most common routing problems. This handbook should support network operators to be compliant with one of the key actions. Our goal is to guide you inside the RPKI architecture in order to make the Internet a a more secure place.

Read “BGP RPKI: Instructions for use”