Routing Security a Work in Progress in Australia, New Zealand

Terry Sweetser

Status of RPKI in Australia and New Zealand

The world needs a secure and resilient Internet, especially in the face of an ongoing pandemic still driving more activity and more people online. The trend makes cybersecurity a crucial issue as citizens and businesses increasingly move to exclusively digital modes.

The Australian government especially is concerned with critical infrastructure given the new focus on the trio of telecommunications, cloud services, and electricity. In fact, the Australian Cyber Security Centre recently issued new guidance on gateways, including Border Gateway Protocol route security.

Our new study, Status of RPKI in Australia and New Zealand finds that while the two countries have made progress, routing security is still in a poor state, exposing businesses, government, and citizens to great risks of data loss, theft, or interrupted critical services.

The study examined whether websites belonging to both public and private institutions in the two countries rejected connections from clearly invalid sources of traffic. It also examined if networks where these websites are hosted provide necessary measures to avoid route hijacks. The results were concerning for both.

We set out to study the state of Resource Public Key Infrastructure (RPKI) uptake in Australia and New Zealand, with particular emphasis on the security of critical infrastructure. We’re happy to release its findings today.

During the research for the report, there were various tests of routing across Australia and New Zealand to a select set of websites. Some of these sites included government services and educational organizations.

One test involved connecting to websites from address space in Sydney with a valid Route Origin Authorization. The next test to the same websites used a source address with an intentionally invalid ROA, therefore designed to fail Route Origin Validation. However, on many occasions, that test did not fail.

The implications of these “successful” results for invalid origins strongly suggests these sites could be accessed from hijacked addresses. Moreover, various networks serving these websites were allowing traffic to move over their networks without a check of the route origin. This also leads to finding that some upstream providers from these sites are passing traffic between the invalid origin and remote websites.

For those sites that never responded to the invalid connection test, the finding was very clear: some network along the path was dropping the traffic at the edge of their network. Time and again during tests, these networks never passed invalid origin traffic.

The implication of this is that some networks are insecure and are not adopting practices to keep their routing secure. Many of these networks provide services to important government services. Furthermore, under these circumstances, a routing hijack would adversely affect these networks and those services.

The possible remedy for these issues is obvious: the adoption of RPKI and the associated practices that prevent attacks and loss of routing integrity. The report data indicates half of the tested websites are at risk.

Network operators have a responsibility to ensure a globally robust and secure routing infrastructure. Your network’s safety depends on a routing infrastructure that weeds out bad actors and accidental misconfigurations that wreak havoc on the Internet. The more network operators work together, the fewer incidents there will be, and the less damage they can do.

All Internet service providers should aspire to become MANRS participants and comply with routing security best practices, including implementing RPKI. Learn about MANRS, implement the actions for network operators, and join the community of security-minded operators working together to make the Internet safer for everyone.

Leave a Comment