Will 2023 be the Year Half of the Internet is RPKI-Enabled?
The new year is a great time to reflect on the past, take stock of the present, forecast the future, and set resolutions to commit to improving yourself (or your network). In this post, I will look at all of these in relation to Resource Public Key Infrastructure (RPKI), which enters a critical juncture with more than 50% RPKI-enabled networks predicted by the end of 2023.
A Look at the Past
In case you missed it, Geoff Huston (APNIC) posted his annual Border Gateway Protocol (BGP) review last week, which, discussed in great detail the continued slowdown in the growth of the number of prefixes and unique Autonomous Systems (ASes) announced to the Internet (Figure 1).
While the Internet may not be growing as quickly as it once was, the threat to the whole global routing routing is. At the Internet Society, we continually investigate incidents that emphasize the vulnerability of the whole Internet routing ecosystem and how most of these incidents can be avoided by following the Mutually Agreed Norms for Routing Security (MANRS) actions, of which RPKI is an important best practice.
BGP incidents can be categorized into route/prefix hijacks and route/prefix leaks (RFC 7908).
A BGP hijack (prefix origin hijack, route origin hijack) happens when a network originates a prefix (or a set of prefixes) that are allocated to another network without its permission, whether intentionally or mistakenly. One of the mechanisms which offers a strong enhancement to BGP security and helps us eliminate route origin hijacks is RPKI.
There are two important steps when deploying RPKI:
- Creating Route Origin Authorisations (ROAs), which are cryptographically signed objects that state that an AS is authorized to originate a particular IP prefix or set of prefixes and the validity period for that statement.
- Validating your ROAs using the RPKI system (RFC 6482). Once a ROA is validated, the resulting object contains at least one IP prefix, a maximum length, and an origin AS number. This object is referred to as a Validated ROA Payload (VRP). The VRPs can be used to check the validity of routing announcements received by a network and can reject the announcement if it is invalid — this is Route Origin Validation (ROV).
A Look at the Present
Currently, 41.7% of routes in the global routing table have valid ROAs (Figure 2).
Below is a breakdown of the top 20 origin ASNs in each of the five Regional Internet Registry regions that are announcing valid ROAs. Note: these ROAs were not necessarily created by these ASN holders since the prefix holder can put any ASN in the origin field.
The top three origin ASNs from the AFRINIC region are Africa-on-Cloud-AS, South Africa (AS328608), Spectranet, Nigeria (AS37340), and RENU from Uganda (AS327687).
In the APNIC region, the highest origin ASN count, by a large margin, is from BSNL India (AS9829), followed by Tata Communications (AS4755) and Sify Limited (AS9583), both also based in India.
Another interesting aspect of this data is that AS0 (zero) is also very popular in the APNIC region (APNIC TAL) — 547 VRPs are configured with AS0 origin which is also called ‘do-not-advertise’ or negative intent of announcement from the resource holders. A prefix covered by a ROA with AS0 set as origin should not be seen in the global routing table, since no one can use AS0 as the origin. And if ROV is performed, it will always mark the prefix as ‘Invalid’, which means the prefix should be discarded.
In the ARIN region, the top three origin ASNs are Cox Communications (AS22773), Amazon (AS16509), and Google Cloud (AS396982).
The growth of ROA creation in the ARIN region is very slow and sits around 28% in the global routing table. Conversely, LACNIC sits above the global ROA creation average with around 45% valid ROAs.
The top three origin ASNs in the LACNIC region are Colombia Telecom (AS3816), Telefonica Peru (AS6147), and, surprisingly, Neustar Security Services (AS19905), which is registered in the ARIN region. This suggests that it is using most of its resources in the LACNIC region.
Finally, the RIPE region has historically led the way in RPKI deployment and, as such, has one of the highest uptakes in ROA creation (56%) so, it is not surprising to see so many ASNs with hundreds of VRPs associated with them.
Bezeqint Internet Backbone (AS8551) from Israel is the top origin ASN, followed by Turkcell Superonline (AS34984) and Telecom Iran (AS58224).
As mentioned, the origin ID field in the ROA doesn’t suggest that the ROA was created by the same ASN holder, but it confirms that the IP Address holder allows that specific ASN to originate those IP prefixes. For example, an IP Address holder in the APNIC region can create a ROA with an origin ASN from the RIPE NCC region. As such, there are some ASNs in the global top ten list (Figure 8), such as Cloudflare (AS13335) and Charter Communications (AS20115) that don’t appear in the regional lists as they have resources in multiple regions.
Room for improvement
A key part of MANRS is making participants and the wider community aware of any errors, given the Internet is only as secure as its weakest link. In this respect, there are currently:
- 153 VRPs with bogon (more about Bogon) ASNs.
- 621 VRPs with origin ASN marked as Reserved by the RIRs.
Around 2,000 problematic VRPs in the approximately 391k VRPs may not seem like a big deal, but it shows either a lack of understanding or monitoring from the resource holders. All these mistakes open possibilities to circumvent the security mechanisms and hijack the resources inadvertently because once those ASNs are registered they become automatically authorized to announce those prefixes. They also pollute the repository and increase the overall validation time of a repository.
A Look to the Future
Data from the MANRS Observatory shows there were more routing incidents in 2022 than the previous year. However, because of the increased use of RPKI, those incidents were less severe. This idea was very well explained by Doug Madory and Job Snijders in a Kentik blog post last August.
We’re seeing about 10% year-on-year improvement in RPKI, and if that growth continues, we will surpass 50% RPKI-enabled networks by the end of this year— a major tipping point (Figure 11).
MANRS participants (nearly 900) have a much higher than average compliance rate (Figure 12) and the community continues to promote RPKI through educational activities and making sure secure routing is viewed as not just a nice-to-have, but a business necessity.
We will most likely see the majority of the top 100 network operators implementing better routing security and more networks implementing other routing security technologies, such as Autonomous System Provider Authorization (ASPA) and BGP Security (BGPSec).
With many larger network operators such as NTT, AT&T, Telstra, Telia, IIJ, Hurricane Electric, Vocus, and Seacom dropping routes that fail RPKI-based ROV, we predict it will become much harder to propagate a route hijack or misorigination.
And a Resolution to Finish With
Repetition is the key to learning and maintaining habits. So, I will leave you with a statement that you have all heard several times but is important to remember when considering your resolution to continue to secure routing in 2023: BGP is central to how networks direct traffic across the Internet. It provides flexibility and scalability to accommodate Internet growth. And that is why the security and stability of BGP are important for a secure and reliable Internet.
Aftab Siddiqui is a Senior Manager of Internet Technology at the Internet Society.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of the Internet Society.
Leave a Comment