To highlight the importance of Resource Public Key Infrastructure (RPKI) and encourage network operators to take concrete steps to improve routing security, we hosted RPKI Week 2021 on 12-16 July 2021.
RPKI helps prevent Internet routing incidents like prefix hijacking and route leaks. It allows an entity to cryptographically verify that an autonomous system (AS) is authorized to originate a prefix, thus reducing incidents that can lead to DDoS attacks, traffic inspection, lost revenue, reputational damage, and more.
We brought together partners from across the Internet routing ecosystem to launch new tools, provide new educational materials, facilitate discussion, and build awareness about routing security. Here are some highlights:
- New educational videos on Route Origin Authorization (ROA) creation, Route Origin Validation (ROV) deployment, and validator installation
- New tools, including an ROA Monitor on MANRS Observatory
- Several webinar panels featuring experts in the field
|Time & Date||Activity||Recordings & Presentations|
|Welcome to RPKI Week|
In the first part of the session, the MANRS Ambassadors will introduce new, short instructional videos that show how you can implement RPKI in your network.
In the second part, we will examine the story of how RPKI came about, told through the personal account of Geoff Huston, Chief Scientist of APNIC, who’s been deeply involved from the start.
Because the Border Gateway Protocol (BGP) was not designed with security in mind, it depends on the good behavior of tens of thousands of trusted entities in routing. Engineers realized early that issues can arise from this weak trust model, and multiple ideas were proposed to secure BGP. By 2005, there were at least three serious proposals, but none of them was widely accepted. Why not? Was it to do with operational costs, business practices, or perceived needs? While RPKI was developed and deployed as a supporting technology and has proven to be useful for origin validation, it did not help to resolve path validation. Were there alternatives for origin validation with less overhead than X.509 PKI? Is there still hope for BGPsec? What is next on the path to validating paths? Is RPKI secure enough?
Aftab Siddiqui (Internet Society)
Geoff Huston (APNIC)
|Using and Operating the Hosted RPKI|
We have seen an increase in networks, both small and large, filtering invalid BGP announcements. As the Internet adapts to these new security measures, it is important that their implementation does not negatively affect network operations. It is equally important that the Operators of RPKI Services (ORS) responsible for operating a hosted RPKI put the necessary measures in place to increase the resilience and reliability of the infrastructure. With this document, we outline changes and improvements that ORS can make to increase the security and reliability of ROAs. These requirements and security standards will lead more networks to adopt RPKI and avoid common mistakes with ROA management.
Andrei Robachevsky (Internet Society)
Somesh Chaturmohta (Microsoft)
Vamseedhar Raja (Google)
Ali Monfared (Microsoft)
Carlos Martinez (LACNIC)
Willy Manga (AFRINIC)
|IXPs and RPKI – A MANRS Community Panel|
In recent years, many Internet exchange points (IXPs) have started to implement RPKI technology on their route servers, i.e., dropping routes with an invalid Route Origin Authorization (ROA). You may think it is easier to introduce RPKI ROV on route servers than in a larger network operator's network, but the grass is not greener on the other side. There are many things to consider, such as the selection of relying party software, the right set of config parameters for the route server, and monitoring. In this session, we have invited some large IXP operators who have implemented RPKI to share lessons learned from their journeys.
Max Stucchi (Internet Society)
Stavros Konstantaras (AMS-IX)
Mauricio Oviedo (LAC-IX)
Nick Pratley (IX-AU)
Barry O’Donovan (INEX)
|Trust in RPKI|
This session will examine the role of trust in RPKI. Specifically, what is the RPKI certificate structure? How do we use RPKI to improve BGP security? The speakers will also help you understand hosted vs. delegated RPKI and, ultimately, how to use RPKI data for ROV.
Karen O’Donoghue (Internet Society)
Alex Band (NLnet Labs)
|ISPs, NSPs, and RPKI – A MANRS Community Panel|
2020 was the year of RPKI. Many big network operators across the globe started the rollout of Route Origin Validation (dropping routes with “Invalid” ROA status), and many others have followed them in 2021. There are many things to consider, such as the selection of relying party software, the right set of config parameters for the edge routers, design, and how to monitor it. In this panel, prominent industry players who implemented ROV will share their insights, clear up common misconceptions, and address the problems it causes and how to remedy them.
Philip Smith (NSRC)
D’Wayne Saunders (Telstra)
Mark Tinka (Seacom)
Tony Tauber (Comcast)