RPKI
Resource certification is a security framework that proves the association between specific IP address blocks or AS numbers and the custodians of those Internet number resources (INRs). It does this by issuing certificates based on public-private key cryptography, within a system known as a PKI (Public Key Infrastructure).
The certificates provide proof and authority to use given IPv4, IPv6 and ASN resources and can be validated cryptographically.
What is RPKI?
Resource Public Key Infrastructure (RPKI) is a cryptographic method of signing records that associate a BGP route announcement with the correct originating AS number. RPKI is defined in RFC 6480 (An Infrastructure to Support Secure Internet Routing).
Because any route can be originated and announced by any random network, independent of its rights to announce that route, there needs to be an out-of-band method to help BGP manage which network can announce which route. That system exists today. It's part of the IRR (Internet Routing Registry) system. Many registries exist: some run by networks, some by RIRs (Regional Internet Registries), and the granddaddy of IRRs, Merit's RADB service. This service provides a collective method to allow one network to filter other networks' routes.
This works somewhat. An invalid announcement is normally squashed near-instantly as the route crosses an ASN boundary because one network is meant to filter the other network (based on rules created from the IRR database). This of course doesn’t happen perfectly; in fact, far from it. Route leaks or route hijacks happen more often than they should, a fact that is well documented. Here are the highlights:
1997 - AS7007 mistakenly (re)announces 72,000+ routes (becomes the poster-child for route filtering).
2008 - ISP in Pakistan accidentally announces IP routes for YouTube by blackholing the video service internally to their network.
2017 - Russian ISP leaks 36 prefixes for payments services owned by Mastercard, Visa, and major banks.
2018 - BGP hijack of Amazon DNS to steal cryptocurrency.
That’s just a partial list! Each route leak or hijack exposes a lack of route filtering by the network that peers or transits the offending network.
RPKI comes into the picture because the existing IRR system lacks any form of cryptographic signing for its data. In fact, today the IRR databases contain plenty of invalid data. There's very little control over the creation of invalid data.
Implementing RPKI is just the first step in better BGP route security, because RPKI only secures the route origin; it doesn't secure the path. (Sadly, the same is true for IRR data.) When we want to secure the path, we are going to need something else, but that comes later.
RPKI applications
These are two current applications of RPKI:
* Route Origin Validation (ROV), performed using ROAs to make BGP routing decisions. (This is the primary function of RPKI.)
* Resource Tagged Attestation (RTA), which allows an arbitrary digital object to be signed by the holder of the IP address/ASN mentioned in the digital object (this is a work in progress).
Benefits of RPKI
* Much safer than manually checking the APNIC Whois Database or the IRR database.
* Securing the origin of a prefix (its origin AS) is the first step to preventing many attacks on BGP integrity.
* Instruction/information from the resource custodian can be cryptographically verified (for example, Letter of Authority signing).
ROV and ROA
BGP route assertions have an origin AS and a series of AS forming the path. Route Origin Validation (ROV) is the application of RPKI to validating the origin AS.
The main and most widely known application of RPKI is Route Origin Validation (ROV).
ROV is performed using a Route Origin Authorization (ROA). A ROA lists the prefixes that an ASN is authorized to announce. ROAs therefore state which AS is authorized to originate certain IP address prefixes. Once validated, a ROA can be used to generate route filters.
Benefits of creating a ROA
* Verify whether an AS is authorized to announce a specific IP prefix
* Minimize common routing errors
* Prevent most accidental hijacks
What’s contained in a ROA
* The AS number you authorize
* The prefix that is being originated from it
* The most specific prefix (maximum length) that the AS may announce
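The origin check described above, as an added example (not code from the original post or from any validator project): it applies the three ROA fields to a BGP announcement and returns a valid, invalid or unknown status, which RFC 6811 names Valid, Invalid and NotFound. The ROA entries, prefixes and AS numbers are constructed from documentation ranges, and the function and variable names are assumptions.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    asn: int         # the AS number the holder authorizes
    prefix: str      # the prefix originated from that AS
    max_length: int  # most specific prefix length the AS may announce


# Constructed sample ROAs (documentation prefixes and ASNs, not real data).
SAMPLE_ROAS = [
    ROA(64496, "203.0.113.0/24", 24),
    ROA(64496, "2001:db8::/32", 48),
    ROA(64497, "2001:db8:ff00::/40", 40),
]


def validate_origin(route_prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Return 'valid', 'invalid' or 'unknown' for one BGP announcement."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # A ROA is relevant only if its prefix contains the announced one.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Origin AS must match and the route must not exceed max length.
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "unknown"


if __name__ == "__main__":
    for prefix, asn in [("203.0.113.0/24", 64496), ("203.0.113.0/24", 64511),
                        ("203.0.113.128/25", 64496), ("192.0.2.0/24", 64496)]:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn)}")
```

The third case shows why the maximum length matters: a more specific announcement than the ROA allows is invalid even when it comes from the authorized AS.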
Resource Tagged Attestation
Another potential application of RPKI is Resource Tagged Attestation (RTA), which allows RPKI certificates to be used to sign an arbitrary object, such as a cryptographically verifiable ‘Letter of Authority’ (LOA) in the form of a PDF file or Word document.
Current practice uses an informal scanned/signed PDF under company letterhead, which is unverifiable without more information. Forging a LOA is a risk that cannot easily be detected as-is.
RTA generates a ‘detached signature’ using RPKI. The signing certificate contains the IP address range listed in the LOA document. The signed object contains the specific IP resources relevant to the signing, an identifier for the certificate that proves the resource holder has control, and a digital signature of the object being signed. The result is a cryptographically verifiable object (for instance a LOA), and its verification can be automated.
The exact intent of the resources included is not specified: it depends entirely on the meaning of the signed object. So, a LOA should continue to state conclusively which INRs it relates to.
APNIC is developing RTA and will release services in due course.
The Single Trust Anchor
The single trust anchor is represented by a file called a ‘Trust Anchor Locator’ or TAL. It is very important that relying parties who consume the products of the APNIC RPKI system have this TAL configured into their validator.
Does my ISP/Public Internet BGP use RPKI to be safe?
This is very easy to test using the URL https://isbgpsafeyet.com/
Go to the URL and just hit the “Test your ISP” button.
We can also check whether any prefix has a status of valid, invalid or unknown by using these two public RPKI servers:
1. https://rpki-validator.ripe.net/trust-anchors
2. https://rpki.cloudflare.com/