RPKI: Resource Public Key Infrastructure

GT-RNOC is working on an NSF-funded project to evaluate deployment options for the Resource Public Key Infrastructure (RPKI) and develop best practices for the research networking community as a first step toward securing the Internet's routing infrastructure. This work includes designing and evaluating the architectures for managing Resource Certificates and Resource Origin Authorizations (ROAs). The work involves deploying RPKI across 21 university networks connected to the SoX regional network based in Atlanta, GA. As the system is deployed, researchers will need to watch the operation for several months to study route stability and determine best practices for further deployment across the Internet.

Today’s Internet routing infrastructure is based on trusted relationships between networks. This has allowed for major disruptions. The more recent and most effective solution is RPKI.

  • Specific PKI (X.509-based) for Internet Routing Infrastructure
  • Goal: Prevent route or prefix hijacking
  • How: Provide a trusted binding between IP address and AS number to check if an AS is authorized to announce a specific prefix
  • Based on pyramidal key infrastructure (IANA, RIR, NIR, LIR/ISP)
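
The check described in the "How" bullet, as an added example that is not part of the original page or the project's code: it classifies a BGP announcement against validated ROA payloads using the valid / invalid / not-found states of RFC 6811 origin validation. The function name, tuple layout and sample data (documentation prefixes and ASNs) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data: validated ROA payloads as
# (authorized prefix, maxLength, authorized origin ASN).
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("203.0.113.0/24", 25, 64497),   # may be announced as /24 or /25
    ("2001:db8::/32", 48, 64498),    # may be announced as /32 .. /48
]


def validate_origin(prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_length, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # IPv4 and IPv6 payloads never cover each other.
        if vrp_net.version != route.version:
            continue
        # A payload covers the route when the route is the same prefix
        # or a more specific prefix inside it.
        if not route.subnet_of(vrp_net):
            continue
        covered = True
        # Match: announced length within maxLength and same origin AS.
        # AS 0 in a payload means "no AS is authorized", so it never matches.
        if (route.prefixlen <= max_length
                and vrp_asn == origin_asn
                and vrp_asn != 0):
            return "valid"
    # Covered but unmatched means wrong origin or too specific a prefix.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for pfx, asn in [
        ("192.0.2.0/24", 64496),      # authorized origin
        ("192.0.2.0/24", 64511),      # wrong origin AS
        ("203.0.113.128/26", 64497),  # more specific than maxLength
        ("198.51.100.0/24", 64496),   # no covering payload
    ]:
        print(pfx, asn, validate_origin(pfx, asn, SAMPLE_VRPS))
```

A router treats not-found differently from invalid: not-found means no ROA has been published for the address space, while invalid means a published ROA contradicts the announcement.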

Samuel Norris, one of the contributors to the project, explains RPKI as follows:

The main goal of the project is to prevent malicious or accidental mis-advertisement of BGP routes by using a distributed database of signed certificates. Under the current system, someone who advertises a route they don't own may be able to "steal" network traffic. RPKI allows legitimate owners to publish a signed certificate, called a ROA, in a distributed database. RPKI-enabled BGP routers can then check advertisements against the certificates in this database in order to validate (or invalidate) them. This would decrease the number of incorrect routes in routing tables. We hope to implement RPKI routing security measures on the Southern Crossroads regional research network. To that end, I have designed a virtual network on which we can run tests and experiments.