RPKI: Resource Public Key Infrastructure

GT-RNOC is working on an NSF funded project to evaluate deployment options for the Resource Public Key Infrastructure (RPKI) and develop best practices for the research networking community as a first step toward securing the Internet's routing infrastructure. This work includes designing and evaluating the architectures for managing Resource Certificates and Resource Origin Authorizations (ROAs). The work involves deploying RPKI across 21 university networks connected to the SoX regional network based in Atlanta, GA. As the system is deployed, researchers will need to watch the operation for several months to study route stability and determine best practices for further deployment across the Internet.

Today's Internet routing infrastructure is based on trust relationships between networks, and that trust has allowed major disruptions. The more recent and most effective solution is RPKI.

  • Specific PKI (X.509-based) for Internet Routing Infrastructure
  • Goal: Prevent route or prefix hijacking
  • How: Provide a trusted binding between an IP address prefix and an AS number, so a router can check whether that AS is authorized to announce the prefix
  • Based on a hierarchical key infrastructure (IANA, RIR, NIR, LIR/ISP)

Samuel Norris, one of the project's contributors, explains RPKI as follows:

The main goal of the project is to prevent malicious or accidental mis-advertisement of BGP routes by using a distributed database of signed certificates. Under the current system, someone who advertises a route they don't own may be able to "steal" network traffic. RPKI allows legitimate owners to publish a signed certificate, called a ROA, in a distributed database. RPKI-enabled BGP routers can then check advertisements against the certificates in this database in order to validate (or invalidate) them. This would decrease the number of incorrect routes in routing tables. We hope to implement RPKI routing security measures on the Southern Crossroads regional research network. To that end, I have designed a virtual network on which we can run tests and experiments.
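The check the bullets above and Samuel's description refer to, as an added example that is not the project's own code: route origin validation per RFC 6811 against a small constructed ROA set, producing the Valid, Invalid and NotFound (shown as "unknown" by rcynic) states a validator hands to the router. The ROAs, prefixes and AS numbers are constructed from documentation ranges and are assumptions, not data from the SoX deployment.

```python
# Added example (not GT-RNOC project code): RFC 6811 route origin validation.
# ROAs, prefixes (RFC 5737 doc space) and ASNs (RFC 5398 doc range) are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    """asn may originate prefix and any more-specific up to max_length (RFC 6482)."""
    prefix: str
    max_length: int
    asn: int

    def covers(self, route: str) -> bool:
        net, roa_net = ipaddress.ip_network(route), ipaddress.ip_network(self.prefix)
        return net.version == roa_net.version and net.subnet_of(roa_net)

    def matches(self, route: str, origin_asn: int) -> bool:
        return (self.covers(route)
                and ipaddress.ip_network(route).prefixlen <= self.max_length
                and origin_asn == self.asn)

def validate_route(route: str, origin_asn: int, roas) -> str:
    """NotFound if no ROA covers the route, Valid if a covering ROA matches
    the origin AS within maxLength, otherwise Invalid (RFC 6811, section 2)."""
    covering = [r for r in roas if r.covers(route)]
    if not covering:
        return "NotFound"   # rcynic and most validators display this as "unknown"
    if any(r.matches(route, origin_asn) for r in covering):
        return "Valid"
    return "Invalid"        # covered, but wrong origin AS or too specific

def validate_table(announcements, roas):
    """Map each (prefix, origin_asn) announcement to its validation state."""
    return {(p, a): validate_route(p, a, roas) for p, a in announcements}

# Constructed ROA set, as a validator would feed it to the router over RTR.
ROAS = [ROA("192.0.2.0/24", 24, 64496), ROA("198.51.100.0/22", 24, 64497)]
# Constructed BGP announcements: (prefix, origin AS).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate origin              -> Valid
    ("192.0.2.0/24", 64511),     # foreign origin (hijack)        -> Invalid
    ("198.51.100.0/23", 64497),  # more specific within maxLength -> Valid
    ("198.51.100.0/25", 64497),  # exceeds maxLength              -> Invalid
    ("203.0.113.0/24", 64496),   # no ROA published               -> NotFound
]

if __name__ == "__main__":
    for (prefix, asn), state in validate_table(ANNOUNCEMENTS, ROAS).items():
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

Routers act on these states through local policy, typically dropping or depreferencing Invalid routes while accepting NotFound ones, which is why a missing TAL (everything becomes NotFound) silently disables the protection.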

Articles

RPKI Rcynic Labs

To help with Resource Public Key Infrastructure (RPKI) adoption, the GT-RNOC has developed introductory labs that walk through implementing RPKI with the Dragon Research Labs Rcynic validator software in different configurations and environments. There are three sets of instructions, each building on the previous one, to implement different RPKI architectures. All of the labs run within GENI (Global Environment for Network Innovations), a network simulation environment.

Juniper Route Origin Validation (RPKI) Setup

Basic setup instructions for configuring route origin validation (RPKI) on Juniper routers. These instructions establish a basic session between the RPKI-capable router and your RPKI server running the RIPE RPKI Validator, the Rcynic RPKI tool suite, or another RPKI server of your choosing.

RPKI.net Tool Rcynic: What to do if routes show up incorrectly as valid, invalid, or unknown:

Sometimes routes appear as invalid or unknown when they should appear as valid. This happens when the rcynic installation is misconfigured in some way. Two common causes concern the Trust Anchor Locators (TALs) and the permissions on the rcynic directories. A TAL may be missing, in the wrong format, or have incorrect contents. As for permissions, rcynic may have been run manually under sudo, creating files and directories owned by root:root that the rcynic agent can no longer read or modify. Both issues can be identified quickly and remedied with relative ease once the problem has been found.