19 May 2022

How IPXO Adopted RPKI  

The Resource Public Key Infrastructure is an essential security framework that ensures safe routing. Learn how IPXO has implemented RPKI at the IPXO Marketplace.

Malicious actors are becoming increasingly sophisticated in how they scam internet users and companies to extract sensitive data. IPXO has taken the initiative to approach this issue by implementing the Resource Public Key Infrastructure (RPKI) – a system of cryptographic certificates that contributes to safer internet routing. IPXO RPKI acts as an additional protective layer within the IPXO Marketplace, the world’s first fully automated IP address lease platform. 

How does IPXO RPKI contribute to a safer internet? How does IPXO guarantee that only legitimate IPv4 resources are put up for lease? We have answered these questions in this guide. But first, let’s review how RPKI supports the security of the internet ecosystem. 

RPKI is a relatively new model that the Internet Engineering Task Force (IETF) standardized in 2008. The infrastructure emerged as a response to the need for more secure internet routing. In simple terms, RPKI uses certificates to verify that only legitimate IP holders use IP addresses. 

RPKI has been gaining momentum in recent years due to the growing number of cyberattacks targeted at both businesses and individuals. Internet service providers (ISPs) and other IP resource holders are crucial players in making the routing more secure and preventing malicious acts. Naturally, they are the ones initiating the implementation of RPKI to mitigate route leaks and protect the end users’ data. 

Large ISPs have already started adopting RPKI more actively. For example, Hurricane Electric did that back in 2020. Cloud providers, streaming services and other companies are following suit. Google has even managed to register 99% of routes in the RPKI. As a result of wider RPKI adoption, by January 2022, RIPE NCC reported a 26% increase in RPKI certificate numbers compared to 2020 data.

RIPE NCC reported a 26% growth in RPKI certificates during 2021

We can expect this percentage to continue climbing as the list of companies adopting RPKI is constantly growing. Without a doubt, the more industry players start deploying RPKI, the safer the internet will be. 

IPXO has also contributed to safer network routing by successfully implementing RPKI in the IPXO Marketplace. How does that work? RPKI validates that only legitimate IP resource holders add their resources to the Marketplace. 

RPKI is the way to secure BGP routing 

The Border Gateway Protocol (BGP) is the default protocol used by routers to enable data routing on the internet. BGP finds the fastest route for the data to reach its destination, which involves choosing between autonomous systems.

BGP was originally developed as a trust-based protocol without built-in security measures. This means that network operators are forced to trust each other to secure their systems. Also, autonomous systems have to trust the routes that are shared with them without checking if the provided paths are safe. 

Unfortunately, the lack of protection measures can lead to BGP hijacking. This is a sophisticated malicious attack, during which internet traffic is redirected via illegitimate routes. Of course, not all routing redirections are malicious. Sometimes, network operators might accidentally make configuration errors and cause network outages. 

In the case of BGP hijacking, attackers attempt to redirect unsuspecting users to fake websites and potentially steal their credentials and even money. For example, during a large-scale attack reported on February 3, 2022, hackers stole around $1.9 million from the South Korean cryptocurrency platform KLAYswap.

Fortunately, RPKI can strengthen the security of BGP routing and prevent malicious acts. RPKI verifies the association between specific IP addresses or autonomous system numbers (ASNs) and the resource holders. Specifically, RPKI uses Route Origin Authorization (ROA) certificates to verify the origin of the route announcements made by the resource holders. 

At IPXO, we have implemented RPKI to verify the resource holders and mitigate the risk of route hijacking. RPKI certificates ensure that IP lessees who join the IPXO Marketplace can acquire valid IP resources held by verified IP holders. 

IPXO is implementing managed RPKI 

Managed RPKI, or delegated RPKI, is a feature that enables clients who monetize IP addresses via the IPXO Marketplace to assign the management rights to IPXO. After the successful reassignment, IPXO, as an RIR-delegated certificate authority, can manage clients’ RPKI. 

However, a subnet holder may not necessarily manage RPKI themselves. In that case, they must sign the Registration Services Agreement (RSA), or Legacy Registration Services Agreement (Legacy RSA or LRSA), with the specific RIR for the resources they want to certify. 

If a subnet holder has already configured RPKI management and wants to manage it at IPXO, they can contact the Product Support team to delegate it to IPXO. Soon, we will be able to offer the automated RPKI delegation functionality to our clients via the IPXO Portal. 

Currently, when IPXO receives a request to lease a subnet and the lessee requests an ROA certificate, our Product Support team contacts the subnet holder. The holder creates an ROA specifying the ASN and verifying the ownership of the resources. Then, the team can make other configurations to allow lessees to use the subnet. Note that the delegation and configuration processes may take several days. 

Our goal is to automate the RPKI delegation process to make the work of the IPXO Product Support team more efficient. This will ensure that when the client requests RPKI with their subnet, the team will not need to contact the subnet holder to obtain RPKI management rights. 

Eventually, subnet holders will be able to automatically delegate RPKI management to IPXO without contacting us. At the same time, lessees will be able to obtain certificates automatically and use the resources quicker. 

Automated LOA and ROA increase efficiency 

IPXO can issue two types of documents for IP lessees. One of them is the Letter of Authorization (LOA), which allows the use of leased IP addresses. LOA is issued after the IP lessee rents a subnet.  

IPXO issues LOA documents for lessees automatically. Before uploading a subnet to the Marketplace, the lessor signs a contract with IPXO so that we can issue the document for the lessee on their behalf. This automated process simplifies the work for the Product Support team. Also, the client can receive the LOA and start using the leased resources much quicker. 

You are already familiar with the second type of certification that IPXO issues to IP lessees – Route Origin Authorization. ROA is a statement verifying that an autonomous system can use a particular IP address prefix for routing. ROAs contain several critical routing parameters: origin ASN, prefix and maximum length. Based on the ROA information, network operators can further evaluate if routes are safe and, consequently, prevent BGP hijacking. 
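
How a network operator can use the three ROA parameters above (origin ASN, prefix and maximum length) to classify a route announcement, following the route origin validation procedure of RFC 6811. This is an added example, not IPXO's code; the ROAs and announcements are constructed from documentation prefixes and ASNs, and the names `ROA`, `SAMPLE_ROAS` and `validate` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str        # IP prefix the holder authorizes
    max_length: int    # longest prefix length that may be announced
    origin_asn: int    # AS allowed to originate the prefix (0 = nobody)

# Constructed sample ROAs using documentation prefixes and ASNs.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64497),
    ROA("203.0.113.0/24", 24, 0),  # AS0 ROA: prefix must not be routed
]

def validate(route_prefix, origin_asn, roas=SAMPLE_ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route if the route equals or sits inside its prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the right origin AS and a length within max_length.
        if (roa.origin_asn != 0 and roa.origin_asn == origin_asn
                and route.prefixlen <= roa.max_length):
            return "valid"
    # Covered by a ROA but matched by none: likely hijack or misconfiguration.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    # Constructed announcements as (prefix, origin AS) pairs.
    for prefix, asn in [
        ("192.0.2.0/24", 64496),     # authorized origin and length
        ("192.0.2.0/24", 64511),     # wrong origin AS
        ("192.0.2.128/25", 64496),   # more specific than max_length
        ("198.51.100.0/24", 64496),  # no ROA covers this prefix
    ]:
        print(f"{prefix} from AS{asn}: {validate(prefix, asn)}")
```

The `/25` case shows why the maximum length matters: without it, a more specific announcement of part of the authorized prefix would be accepted and win on longest-prefix match.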

IPXO plans to automate the ROA assignment process. This will make IP address leasing more efficient and allow lessees to use the resources without significant waiting time.  

Automated RPKI: The future of safer and more efficient IP leasing 

Today’s internet is a global system of tightly interconnected networks that communicate together with the help of the Border Gateway Protocol. However, BGP has security flaws that may hinder the stability and security of the internet ecosystem. 

Fortunately, RPKI can support the networks’ security and help avert wide-scale cyberattacks. Large ISPs are already actively adopting RPKI to make routing safer for businesses and individual internet users. 

IPXO, as an integral player in the IP address lease market, has also implemented RPKI into the IPXO Marketplace – the automated IP lease and monetization platform. RPKI allows certifying the leased resources, thereby ensuring that lessees are paying for legitimate IP addresses. Currently, our clients can request IPXO Product Support to issue ROA certificates. 

Our ultimate goal is to automate the RPKI delegation process and simplify the resource management for both clients and the IPXO Product Support team. Soon, subnet holders will be able to delegate RPKI management to save time on manual arrangements. Simultaneously, IP lessees will be able to issue ROAs on the IPXO platform themselves and start using the leased IP addresses immediately.  

If your company needs IP addresses from vetted IP holders, register an account at IPXO and start leasing instantly.