How IPXO Adopted RPKI

6 min read
16 October 2024

The Resource Public Key Infrastructure is an essential security framework that ensures safe routing. Learn how IPXO has implemented RPKI at the IPXO Marketplace.

RPKI certificate with a key.

Quick Learnings:

  • Resource Public Key Infrastructure (RPKI) validates the legitimacy of IP resource holders, preventing BGP hijacking and ensuring safer internet routing. 
  • IPXO has implemented RPKI in its automated IP address leasing platform, ensuring only verified IP holders can lease IPs, reducing the risk of route hijacking. 
  • IPXO plans to automate RPKI delegation and Route Origin Authorization (ROA) issuance, enabling faster, more secure leasing processes. 

Malicious actors are becoming increasingly sophisticated in how they scam internet users and companies to extract sensitive data. IPXO has taken the initiative to approach this issue by implementing the Resource Public Key Infrastructure (RPKI) – a system of cryptographic certificates that contributes to safer internet routing. IPXO RPKI acts as an additional protective layer within the IPXO Marketplace, the world’s first fully automated IP address lease platform.  

How does IPXO RPKI contribute to a safer internet? How does IPXO guarantee that only legitimate IPv4 resources are put up for lease? We have answered these questions in this guide. But first, let’s review how RPKI supports the security of the internet ecosystem.

RPKI is a relatively new model that the Internet Engineering Task Force (IETF) standardized in 2008. The infrastructure emerged as a response to the need for more secure internet routing. In simple terms, RPKI uses certificates to verify that only legitimate IP holders use IP addresses.  

RPKI has been gaining momentum in recent years due to the growing number of cyberattacks targeted at both businesses and individuals. Internet service providers (ISPs) and other IP resource holders are crucial players in making the routing more secure and preventing malicious acts. Naturally, they are the ones initiating the implementation of RPKI to mitigate route leaks and protect the end users’ data.

Large ISPs have already started adopting RPKI more actively. For example, Hurricane Electric did that back in 2020. Cloud providers, streaming services and other companies are following suit. For example, Google has even managed to register 99% of routes in the RPKI. As a result of wider RPKI adoption, by January 2022, RIPE NCC reported a 26% increase in RPKI certificate numbers compared to 2020 data.

An upward graph indicating an increasing number of RPKI certificates.
RIPE NCC reported a 26% growth in RPKI certificates during 2021

We can expect this percentage to continue climbing as the list of companies adopting RPKI is constantly growing. Without a doubt, the more industry players start deploying RPKI, the safer the internet will be.

IPXO has also contributed to safer network routing by successfully implementing RPKI in the IPXO Marketplace. How does that work? RPKI validates that only legitimate IP resource holders add them to the Marketplace.

RPKI Is the Way to Secure BGP Routing

The Border Gateway Protocol (BGP) is a default protocol used by routers to enable data routing on the internet. BGP finds the fastest route for the data to reach its destination, which involves choosing between autonomous systems.  

BGP was originally developed as a trust-based protocol without built-in security measures. This means that network operators are forced to trust each other to secure their systems. Also, autonomous systems have to trust the routes that are shared with them without checking if the provided paths are safe.  

Unfortunately, the lack of protection measures can lead to BGP hijacking. This is a sophisticated malicious attack, during which internet traffic is redirected via illegitimate routes. Of course, not all routing redirections are malicious. Sometimes, network operators might accidentally make configuration errors and cause network outages.  

In the case of BGP hijacking, attackers attempt to redirect unsuspecting users to fake websites and potentially steal their credentials and even money. For example, during a large-scale attack reported on February 3, 2022, hackers stole around $1.9 million from a South Korean cryptocurrency platform KLAYswap.   

Fortunately, RPKI can encourage the security of BGP routing and prevent malicious acts. RPKI verifies the association between specific IP addresses or autonomous system numbers (ASNs) and the resource holders. Specifically, RPKI uses Route Origin Authorization (ROA) certificates to verify the origin of the route announcements made by the resource holders.  

At IPXO, we have implemented RPKI to verify the resource holders and mitigate the risk of route hijacking. RPKI certificates ensure that IP lessees who join the IPXO Marketplace can acquire valid IP resources held by verified IP holders.

IPXO Is Implementing Managed RPKI

Managed RPKI, or delegated RPKI, is a feature that enables clients who monetize IP addresses via the IPXO Marketplace to assign the management rights to IPXO. After the successful reassignment, IPXO, as an RIR-delegated certificate authority, can manage clients’ RPKI.  

However, a subnet holder may not necessarily manage RPKI themselves. In that case, they must sign the Registration Services Agreement (RSA), or Legacy Registration Services Agreement (Legacy RSA or LRSA), with the specific RIR for the resources they want to certify.  

A paper showing Legacy Registration Services Agreement.
Legacy Registration Services Agreement

If a subnet holder has already configured RPKI management and wants to manage it at IPXO, they can contact the Product Support team to delegate it to IPXO. It’s a long-term goal to eventually provide our clients with automated RPKI delegation functionality through the IPXO Portal. 

When IPXO receives a request to lease a subnet, and the lessee needs an ROA certificate, our Product Support team works with the subnet holder. The holder creates an ROA that proves ownership and specifies the ASN. Then, the team makes additional configurations so the lessee can use the subnet. If the subnet doesn’t have RPKI delegation, this process might take a few days. However, for most subnets with RPKI delegation, the ROA is issued automatically, making the process more efficient. 

Our long-term goal is to automate the RPKI delegation process to make the work of the IPXO Product Support team more efficient. This will ensure that when the client requests RPKI with their subnet, the team will not need to contact the subnet holder to obtain RPKI management rights.  

Eventually, subnet holders will be able to automatically delegate RPKI management to IPXO without contacting us. At the same time, lessees will be able to obtain certificates automatically and use the resources quicker. 

Automated LOA and ROA Increase Efficiency

IPXO can issue two types of documents for IP lessees. One of them is the Letter of Authorization (LOA), which allows the use of leased IP addresses. LOA is issued after the IP lessee rents a subnet. 

An envelope with a Letter of Authorization agreement.
Letter of Authorization (LoA)

IPXO issues LOA documents for lessees automatically. Before uploading a subnet to the Marketplace, the lessor signs a contract with IPXO so that we could issue the document for the lessee on their behalf. This automated process simplifies the work for the Product Support team. Also, the client can receive LOA and start using the leased resources much quicker.  

You are already familiar with the second type of certification that IPXO issues to IP lessees – Route Origin Authorization. ROA is a statement verifying that an autonomous system can use a particular IP address prefix for routing. ROAs contain several critical routing parameters: origin ASN, prefix and maximum length. Based on the ROA information, network operators can further evaluate if routes are safe and, consequently, prevent BGP hijacking.  

IPXO plans to automate the ROA assignment process. This will make IP address leasing more efficient and allow lessees to use the resources without significant waiting time.   

Automated RPKI: The Future of Safer and More Efficient IP Leasing

Today’s internet is a global system of tightly interconnected networks that communicate together with the help of the Border Gateway Protocol. However, BGP has security flaws that may hinder the stability and security of the internet ecosystem.  

Fortunately, RPKI can support the networks’ security and help evade wide-scale cyberattacks. Large ISPs are already actively adopting RPKI to make routing safer for businesses and individual internet users.  

As a key player in the IP address lease market, IPXO has integrated RPKI into its automated IP lease and monetization platform. RPKI certifies leased resources, ensuring that lessees are paying for legitimate IP addresses. If the IP holder has delegated RPKI to IPXO, the ROA is issued automatically, eliminating the need for manual requests. This automated solution streamlines the process and ensures seamless certification of resources. 

Our long-term objective involves streamlining the RPKI delegation process and enhancing resource management efficiency for clients as well as the IPXO Product Support team. In the future, we plan to enable subnet holders to delegate RPKI management, thereby reducing the need for time-consuming manual processes. Simultaneously, IP lessees will be able to issue ROAs on the IPXO platform themselves and start using the leased IP addresses immediately.   

Need IP addresses from vetted IP holders?
IPXO Marketplace is the place!

Conclusion

The adoption of RPKI by IPXO marks a significant step toward enhancing internet security, particularly within the IP address leasing market.

By implementing RPKI, IPXO ensures that only verified and legitimate IP resource holders can lease addresses through its platform, effectively reducing the risk of BGP hijacking and other malicious routing activities. Additionally, the automation of RPKI delegation and ROA issuance will streamline the leasing process, enabling faster, more secure transactions for both IP holders and lessees. As RPKI becomes increasingly prevalent across the industry, IPXO’s commitment to adopting and automating this critical security framework positions the company as a leader in safeguarding network integrity and efficiency.

Looking ahead, IPXO’s plans to further automate and refine its RPKI processes will contribute to a safer, more efficient, and secure internet ecosystem for all.

FAQ

What is RPKI, and why is it important?

RPKI (Resource Public Key Infrastructure) is a security framework that verifies IP address ownership using cryptographic certificates. It prevents malicious routing activities like BGP hijacking, contributing to safer internet routing. 

How does IPXO use RPKI?
What is BGP hijacking, and how does RPKI prevent it?
What is the difference between LOA and ROA at IPXO?
What are IPXO’s future plans for RPKI?

About the author

Jolita Puzakova

Content Writer

Jolita is a Content Writer at IPXO. She uses her tech and e-commerce know-how to create SEO, PR, and creative content. Jolita's interest in psychology helps her understand people, while her writing skills help people understand tech. This mix allows her to turn tricky tech ideas into clear, easy-to-read content for IPXO's readers.
Table of contents

Related reading

Gustavas Davidavicius, Customer Solutions Engineer at IPXO

How IPXO Handles Abuse: Ensuring a Secure and Trusted Marketplace 

Discover how IPXO's robust abuse management strategies ensure a secure and trustworthy IP address marketplace by preventing, detecting, and mitigating potential threats.

Read more
A featured image for an article SPAM remains one of the most prevalent abuse cases across all industries. How did IPXO tackle this persistent threat with their three-fold approach?

IPXO’s Innovative Approach to Combating SPAM: Lessons for All Industries 

SPAM remains one of the most prevalent abuse cases across all industries. How did IPXO tackle this persistent threat with their three-fold approach?

Read more
IPXO logo next to the words 2022 wrap-up.
14 December 2022   •   Behind the Scenes, IPXO Solutions and Company

2022 IPXO Highlights: Accomplishments and Milestones 

Let's take a look back at 2022 and what IPXO accomplished in one short year.

Read more

Subscribe to the IPXO email and don’t miss any news!