18 November 2021 | 5 min read

What Is RPKI? Resource Public Key Infrastructure For Beginners

Here's all you need to know about the Resource Public Key Infrastructure, how it works and where to use it.

What is RPKI?

Resource Public Key Infrastructure (RPKI) is a cryptographic security framework. It works to prevent leaks and route hijacks for the internet’s routing infrastructure – Border Gateway Protocol (BGP). RPKI maps internet number resources (IP addresses and autonomous system numbers) to their legitimate resource holder. 

Since the early days of internet development, we relied on a transitive trust model. According to this model, everyone agrees to route packets via the path advertised and not to maliciously change someone else’s routes. 

This trust-based model has served well in the past. Unfortunately, the exponential growth of the internet and the increased number of cyberattacks exposed the weaknesses of this model. 

The Internet Engineering Task Force (IETF) acknowledged the rising security concern and developed the RPKI framework to secure BGP routing infrastructure. However, it is still scarcely implemented. 

This article explains why RPKI plays a crucial role in securing the internet routing system and why it’s necessary to deploy it.

What is BGP?

Border Gateway Protocol is an essential routing protocol responsible for directing IP packets between autonomous systems. Whenever someone submits data on the internet, BGP makes routing decisions by reflecting on all available paths, local routing policies or rulesets configured by network operators. If the chosen path goes down, BGP swiftly finds a new one to ensure the network’s stability. 

BGP in the center between two autonomous systems.
BGP finds the best path between autonomous systems

Undeniably, BGP is the backbone of the internet. Without it, internet routers couldn’t communicate, and packets wouldn’t reach the specific IP address blocks within the AS.

To better understand how BGP works, it’s important to get familiar with autonomous systems and the IP address space. 

Autonomous system

An AS is a group of large networks that makes up the internet. A network or a group of networks owns an autonomous system, which a resource holder manages.

A single AS consists of numerous different subnetworks that share a common internet routing logic and routing policies. A routing policy consists of an IP space and other autonomous systems it can connect to. 

Address space

An IP address space is a range of IP address prefixes controlled by an AS. The IP address prefix identifies the network. Meanwhile, the prefix length specifies a range of devices within the same network. The prefix length can be expressed as a slash (/). For example, 192.0.2.1/24.

To identify autonomous systems, the Internet Assigned Numbers Authority (IANA) allocates each of them a unique 16-digit AS number (ASN).

IANA presents the autonomous system number in the AS(number) format. An ASN can be between 1 and 65534 or represent 32-bit numbers from 131072 to 4294967294. For example, IPXO’s ASN is AS834, and ​​Google’s is AS15169.

The sole purpose of an ASN is to communicate with other autonomous systems. With its help, the Border Gateway Protocol can quickly navigate between unique AS paths across the internet. 

Autonomous system numbers interconnected on a world map.
Autonomous system numbers help autonomous systems communicate

How does RPKI work? 

While BGP is efficient at path validation, it is notorious for its inability to validate the routing information by itself. That’s why the internet is highly unsafe. The lack of built-in security leaves BGP routing susceptible to attacks that can cause major outages or a route leak. 

Cybercriminals have already attempted to exploit this vulnerability many times. For instance, back in 2014, hackers used a BGP hijack to steal at least $83,000 worth of cryptocurrency

That’s where Resource Public Key Infrastructure comes in. As we mentioned before, RPKI is a framework that helps to secure the BGP routing infrastructure. It works by cryptographically verifying whether an AS legitimately originates its IP prefix announcement. 

The verification process involves two important parts: Route Origin Authorization (ROA) and Route Origin Validation (ROV).

ROA and ROV

Route Origin Authorization is a cryptographic certificate structure, also known as a public key, that can fix an address to an AS. ROAs contain a number of crucial routing parameters, such as origin ASN, prefix and maximum length. Certificate authorities generate ROAs, and resource holders usually run them.

Resource certificate authorities include the Internet Assigned Numbers Authority, Regional Internet Registries (RIR), Local Internet Registries (LIRs) or internet service providers (ISPs), depending on location in the RPKI hierarchy.

Each regional internet registry has a trust anchor that can specify the route to the verified routing data of a particular RPKI repository. A trust anchor is a file used to allow relying parties to retrieve RPKI data from a repository. 

Since RPKI data stands outside of BGP, network operators need to use Route Origin Validation to exchange information with RPKI architecture. An RPKI validator (relying party software) takes care of that. After RPKI extracts ROA data from every certificate authority, the RPKI validator presents it to the paired routers. It also handles all the crypto processing of the received data. 

Flow chart of RPKI validator extracting ROA data from RIR and sending it to router.
RPKI validator extracts ROA data from RIRs and presents it to routers

For routers to query RPKI validators, the lightweight protocol called RTR (RPKI to Router Protocol) gets involved. Essentially, it receives aggregated ROA data and then transfers it to the BGP.

Then, RTR compares a BGP route announcement with the collected data. If it appears invalid, the protocol rejects the announcement, stopping bad actors in their tracks.

Why should RPKI be used? 

The RPKI system solves several of BGP’s routing problems, such as initially distributed mistakes, human error (e.g., typos) and malicious agents. But RPKI’s primary focus is to provide the most efficient out-of-band BGP routing security currently available. 

For one, it plays a crucial role in preventing route hijacking. A route hijack is either a malicious or accidental unauthorized route origination, resulting in critical outages or fraudulent traffic manipulation.  

Furthermore, RPKI provides resource holders with proof of ownership to use and distribute resources through a signed resource certification.

But it’s not only the enterprises and other resource authorities who benefit from RPKI. Regular internet users do too. The framework can prevent personal data breaches and redirection to malicious sites.

Note that if you want to deploy RPKI to secure BGP, you must choose an ISP provider who implements RPKI validation. 

Conclusion

BGP, originally intended to work on a trust-based model, is extremely vulnerable to potential threats, including route leaks, hijacks and initially distributed mistakes. BGP lacks built-in security that could allow validating routing information by itself. 

To secure BGP, the Internet Engineering Task Force introduced the RPKI framework. It acts as an additional security layer and works by cryptographically verifying whether an AS legitimately originates its IP route announcements. 

RPKI benefits both IP resource holders and regular users by preventing outages caused by BGP hijacks or human error and personal data leaks. 

While this framework is the most efficient tool at securing internet routing, unfortunately, it is still scarcely implemented.