18 November 2021 | 6 min read | Ignas Anfalovas

What Is RPKI? Resource Public Key Infrastructure For Beginners

Here's all you need to know about the Resource Public Key Infrastructure, how it works and how to use it.


RPKI stands for Resource Public Key Infrastructure. In simple terms, it is a security framework that enables network operators to secure the routing infrastructure. In not so simple terms, it is a security framework that associates Internet Protocol address ranges with autonomous system numbers – IPs with ASNs – using cryptographic signatures to perform route origin validation.

What is RPKI used for specifically? To put it plainly, to prevent route hijacks and leaks within the internet’s routing infrastructure supported by the Border Gateway Protocol (BGP). The Internet Engineering Task Force (IETF) introduced the RPKI framework in 2012 with the goal of supporting secure internet routing, and Regional Internet Registries (RIRs) are instrumental in the process.

RIRs assign IPs and ASNs and issue certificates to legitimate IP address holders. A resource certificate is like a digital signature: with it, a holder can generate Route Origination Authorizations (ROAs) that permit autonomous systems to originate routes to one or more prefixes. Both certificates and ROAs are publicly accessible, which allows the creation of filters that BGP routers can use to validate prefix announcements.

Before we jump into the nitty-gritty of BGP, autonomous systems, RPKI and ROAs, let’s continue exploring internet number resources and how they are allocated.

Internet number resources and their allocation

As RPKI does not exist without IP addresses and AS numbers, it is important to understand the ins and outs of how these resources are allocated. Here’s a quick rundown.

The Internet Assigned Numbers Authority (IANA) is the central repository for all internet number resources. Lower in the hierarchy, we have Regional Internet Registries, which, as you now know, play the important role of assigning IP addresses and ASNs. But did you know Local Internet Registries (LIRs) are also in the picture? 

Figure: How internet number resources are allocated to resource holders (tree chart of how IANA splits the entire pool of IPv4 addresses)

Let’s explore the roles of RIRs and LIRs more closely. 

Regional Internet Registries

Five RIRs exist in total, and each Regional Internet Registry is responsible for a different geographical region: AFRINIC (Africa), APNIC (Asia-Pacific), ARIN (North America), LACNIC (Latin America and the Caribbean) and RIPE NCC (Europe, the Middle East and Central Asia).

RIRs allocate IPs and ASNs to resource holders according to strict rules and regulations, which were first implemented partly due to the poor management of the same resources in the early days of the internet, before the emergence of RIRs. Today, IANA has no more resources to allocate, and RIRs are responsible for managing what’s left of the 4.29 billion IPv4 address pool.

That said, RIRs do not allocate resources to an end user (i.e., a resource holder). LIRs are, in fact, the ones responsible for allocating resources to actual internet users.

Local Internet Registries

A Local Internet Registry is an organization that an RIR approves to provide services in its region. In many cases, that is an internet service provider (ISP), an educational institution or another trusted organization that has LIR status and can allocate internet number resources.

IPXO has the LIR status and is a member of RIPE NCC, which enables us to provide managed LIR services in the region. We will soon provide delegated RPKI services to ensure effective BGP management too. But what exactly is BGP?

What is BGP?

The Border Gateway Protocol is an essential routing protocol responsible for directing IP packets between autonomous systems. Whenever someone sends data across the internet, BGP makes routing decisions by weighing all available paths against the local routing policies or rulesets configured by network operators. If the chosen path goes down, BGP swiftly finds a new one to keep the network stable.

Figure: BGP finds the best path between autonomous systems (BGP shown in the center between two autonomous systems)

Undeniably, BGP is the backbone of the internet. Without it, internet routers couldn’t communicate, and packets wouldn’t reach the specific IP address blocks within the AS.

To better understand how BGP works, it’s important to get familiar with autonomous systems and the IP address space. 

Autonomous system

An AS is one of the large networks, or groups of networks, that together make up the internet. A network or a group of networks owns an autonomous system, which a resource holder manages.

A single AS consists of numerous different subnetworks that share a common internet routing logic and routing policies. A routing policy consists of an IP space and other autonomous systems it can connect to.

Address space

An IP address space is a range of IP address prefixes controlled by an AS. The IP address prefix identifies the network. Meanwhile, the prefix length specifies a range of devices within the same network. The prefix length is written after a slash (/). For example, 192.0.2.1/24.

To identify autonomous systems, IANA allocates each of them a unique 16-bit AS number (ASN).

IANA presents the autonomous system number in the AS# format. An ASN can be between 1 and 65534 or represent 32-bit numbers from 131072 to 4294967294. For example, IPXO’s ASN is AS834, and Google’s is AS15169.

The sole purpose of an ASN is to communicate with other autonomous systems. With its help, the Border Gateway Protocol can quickly navigate between unique AS paths across the internet. 

Figure: Autonomous system numbers help autonomous systems communicate (autonomous system numbers interconnected on a world map)

How does RPKI work? 

While BGP is efficient at path validation, it is notorious for its inability to validate the routing information by itself. That’s why the internet is highly unsafe. The lack of built-in security leaves BGP routing susceptible to attacks that can cause major outages or a route leak. 

Cybercriminals have already attempted to exploit this vulnerability many times. For instance, back in 2014, hackers used a BGP hijack to steal at least $83,000 worth of cryptocurrency.

That’s where RPKI comes in. As we mentioned before, RPKI is a framework that helps to secure BGP routing infrastructure. It works by cryptographically verifying whether an AS legitimately originates its IP prefix announcement. 

The verification process involves two important parts: Route Origin Authorization (ROA) and Route Origin Validation (ROV).

ROA and ROV

Route Origin Authorization is a cryptographically signed certificate structure, associated with a public key, that ties an address prefix to an AS. In this certificate structure, the public key is one half of a key pair whose other half is the private key used to sign the ROA.

ROAs contain a number of crucial routing parameters, such as the origin ASN, the specific prefix and the maximum length. Certificate authorities (CAs or trust anchors) generate ROAs, and resource holders usually operate them.

Resource certification authorities include the Internet Assigned Numbers Authority, Regional Internet Registries, Local Internet Registries or internet service providers, depending on the RPKI hierarchy.

Each regional internet registry has a trust anchor that can specify the route to the verified routing data of a particular RPKI repository. A trust anchor is a file that allows relying parties to retrieve RPKI data from the RPKI repository. 

Since RPKI data stands outside of BGP, network operators need to use Route Origin Validation to exchange information with the RPKI architecture. An RPKI validator (relying party software) takes care of that. After the validator extracts ROA data from every CA, it presents that data to the paired routers. Validators also handle all the cryptographic processing of the received data.

Figure: RPKI validator extracts ROA data from RIRs and presents it to routers (flow chart of the validator extracting ROA data from an RIR and sending it to a router)

For routers to query RPKI validators, a lightweight protocol called RTR (RPKI-to-Router Protocol) gets involved. Essentially, it receives aggregated ROA data and then transfers it to BGP.

Then, each BGP route announcement is compared with the collected data. If it appears invalid, the announcement is rejected, stopping bad actors in their tracks.
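The comparison described above is the origin validation procedure of RFC 6811. The following is an added example, not code from the article or from IPXO: it runs that procedure in Python over a constructed ROA set (documentation prefixes, documentation ASNs 64496, 64497 and 64500) and a constructed list of origin announcements, returning the three RPKI states a router can assign.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str      # address range the ROA covers, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the origin AS may announce
    origin_asn: int  # AS authorised to originate the prefix

# Constructed sample ROAs (documentation prefixes and ASNs, not real data).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64496),
    ROA("2001:db8::/32", 48, 64497),
]

def validate(announced_prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not_found' for one origin announcement."""
    route = ipaddress.ip_network(announced_prefix)  # raises on malformed input
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route only within the same address family and only
        # if the route equals the ROA prefix or is a more specific of it.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA matches when the origin AS is right AND the announced
        # length does not exceed maxLength; one match is enough for 'valid'.
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but matched by none: 'invalid' (hijack, leak or typo).
    # Not covered by any ROA: 'not_found', i.e. space nobody has protected yet.
    return "invalid" if covered else "not_found"

# Constructed sample BGP origin announcements: (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),    # legitimate origin
    ("192.0.2.0/25", 64496),    # more specific than maxLength allows
    ("192.0.2.0/24", 64500),    # wrong origin AS: a hijack or a typo
    ("203.0.113.0/24", 64496),  # no ROA covers this prefix
]

def accepted_routes(announcements, roas=ROAS):
    """Apply the usual policy: drop 'invalid', keep 'valid' and 'not_found'."""
    return [(p, asn) for p, asn in announcements
            if validate(p, asn, roas) != "invalid"]
```

Note that 'not_found' routes are normally still accepted, which is why the article stresses that RPKI only protects prefixes whose holders have actually published ROAs.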

Why should RPKI be used? 

The RPKI system solves several of BGP’s routing problems, such as initially distributed mistakes, human error (e.g., typos) and malicious agents. But RPKI’s primary focus is to provide the most efficient out-of-band BGP routing security currently available. 

For one, it plays a crucial role in preventing route hijacking. A route hijack is either a malicious or accidental unauthorized route origination, resulting in critical outages or fraudulent traffic manipulation.  

Furthermore, RPKI provides resource holders with proof of ownership to use and distribute resources through a signed resource certification.

But it’s not only the enterprises and other resource authorities who benefit from RPKI. Regular internet users do too. The framework can prevent personal data breaches and redirection to malicious sites.

Note that if you want RPKI deployed to secure BGP, you must choose an ISP that implements RPKI validation.

Conclusion

BGP, originally intended to work on a trust-based model, is extremely vulnerable to potential threats, including route leaks, hijacks and initially distributed mistakes. That is because BGP lacks built-in security that could allow it to validate routing information by itself.

To secure BGP, the Internet Engineering Task Force introduced the Resource Public Key Infrastructure (RPKI) framework. It acts as an additional security layer and ensures that all resources are validated cryptographically by verifying whether an AS legitimately originates its IP route announcements. 

So, is RPKI important? Undeniably, RPKI benefits both IP resource holders and regular internet users by preventing outages caused by BGP hijacks or human error and personal data leaks. 

While the RPKI framework is the most efficient tool at securing internet routing, unfortunately, it is still scarcely implemented. 

About the author

Ignas Anfalovas

Platform Engineering Manager

Ignas is a Platform Engineering Manager at IPXO with more than 7 years of experience in the IT sector. His expertise includes network design solutions and infrastructure maintenance. After working hours, you will find Ignas in Lithuanian folk-dance classes.