RPKI + ROA

XioNoX


A few weeks ago, Mozilla started using RPKI+ROA; here is a quick introduction.

RPKI (Resource Public Key Infrastructure) is a first step towards securing BGP (the routing protocol used on the Internet). It allows certifying (and verifying) that a prefix is advertised by the right AS (in other words, that an IP address points to its legitimate owner), in order to prevent prefix hijacking (usually a misconfiguration, but it can also be used in attacks), like the Pakistan Telecom / YouTube story.

Based on that information (route valid/invalid/unknown), the router acts as configured, which is usually to lower the priority of the invalid route so that the genuine route is used (so nothing breaks if a ROA is misconfigured or expired).

Like DNSSEC, RPKI is made of 2 parts, the signing and the verification. The former is possible for us through ARIN (our RIR); the latter is possible with Juniper since JunOS v12.2.

How it works (in our case, but it seems to be similar with RIPE and probably the other RIRs) is quite straightforward:

  1. Generate a public/private key pair,
  2. Communicate the public key to ARIN,
  3. Write a ROA (Route Origination Authorization)
    • It’s basically a statement saying “I allow AS#x to advertise routes y and z”
  4. Sign it with our private key,
  5. Send the signed ROA request to ARIN,
  6. If everything is correct, ARIN will publish this ROA to its repository, publicly available to any validator

Steps 3 to 5 have to be done for each ASN, and before the ROAs expire.
Steps 2 to 6 can be done directly through ARIN’s website (step 4 is done on the client side using JavaScript).

By doing that, any entity validating the routes it receives will not be impacted (or will be less impacted) if another AS advertises a prefix of the same size as, or smaller than, ours.

Probably later this year, we will deploy the validator, which is made of 2 devices: the router and the validator itself. So as not to overload the router, the validator (called the RTR server) is in charge of downloading the ROAs located in the RIRs’ repositories and telling the router (the RTR client) whether an AS has the right to advertise a route. Then, as said earlier, the router decides what to do. That validator is usually a regular server installed in the same POP as the router.
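To make the ROA statement from the steps above and the validator's verdict concrete, here is an added example (not code from the original post, and not ARIN's or any validator's software) of route origin validation as RFC 6811 defines it: each ROA is a (prefix, maxLength, ASN) triple, and a received route is classified as valid, invalid or unknown; a small policy function then applies the "demote, don't drop" behaviour the post describes. All prefixes and AS numbers below are constructed from documentation ranges and are not real ROAs.

```python
# Added example: RFC 6811 origin validation over a constructed ROA set.
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import List, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Net       # the address block the ROA covers
    max_length: int   # longest prefix the ASN may announce inside that block
    asn: int          # the AS authorized to originate it (0 means "nobody")


def roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting a maxLength outside the sensible range."""
    net = ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must be between the prefix length and the address size")
    return ROA(net, max_length, asn)


def covers(r: ROA, route: Net) -> bool:
    """A ROA covers a route when the route lies inside the ROA's prefix."""
    return route.version == r.prefix.version and route.subnet_of(r.prefix)


def matches(r: ROA, route: Net, origin_asn: int) -> bool:
    """Covering ROA whose ASN is the origin and whose maxLength allows this length."""
    return covers(r, route) and r.asn == origin_asn and route.prefixlen <= r.max_length


def validate(roas: List[ROA], prefix: str, origin_asn: int) -> str:
    """RFC 6811: no covering ROA -> unknown; a matching one -> valid; else invalid."""
    route = ip_network(prefix)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "unknown"
    if any(matches(r, route, origin_asn) for r in covering):
        return "valid"
    return "invalid"


def local_pref(state: str, default: int = 100) -> int:
    """Policy from the post: lower an invalid route's priority rather than drop it,
    so an expired or misconfigured ROA cannot blackhole a legitimate prefix."""
    return default - 50 if state == "invalid" else default


# Constructed ROA set (TEST-NET prefixes and private AS numbers, not real data).
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 24, 64496),     # AS64496 may announce exactly the /24
    roa("2001:db8::/32", 48, 64496),    # AS64496 may announce the /32 down to /48s
    roa("203.0.113.0/24", 24, 0),       # AS0 ROA: nobody may originate this block
]

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64511), ("198.51.100.0/24", 64496),
                        ("2001:db8:1::/48", 64496), ("203.0.113.0/24", 64496)]:
        state = validate(SAMPLE_ROAS, prefix, asn)
        print(f"{prefix} from AS{asn}: {state} (local-pref {local_pref(state)})")
```

The `/25` case shows why maxLength matters: a ROA for the `/24` with maxLength 24 makes a more-specific announcement from the same AS invalid, which is exactly what protects against the "same size or smaller" hijack mentioned above. The AS0 entry shows how an address block can be marked as not routable by anyone.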

To continue the comparison with DNSSEC: right now we are signing our DNS zones, but our own name servers aren’t validating DNSSEC, while Comcast’s do.

You can easily check the status of a prefix using whois, for instance:

whois -h whois.bgpmon.net " --roa 53371 63.245.217.105/24"
whois -h whois.bgpmon.net 63.245.209.0

The returned code will be one of the following:

0 - ROA correct
1 - No ROA found
2 - ROA incorrect - will tell you what the error is

It’s so easy that nobody with a RIR account has a valid excuse to not start using it!

4 responses

  1. Alex Band wrote on:

    Thanks for setting this up and writing about it. I’d like to know which RPKI Validator software you are planning to use.

    1. XioNoX wrote on:

      Not yet, we will look at that when our routers get updated to a version that supports validation.

  2. Bryan wrote on:

    As someone who worked on RPKI it makes me smile that you found it easy to use. I worked with the team and we put a lot of hard work into making a very complex system manageable. We also tried to provide better than usual documentation given the complexity.

    I have some detailed documentation on my website if you’d like a more thorough walk through RPKI.

    One minor point about your post is that only ARIN and not the other RIRs require you to sign your ROA requests. At least the last I saw, Alex could correct me if that has changed at RIPE.

    Feel free to contact me if you want to talk more RPKI or BGPSec.
    I’m giving a talk on both in Reston, VA on January 23, 2013. Details can be found at blog.cobenian.com.

    Finally, I wrote an RPKI browser that enables you to view files in a published repository. It can be found at rpki.cobenian.com. It is very basic right now, but if the community finds it useful I will add to it.

    1. XioNoX wrote on:

      I started by reading articles around the Internet before checking ARIN’s website, and I can confirm that it simplifies the process a lot.
      Your blog post is interesting; I’d recommend it to anyone who wishes to learn more.
      I’m looking forward to testing BGPsec, and I won’t hesitate to contact you if I have any questions, thanks.