The RPKI is eventually coming
The security of interdomain routing has been an important operational problem for many years, and several BGP errors have affected the global Internet, including the famous AS7007 incident and the YouTube hijack. Many smaller BGP errors or misconfigurations occur regularly, as shown in a blog post by Andrei Robachevsky.
The Internet community has considered various solutions to secure the announcement of BGP routes. A first approach was S-BGP, which added cryptographic capabilities to the BGP protocol, but it was considered too complex to implement and deploy on routers. Over the years, the networking community adopted a more pragmatic approach, the RPKI. This approach is inspired by the success of using X.509 certificates to authenticate TLS servers. In the RPKI, the Regional Internet Registries that allocate blocks of IP addresses serve as certificate authorities that authorise a given AS to advertise a block of IP addresses that they have allocated to this AS. The technical details are defined in RFC5280 and RFC3779, but the RPKI Documentation is a much more readable document.
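How a router can use these authorisations, as an added example that is not part of the original post: it goes one step beyond the text and sketches the route origin validation procedure of RFC 6811, which classifies a BGP announcement against the validated (prefix, maximum length, origin AS) tuples derived from the RPKI. The `VRP` type, the `validate_origin` function and all prefixes and AS numbers (taken from the documentation ranges) are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """One validated authorisation: this AS may originate this prefix."""
    prefix: str
    max_length: int   # longest prefix length the AS may announce
    asn: int          # AS 0 means "nobody may originate this prefix"


# Constructed sample data using documentation prefixes and AS numbers.
VRPS = [
    VRP("198.51.100.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64497),
    VRP("192.0.2.0/24", 24, 0),
]


def validate_origin(prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        net = ipaddress.ip_network(vrp.prefix)
        # A VRP is relevant only if its prefix covers the announced one.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # Match: same origin AS (never AS 0) and not more specific
        # than the maximum length allows.
        if (vrp.asn != 0 and vrp.asn == origin_asn
                and route.prefixlen <= vrp.max_length):
            return "valid"
    # Covered but unmatched means a wrong origin or a too-specific prefix.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for pfx, asn in [("198.51.100.0/24", 64496),   # authorised origin
                     ("198.51.100.0/24", 64511),   # wrong origin AS
                     ("198.51.100.0/25", 64496),   # more specific than allowed
                     ("203.0.113.0/24", 64500)]:   # no authorisation exists
        print(f"{pfx} from AS{asn}: {validate_origin(pfx, asn)}")
```

A network that enforces the RPKI drops the announcements classified as invalid; not-found routes are normally still accepted, since most of the address space is not yet covered.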
A growing number of ISPs have deployed RPKI. The Netherlands leads with 93 different ASes in 2018. At RIPE78, Roland van Rijswijk-Deij presented a detailed overview of the evolution of the RPKI over almost the last decade, based on data collected by RIPE NCC. It will take some time to deploy the RPKI throughout the entire Internet, but deployment is progressing well.
One way to encourage the deployment of the RPKI is to use the RPKI web test to verify whether your ISP uses the RPKI. If not, do not hesitate to contact their customer support and ask them to deploy this useful technology. The networks that I use at home and at work do not yet use the RPKI, but I hope that this will change soon…
This blog post was written to inform the readers of Computer Networking : Principles, Protocols and Practice about the evolution of the field. You can subscribe to the Atom feed for this blog at https://obonaventure.github.io/cnp3blog/feed.xml.