Strengthening the Internet 13 June 2014

Resource Public Key Infrastructure (RPKI)

Securing BGPCurrently Border Gateway Protocol (BGP), the Internet’s core routing protocol, is susceptible to IP address hijacking attacks. Examples of this are when Pakistan accidentally blackholed all traffic to Youtube, and when traffic was rerouted through Belarus and Iceland in 2013. In response to these type of events, and to the continuing vulnerability in IP address hijacking, the IETF Secure Inter-Domain Routing (SIDR) working group developed the  Resource Public Key Infrastructure (RPKI).

Borrowing many concepts from other Public Key Infrastructure(PKI) implementations, RPKI establishes a hierarchy of trust for BGP routes. Currently, organizations receiving BGP routing updates simply trust that the organization they received the update from is authorized to send it. This is how bad actors and misconfigurations can cause massive traffic redirections. With BGP RPKI, the receiving organization will be able verify that the sending organization is authorized to send the routing update utilizing the RPKI hierarchy of trust.

Like other PKIs, RPKI uses x.509 certificates and a hierarchy of trust rooted at a trust anchor to ‘sign’ route updates. RFC 5280 specifies the usage of X.509 certificates for RPKI, and RFC 3779 defines the extensions to X.509 for IP addresses and Autonomous Systems(AS). However, unlike other PKIs, RPKI does not use Certificate Authorities as trust anchors. Instead RPKI uses Internet Assigned Numbers Authority(IANA) as the trust anchor, and Regional Internet Registries(RIR) as immediately subordinate nodes to that anchor. This not only alleviates load on the sole trust anchor, but increases security by distributing the signing authority by region.

For a more detailed look at BGP RPKI check out Geoff Huston’s and Randy Bush’s great introduction to the subject in the IETF journal.

The main RFCs defining RPKI are RFC 6810 and RFC 6811. In addition, here are other relevant RFCs relating to RPKI.
[table id=6 /]

For more information on Securing BGP, check out some of our other Securing BGP resources.

Related articles

Strengthening the Internet 9 March 2023

Homomorphic Encryption: What Is It, and Why Does It Matter?

Learn about the concept of homomorphic encryption, its practicalities and implications, in order to make smart choices about this...

Internet Way of Networking 14 February 2023

Internet Impact Brief: How Canada’s Online News Act Will Harm the Internet, Restricting Innovation, Security, and Growth of the Digital Economy

Read how Canada’s Online News Act contributes to fragmentation by undermining encryption and splintering the relationship and experiences of...

Strengthening the Internet 1 December 2022

Navigating Digital Sovereignty and Its Impact on the Internet

Dive into a study and learn about Digital Sovereignty and its Impact on the Internet around the world.