‹ Back
Strengthening the Internet 13 June 2014

Resource Public Key Infrastructure (RPKI)

Securing BGPCurrently Border Gateway Protocol (BGP), the Internet’s core routing protocol, is susceptible to IP address hijacking attacks. Examples of this are when Pakistan accidentally blackholed all traffic to Youtube, and when traffic was rerouted through Belarus and Iceland in 2013. In response to these type of events, and to the continuing vulnerability in IP address hijacking, the IETF Secure Inter-Domain Routing (SIDR) working group developed the  Resource Public Key Infrastructure (RPKI).

Borrowing many concepts from other Public Key Infrastructure(PKI) implementations, RPKI establishes a hierarchy of trust for BGP routes. Currently, organizations receiving BGP routing updates simply trust that the organization they received the update from is authorized to send it. This is how bad actors and misconfigurations can cause massive traffic redirections. With BGP RPKI, the receiving organization will be able verify that the sending organization is authorized to send the routing update utilizing the RPKI hierarchy of trust.

Like other PKIs, RPKI uses x.509 certificates and a hierarchy of trust rooted at a trust anchor to ‘sign’ route updates. RFC 5280 specifies the usage of X.509 certificates for RPKI, and RFC 3779 defines the extensions to X.509 for IP addresses and Autonomous Systems(AS). However, unlike other PKIs, RPKI does not use Certificate Authorities as trust anchors. Instead RPKI uses Internet Assigned Numbers Authority(IANA) as the trust anchor, and Regional Internet Registries(RIR) as immediately subordinate nodes to that anchor. This not only alleviates load on the sole trust anchor, but increases security by distributing the signing authority by region.

For a more detailed look at BGP RPKI check out Geoff Huston’s and Randy Bush’s great introduction to the subject in the IETF journal.

The main RFCs defining RPKI are RFC 6810 and RFC 6811. In addition, here are other relevant RFCs relating to RPKI.
[table id=6 /]

For more information on Securing BGP, check out some of our other Securing BGP resources.

‹ Back

Related articles

Strengthening the Internet 1 June 2022

Internet Impact Brief: India CERT-In Cybersecurity Directions 2022

Read how the draft regulation may affect Internet development in India, and more broadly, the health of the global...

Strengthening the Internet 12 May 2022

How To Protect the Internet from Becoming the Splinternet

The splinternet is the idea that the open, globally connected Internet we all use splinters into a collection...

Strengthening the Internet 11 May 2022

Internet Impact Brief: South Korea’s Interconnection Rules

Read how a series of enacted and proposed revisions of Telecommunications Business Act in South Korea affect further Internet...

Join the conversation with Internet Society members around the world