Securing Border Gateway Protocol (BGP) 13 June 2014

Resource Public Key Infrastructure (RPKI)

Securing BGP

Currently, Border Gateway Protocol (BGP), the Internet’s core routing protocol, is susceptible to IP address hijacking attacks. Examples of this are when Pakistan accidentally blackholed all traffic to YouTube, and when traffic was rerouted through Belarus and Iceland in 2013. In response to these types of events, and to the continuing vulnerability to IP address hijacking, the IETF Secure Inter-Domain Routing (SIDR) working group developed the Resource Public Key Infrastructure (RPKI).

Borrowing many concepts from other Public Key Infrastructure (PKI) implementations, RPKI establishes a hierarchy of trust for BGP routes. Currently, organizations receiving BGP routing updates simply trust that the organization they received the update from is authorized to send it. This is how bad actors and misconfigurations can cause massive traffic redirections. With BGP RPKI, the receiving organization will be able to verify, using the RPKI hierarchy of trust, that the sending organization is authorized to send the routing update.

Like other PKIs, RPKI uses X.509 certificates and a hierarchy of trust rooted at a trust anchor to ‘sign’ route updates. RFC 5280 specifies the usage of X.509 certificates for RPKI, and RFC 3779 defines the extensions to X.509 for IP addresses and Autonomous Systems (AS). However, unlike other PKIs, RPKI does not use Certificate Authorities as trust anchors. Instead, RPKI uses the Internet Assigned Numbers Authority (IANA) as the trust anchor, and the Regional Internet Registries (RIRs) as immediately subordinate nodes to that anchor. This not only alleviates load on the sole trust anchor, but increases security by distributing the signing authority by region.
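As an added example (not code from the original article), here is a minimal Python implementation of the route origin validation that RFC 6811 defines for a receiving router: each Route Origin Authorization (ROA) states which AS may originate a prefix and up to what prefix length; an announcement whose origin AS and prefix length match a covering ROA is valid, one covered by a ROA but not matching is invalid, and one with no covering ROA is not found. The prefixes and AS numbers below are constructed documentation values, and the ROA set is assumed to have already been fetched and cryptographically validated against the RPKI trust anchor.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the holder of `prefix` authorizes `asn`
    to originate it and any more-specific prefix up to `max_length`."""
    prefix: str
    asn: int
    max_length: int


# Constructed sample ROAs (RFC 5737/3849 prefixes, RFC 5398 AS numbers).
ROAS = [
    ROA("192.0.2.0/24", 64496, 24),       # exact /24 only
    ROA("198.51.100.0/24", 64496, 25),    # /24 and /25s allowed
    ROA("2001:db8::/32", 64497, 48),      # /32 down to /48 allowed
]


def roa_covers(roa: ROA, prefix: str) -> bool:
    """A ROA covers an announcement if the announced prefix lies inside
    the ROA prefix (same address family), regardless of maxLength/ASN."""
    net = ipaddress.ip_network(prefix)
    roa_net = ipaddress.ip_network(roa.prefix)
    return net.version == roa_net.version and net.subnet_of(roa_net)


def validate_origin(roas, announced_prefix: str, origin_asn: int) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced_prefix)
    covering = [r for r in roas if roa_covers(r, announced_prefix)]
    if not covering:
        return "not-found"           # no ROA says anything about it
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"           # matching ROA found
    return "invalid"                 # covered, but wrong AS or too specific


def accept_update(roas, announced_prefix: str, origin_asn: int) -> bool:
    """Example receiving-side policy: drop 'invalid' announcements,
    accept 'valid' and (as most operators do) 'not-found'."""
    return validate_origin(roas, announced_prefix, origin_asn) != "invalid"


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                     ("192.0.2.0/25", 64496), ("203.0.113.0/24", 64496)]:
        print(pfx, asn, validate_origin(ROAS, pfx, asn))
```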

For a more detailed look at BGP RPKI, check out Geoff Huston’s and Randy Bush’s great introduction to the subject in the IETF Journal.

The main RFCs defining RPKI are RFC 6810 and RFC 6811. In addition, here are other relevant RFCs relating to RPKI.

For more information on Securing BGP, check out some of our other Securing BGP resources.
