What is RPKI?
The Resource Public Key Infrastructure (RPKI) is a set of systems and protocols to allow cryptographic verification of Internet routes. It’s being deployed across the Internet to increase routing security and prevent accidental and malicious disruptions to the network.
What does RPKI do for my campus?
The Internet’s core routing protocol, BGP, was designed without any inherent security. As a result, anyone on the Internet can advertise any route, and by doing so can hijack traffic away from its proper destination. Data can be captured for analysis, attempts can be made to attack existing connections, and legitimate use is blocked. There are ways to prevent this, but they require operators to implement filters and controls on all their connections that many do not (although NYSERNet does). RPKI is a way for every network to know whether a route advertisement is legitimate or not. It isn’t perfect – there are still ways to defeat RPKI, and it hasn’t yet been implemented everywhere – but it is a big improvement over the status quo. And RPKI is extremely effective against configuration errors, a common cause of routing problems.
What do I need to do if I want those benefits?
RPKI has two components: route signing and route validation. Validation can be done by anyone, but it’s most valuable for those who provide connections to other networks (like NYSERNet, for example). Campuses could validate, but since your providers will also be doing it, there’s relatively little to be gained. Route signing, on the other hand, is something that can only be done by the owners of the networks. The IPv4 and IPv6 routes that you have for your campus need to be signed in order for the rest of the Internet to know that you are the only place they should originate from.
What can go wrong?
The verification process with RPKI is similar in concept to using an SSL certificate to secure a web server. If you change the name of a website without updating the SSL cert, anyone who tries to connect will get a security warning in their browser. In the same way, if you make a change to your routing and don’t update the RPKI signature, other networks will refuse to accept the route. RPKI signatures also expire, like SSL certs, and need to be renewed periodically. It’s important to keep the private key secret and backed up, and make sure that more than one person in your organization has access to it and to the ARIN website where the signatures are submitted.
How do I get started?
Within the United States, network addresses are administered by ARIN (https://www.arin.net) and they also take care of RPKI. Their system is very well documented and works smoothly, but before it can be used to sign your routes, you need a couple of things.
The first is an ARIN Online account (https://www.arin.net/resources/guide/account/), which you or someone in your organization may already have. This is also a great time to check that all your contact information at ARIN is up-to-date. You should always make sure at least two of your technical staff have ARIN Online access as backups for each other.
After your account is created, you will need to verify your contractual status with ARIN. You may already have agreed to the ARIN Resource Sharing Agreement (RSA) for all of your addresses (both IPv6 and IPv4). In that case, you can move on to the signing step. Most campuses have not signed an agreement for their original IPv4 addresses though and will need to start the process with ARIN by opening a request for Legacy Resource Sharing Agreement (LRSA – https://www.arin.net/resources/guide/legacy/) The ARIN representative will guide you. However, it is critically important that you request Legacy status for any IPv4 address space that was issued prior to 1998. The process will give you the choice of RSA or LRSA, and you must choose LRSA to avoid paying the much higher RSA fees.
Unfortunately, it is likely your campus legal team will have a difficult time accepting the ARIN agreement. ARIN is unwilling to make any changes to the language, except in cases where state law requires it. Signing the LRSA is usually the longest step in the entire RPKI process, but it is necessary before anything else can proceed.
When that is done, you will have two ARIN Organization Identifiers, one for your RSA (which includes IPv6 space) and one for LRSA (older IPv4 space and AS numbers). You’ll create separate RPKI key pairs for each of them and use the appropriate key to sign each route.
I’m ready to sign, what’s next?
You should review how your routes are advertised to NYSERNet and your ISPs, which is something we’re happy to help with. The signatures that you create will need to match the advertisements.
The actual signing process is documented by ARIN (https://www.arin.net/resources/manage/rpki/) and is easiest if you have a computer with OpenSSL installed (any Linux or Mac, or Windows with WSL or a binary package).
The ARIN documentation will walk you through the process of creating a certificate (one for each of your Organization IDs) and the appropriate Route Origin Authorizations (ROAs) which you will sign, either manually or through the ARIN web tool. Note that as soon as you publish a ROA, it will take effect; many networks update their validation every 10 minutes.
Once you have your ROAs published, remember to back up and secure your certificates and make a note of when the ROAs will expire. ARIN will email you a reminder, as well.
I’m not ready to try this in production, can I test it somewhere?
ARIN provides an online testbed (https://www.arin.net/reference/tools/testing/) which you can use to work through the entire RPKI process without any connection to the production network.
How soon do I need to do all this?
There is no requirement to sign your routes with RPKI at this time. Of course, the security benefits will begin as soon as you sign your routes, so that’s the primary incentive. Some network and content providers are already asking for RPKI. For the most part they prefer it, but are willing to provide services even if your routes are not signed. The security standards being imposed by funding agencies are likely to include routing security at some point, since it impacts data integrity and confidentiality. We’ve heard that some cyber insurance providers are including routing security in their questionnaires, so there’s the possibility that deploying RPKI would reduce rates. And, as it becomes more widely used, there’s an expectation that insurers will be less willing to pay for damages which could have been prevented.
There’s one other reason why you may want to start the process now – ARIN is increasing the fees for Legacy networks at the end of 2023. However, anyone who agrees to the LRSA before that time will continue paying much lower rates. Having an LRSA doesn’t mean you have to sign your routes, but since it is the most difficult step for most campuses, it’s a good idea to get it out of the way. Depending on the process with your campus legal department, getting it done within the year may be a challenge. Even if you don’t intend to deploy RPKI right away, it’s worth looking at the cost difference. NYSERNet can help you figure out what that will be.
What help can NYSERNet provide?
We have already signed all of the NYSERNet routes, which required all the steps outlined above, and will be happy to talk with you about what was involved, review your current situation with respect to ARIN, answer any questions we can or help you to formulate the right questions for ARIN. We’re also happy to have general discussions about routing security and how RPKI fits into it, go into more detail about how the validation process works, talk about troubleshooting and monitoring, and anything else related to your connections to NYSERNet. You can contact your NYSERNet membership representative, or email our NOC at firstname.lastname@example.org any time.
Author: Bill Owens
Date: January 2023