Jump to content

Resource Public Key Infrastructure

From Wikipedia, the free encyclopedia

Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework to support improved security for the Internet's BGP routing infrastructure.

RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP addresses) to a trust anchor. The certificate structure mirrors the way in which Internet number resources are distributed. That is, resources are initially distributed by the IANA to the regional Internet registries (RIRs), who in turn distribute them to local Internet registries (LIRs), who then distribute the resources to their customers. RPKI can be used by the legitimate holders of the resources to control the operation of Internet routing protocols to prevent route hijacking and other attacks. In particular, RPKI is used to secure the Border Gateway Protocol (BGP) through BGP Route Origin Validation (ROV), as well as Neighbor Discovery Protocol (ND) for IPv6 through the Secure Neighbor Discovery protocol (SEND).

The RPKI architecture is documented in RFC 6480. The RPKI specification is documented in a spread out series of RFCs: RFC 6481, RFC 6482, RFC 6483, RFC 6484, RFC 6485, RFC 6486, RFC 6487, RFC 6488, RFC 6489, RFC 6490, RFC 6491, RFC 6492, and RFC 6493. SEND is documented in RFC 6494 and RFC 6495. These RFCs are a product of the IETF's SIDR ("Secure Inter-Domain Routing") working group,[1] and are based on a threat analysis which was documented in RFC 4593. These standards cover BGP origin validation, while path validation is provided by BGPsec, which has been standardized separately in RFC 8205. Several implementations for prefix origin validation already exist.[2]

Resource Certificates and child objects

[edit]

RPKI uses X.509 PKI certificates (RFC 5280) with extensions for IP addresses and AS identifiers (RFC 3779). It allows the members of regional Internet registries, known as local Internet registries (LIRs), to obtain a resource certificate listing the Internet number resources they hold. This offers them validatable proof of holdership, though the certificate does not contain identity information. Using the resource certificate, LIRs can create cryptographic attestations about the route announcements they authorise to be made with the prefixes and ASNs they hold. These attestations are described below.

Route Origin Authorizations

[edit]

A Route Origin Authorization (ROA)[3] states which autonomous system (AS) is authorised to originate certain IP prefixes. In addition, it can determine the maximum length of the prefix that the AS is authorised to advertise.

Maximum prefix length

[edit]

The maximum prefix length is an optional field. When not defined, the AS is only authorised to advertise exactly the prefix specified. Any more specific announcement of the prefix will be considered invalid. This is a way to enforce aggregation and prevent hijacking through the announcement of a more specific prefix.

When present, this specifies the length of the most specific IP prefix that the AS is authorised to advertise. For example, if the IP address prefix is 10.0.0.0/16 and the maximum length is 22, the AS is authorised to advertise any prefix under 10.0.0.0/16, as long as it is no more specific than /22. So, in this example, the AS would be authorised to advertise 10.0.0.0/16, 10.0.128.0/20 or 10.0.252.0/22, but not 10.0.255.0/24.

Autonomous System Provider Authorizations

[edit]

An Autonomous System Provider Authorization (ASPA) states which networks are permitted to appear as direct upstream adjacencies of an autonomous system in BGP AS_PATHs.[4]

RPKI route announcement validity

[edit]

When a ROA is created for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity[5] of one or more route announcements. They can be:

  • VALID
    • The route announcement is covered by at least one ROA
  • INVALID
    • The prefix is announced from an unauthorised AS. This means:
      • There is a ROA for this prefix for another AS, but no ROA authorising this AS; or
      • This could be a hijacking attempt
    • The announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix and AS
  • UNKNOWN
    • The prefix in this announcement is not covered (or only partially covered) by an existing ROA

Note that invalid BGP updates may also be due to incorrectly configured ROAs.[6]

Management

[edit]

There are open source tools[7] available to run the certificate authority and manage the resource certificate and child objects such as ROAs. In addition, the RIRs have a hosted RPKI platform available in their member portals. This allows LIRs to choose to rely on a hosted system, or run their own software.

Publication

[edit]

The system does not use a single repository publication point to publish RPKI objects. Instead, the RPKI repository system consists of multiple distributed and delegated repository publication points. Each repository publication point is associated with one or more RPKI certificates' publication points. In practice this means that when running a certificate authority, an LIR can either publish all cryptographic material themselves, or they can rely on a third party for publication. When an LIR chooses to use the hosted system provided by the RIR, in principle publication is done in the RIR repository.

Validation

[edit]

Relying party software will fetch, cache, and validate repository data using rsync or the RPKI Repository Delta Protocol (RFC 8182).[8] It is important for a relying party to regularly synchronize with all the publication points to maintain a complete and timely view of repository data. Incomplete or stale data can lead to erroneous routing decisions.[9][10]

Routing decisions

[edit]

After validation of ROAs, the attestations can be compared to BGP routing and aid network operators in their decision-making process. This can be done manually, but the validated prefix origin data can also be sent to a supported router using the RPKI to Router Protocol (RFC 6810),[11] Cisco Systems offers native support on many platforms[12] for fetching the RPKI data set and using it in the router configuration.[13] Juniper offers support on all platforms[14] that run version 12.2 or newer. Quagga obtains this functionality through BGP Secure Routing Extensions (BGP-SRx)[15] or a RPKI implementation[16] fully RFC-compliant based on RTRlib. The RTRlib[17] provides an open source C implementation of the RTR protocol and prefix origin verification. The library is useful for developers of routing software but also for network operators.[18] Developers can integrate the RTRlib into the BGP daemon to extend their implementation towards RPKI. Network operators may use the RTRlib to develop monitoring tools (e.g., to check the proper operation of caches or to evaluate their performance).

RFC 6494 updates the certificate validation method of the Secure Neighbor Discovery protocol (SEND) security mechanisms for Neighbor Discovery Protocol (ND) to use RPKI for use in IPv6. It defines a SEND certificate profile utilizing a modified RFC 6487 RPKI certificate profile which must include a single RFC 3779 IP address delegation extension.

References

[edit]
  1. ^ "Secure Inter-Domain Routing (SIDR)". datatracker.ietf.org.
  2. ^ Resource Public Key Infrastructure (RPKI) Router Implementation Report (RFC 7128), R. Bush, R. Austein, K. Patel, H. Gredler, M. Waehlisch, February, 2014
  3. ^ A Profile for Route Origin Authorizations (ROAs), M. Lepinski, S. Kent, D. Kong, May 9, 2011
  4. ^ Azimov, Alexander; Bogomazov, Eugene; Bush, Randy; Patel, Keyur; Snijders, Job; Sriram, Kotikalapudi (29 August 2023). "BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects". Internet Engineering Task Force.
  5. ^ Huston, Geoff; Michaelson, George G. (Feb 2012). Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations (ROAs) (Report). Internet Engineering Task Force.
  6. ^ M. Wählisch, O. Maennel, T.C. Schmidt: "Towards Detecting BGP Route Hijacking using the RPKI", Proc. of ACM SIGCOMM, pp. 103–104, New York:ACM, August 2012.
  7. ^ "GitHub - dragonresearch/rpki.net: Dragon Research Labs rpki.net RPKI toolkit". November 23, 2019 – via GitHub.
  8. ^ Bruijnzeels, Tim; Muravskiy, Oleg; Weber, Bryan; Austein, Rob (July 2017). "RFC 8182 - The RPKI Repository Delta Protocol". datatracker.ietf.org.
  9. ^ Kristoff, John; Bush, Randy; Kanich, Chris; Michaelson, George; Phokeer, Amreesh; Schmidt, Thomas C.; Wählisch, Matthias (2020-10-27). "On Measuring RPKI Relying Parties". Proceedings of the ACM Internet Measurement Conference. IMC '20. New York, NY, USA: Association for Computing Machinery. pp. 484–491. doi:10.1145/3419394.3423622. ISBN 978-1-4503-8138-3. S2CID 225042016.
  10. ^ Kristoff, John; Bush, Randy; Kanich, Chris; Michaelson, George; Phokeer, Amreesh; Schmidt, Thomas C.; Wählisch, Matthias (2020-10-27). "On Measuring RPKI Relying Parties". Proceedings of the ACM Internet Measurement Conference. ACM. pp. 484–491. doi:10.1145/3419394.3423622. ISBN 978-1-4503-8138-3. S2CID 225042016.
  11. ^ Bush, Randy; Austein, Rob (January 2013). "RFC 6810 - The Resource Public Key Infrastructure (RPKI) to Router Protocol". datatracker.ietf.org.
  12. ^ "RPKI Configuration with Cisco IOS". RIPE.
  13. ^ "Cisco IOS IP Routing: BGP Command Reference - BGP Commands: M through N [Support]". Cisco.
  14. ^ "Example: Configuring Origin Validation for BGP - Technical Documentation - Support - Juniper Networks". www.juniper.net.
  15. ^ "BGP Secure Routing Extension (BGP‑SRx) Prototype". NIST. August 15, 2016.
  16. ^ "Quagga with RPKI-RTR prefix origin validation support: rtrlib/quagga-rtrlib". May 10, 2019 – via GitHub.
  17. ^ "RTRlib - The RPKI RTR Client C Library". rpki.realmv6.org.
  18. ^ M. Wählisch, F. Holler, T.C. Schmidt, J.H. Schiller: "RTRlib: An Open-Source Library in C for RPKI-based Prefix Origin Validation, Proc. of USENIX Security Workshop CSET'13, Berkeley, CA, USA:USENIX Assoc., 2013.
[edit]