Despite RPKI’s crucial role in securing the Internet routing system, Resource Public Key Infrastructure (RPKI) deployment is still low, leaving the Internet exposed to traffic hijacking attacks and other threats.
As we increasingly turn to the Internet to manage every aspect of our lives, Internet security becomes an increasingly important topic. Since its creation, the Internet has been a network of networks that relied on a trust-based model to connect to each other. Today, with over 70,000 networks connected around the globe, the Internet lacks the built-in security needed to protect it from security risks posed by malicious hijacks and mistaken routing announcements, which create significant costs for users and network operators.
To make routing announcements more reliable and secure, Internet coordination bodies encourage network operators to adopt the Resource Public Key Infrastructure (RPKI) framework.
What is RPKI? RPKI is a community-driven security routing innovation developed to increase Internet security. It is a two-sided framework: networks must first sign and issue route origin authorisations (ROAs),which are records that bind an IP address block to the network (AS) that is allowed to advertise it in the Border Gateway Protocol (BGP).This is done by assigning private cryptographic keys to the holders of IP addresses. Second, networks must conduct route origin validation (ROV) based on these ROAs to ensure that routing announcements originate from the authorised parties.
In simple words, RPKI functions much like a police officer pulling you over to check your license and registration. Just as the officer wants to verify that you are not driving a stolen car, RPKI verifies that you are not advertising a route belonging to someone else.
In the last two years, we witnessed significant uptake among major international players, including tier 1 transit, cloud ISPs, Amazon, Cloudflare, Netflix, Google, Meta, AT&T and other network operators. European IXPs are also close to enabling RPKI in their networks.
In the Middle East region, on the side of issuing ROAs, the RIPE NCC’s efforts in collaboration with mobile operators, Internet Service providers and regulatory authorities in 2021 have paid off. Our numbers indicate that the percentage of address space covered by ROAs in the region has achieved a very good level compared to other regions (around 58%). However, that is not enough, as the number of networks in the region deploying ROV to filter invalid ROAs falls far below other regions. RPKI filtering is still low in all countries, including in the Gulf countries, with less than 10% RPKI validation, leaving the Internet largely exposed to traffic hijacking and other threats.
What are the root causes of slow adoption, and how can deployment be pushed forward? A network operator choosing to deploy RPKI now can immediately benefit because of the accelerated deployment of RPKI by CDNs, tier 1 providers and big operators. However, RPKI deployment requires careful planning and execution.
Fear of being disconnected from other networks due to incorrect ROA creation is the most common reason specified by operators for not creating ROAs. And the fear of being disconnected from other networks due to incorrect ROV configuration is also the most common reason for not performing ROV. Both come down to a lack of knowledge and technical expertise.
One of the RIPE NCC’s strategic goals is to support Internet growth and security by promoting the use of best practices for Internet Resources and standards such as IPv6, IPv6 security and RPKI. We have developed capacity-building initiatives like dedicated security courses and training for our members and different stakeholder groups, including governments. In addition, we launched the IPv6 Security Expert course and certification in 2021 and will launch the Routing Security Expert course and certification later this year. These are part of our strategy to empower network engineers and technical staff and to protect networks against routing and numbering threats.
How can governments and regulatory authorities contribute to these efforts? They should be aware that routing security, like IPv6, is an important topic from a strategic and economic perspective, as we all need the Internet to function. From a regulatory perspective, it is necessary to raise awareness among operators about RPKI.
IPv6 deployment success offers some important lessons in collaboration with network operators, Internet Service Providers and regulators that can be replicated for RPKI, where we have seen significant growth in both IPv6 traffic and adoption globally and regionally.