Sign in Subscribe

RPKI Resource Public Key Infrastructure

Last updated on 

RPKI (Resource Public Key Infrastructure) is a cryptographic framework that provides a means for validating the authenticity and integrity of internet routing information. It is designed to address security vulnerabilities and risks associated with the Border Gateway Protocol (BGP), which is used for exchanging routing information between autonomous systems (ASes) on the internet.

In the context of RPKI, resources refer to IP address blocks and Autonomous System Numbers (ASNs) that are allocated to network operators and internet service providers (ISPs). RPKI enables these organizations to digitally sign their IP address and ASN allocations, thereby creating a trust anchor for verifying the legitimacy of routing updates and preventing various forms of routing attacks, such as prefix hijacking and route leaks.

Here's an overview of the key components and processes involved in RPKI:

  1. Certificate Authority (CA): A CA is a trusted entity responsible for issuing and managing digital certificates within the RPKI infrastructure. CAs are typically operated by Regional Internet Registries (RIRs) or National Internet Registries (NIRs), which are responsible for managing IP address allocations. The CA signs digital certificates that bind the IP address blocks or ASNs to their respective holders.
  2. Route Origin Authorization (ROA): A ROA is a digitally signed object that associates a specific IP address prefix or ASN with its legitimate holder. It includes information such as the prefix or ASN, maximum prefix length, and an indication of the holder's authorization. ROAs are created and signed by the holder of the IP address or ASN and are stored in the RPKI repository.
  3. RPKI Repository: The RPKI repository is a distributed database that stores the signed objects, including certificates and ROAs, published by CAs and IP address/ASN holders. It provides a centralized location for retrieving and validating the cryptographic information necessary for RPKI-based verification.
  4. Relying Party: A relying party is an entity, typically an ISP or network operator, that relies on RPKI to validate the legitimacy of routing information received through BGP. Relying parties fetch signed objects (certificates and ROAs) from the RPKI repository and use them to verify the authenticity and authorization of routing updates.

The process of RPKI validation involves the following steps:

  1. Certificate Validation: Relying parties fetch the CA certificates from the RPKI repository and verify their authenticity using public key cryptography. This establishes trust in the CA's ability to issue valid certificates.
  2. ROA Validation: When a routing update is received, the relying party checks if there is a corresponding ROA for the advertised IP address prefix or ASN. The ROA is fetched from the RPKI repository, and its digital signature is verified using the CA's certificate. If the signature is valid, the relying party checks if the routing update matches the authorized prefix and maximum length specified in the ROA. If the validation succeeds, the route is considered legitimate; otherwise, it may be treated as invalid or suspicious.
  3. Route Filtering: Based on the validation results, relying parties can implement route filtering policies to accept or reject routing updates. They can choose to prefer routes with valid ROAs and discard or lower the priority of routes without valid ROAs, reducing the risk of routing attacks.

RPKI helps mitigate various routing security issues, including route hijacking, where an attacker illegitimately announces IP prefixes they don't own, and route leaks, where incorrect routing information is propagated due to misconfigurations or malicious intent. By using cryptographic mechanisms and validating the legitimacy of routing updates, RPKI enhances the security and integrity of the global routing system, improving the overall trustworthiness of internet routing.