With our increasing dependence on the Internet in every aspect of our lives, it is no surprise that Internet routing and security is more important than ever. A simple mistake from a network engineer can affect the Internet connection in a completely different location. And while the majority of suspicious activities or issues around routing are the result of human error, there is also scope for more malicious activity. These outages can be detrimental for businesses, and the downtime can even make networks vulnerable to hackers intercepting Internet traffic.
We need stronger routing security by ISPs to create a safer Internet for all. But how do we get there?
Enter RPKI
Routing has until now relied on the trust-based model of Border Gateway Protocol (BGP), a system designed several decades ago. While BGP has enabled the growth of the modern Internet, it lacks the built-in security features needed today to protect against the risks of exponential increases in Internet usage. Sadly, route leaks and hijacks are pervasive in today’s world of Internet routing. For example, in December 2017 eighty high-traffic prefixes normally announced by Google, Apple, Facebook, Microsoft, Twitch, NTT Communications, Riot Games, and others, were announced by a Russian Autonomous System (AS).
Resource Public Key Infrastructure (RPKI) is a method to secure Internet routing by cryptographically verifying routes. It functions in a similar fashion to a police car pulling you to the side of the road to check your license and registration plate, verifying that you are not driving a stolen car. RPKI connects IP addresses and AS Numbers to a trust anchor and requires two steps - Route Origin Authorization (ROA) and Route Origin Validation - to achieve digital verification. The end result is a method of verifying that traffic is using an authorized route.
Signs of RPKI progress
2021 has seen real progress for RPKI. We have observed a significant growth in RPKI adoption by networks around the world, both on the signing and on the validation side. RPKI certificates increased by 26 percent from 2020 to 2021, while ROAs increased by 38 percent from 2020 to 2021. In 2021, ISPs across the world have been taking up RPKI. Amazon Web Services signed their prefixes and deployed RPKI Origin Validation. Comcast, one of the largest Internet Service Providers in the US, has signed its prefixes. NOS Comunicações, a leading Internet Service Provider in Portugal, has signed its prefixes and is dropping invalids, as has Vocus, a leading Australian ISP.
Tier 2 ISPs hold the key
However, there is still some way to go. The RPKI model works at its best when as many players as possible are involved. Given the context of Covid-19, it is admirable that the industry has continued to make progress. Now that the tier 1s have made great progress, the onus is squarely on the tier 2 ISPs such as Virgin and BT, as well as Internet exchanges, to secure RPKI in 2021 and beyond. Their support is essential to help secure the entire routing path for all.
There are mitigating factors. Given the challenges of the pandemic, it is understandable that adoption amongst ISPs has been slow, favoring necessary upgrades rather than risk outages. Research from leading UK ISP Zen Internet revealed that Internet usage in the UK increased by 78 percent year-on-year. As bandwidth was pushed towards remote working, entertainment, and online shopping, daytime Internet usage increased by 75 percent and the evening peak by 65 percent.
However, we are now in a sufficiently stable position to resume working towards our shared common goal. With the known lack of security standards in BGP, there is an urgency to secure routing pathways for everyone. Upgrade-related network outages may still be a risk, but they are slim compared to the ever-increasing risks posed by the exponential growth of Internet traffic, and the ever-present threat of hackers.
With the stakes so high, these are the outages that could be potentially lasting and have the greatest impact on lives and businesses. While ISPs might be erring on the side of caution following the pandemic, it’s important that they implement RPKI and the community-defined standards that protect the entire routing path as soon as possible. The pandemic has shown how much the Internet is now critical to our lives. By taking the necessary steps to unlock stronger routing security, the industry can create and keep the Internet safer for everyone.