For several years Internet routing has relied on a trust-based model. While this system has worked well in general, it is now struggling to deal with both the exponential growth of the Internet and an increasing number of cyber threat actors online. At present, the exploitable weaknesses in the trust-based system are developing into a major security concern.
The problems arising from trust-based routing were laid bare recently by a huge Cloudflare outage, triggered by Verizon. This outage saw many websites hosted on Cloudflare taken offline and rendered inaccessible for several hours. While not malicious in nature, this incident demonstrated how the current Internet routing model - built on the trust that all packets are being routed via the path advertised - can be exploited; and with devastating effect.
Today it is far from certain that Internet traffic is being routed via the path claimed, with the information it claims to hold. It is clear that a better system for routing validation is required.
Out with the old
With no means of verifying a route announcement at scale, the trust-based model of Internet routing is no longer equipped to effectively deal with the task of route validation. The problem here is that while many routing databases exist, some maintained by Regional Internet Registries (RIRs), the existing system lacks cryptographic signing for data. Over time, these Internet Routing Registry databases begin to hold data that is invalid - either because it is outdated, or because it contains typos that have not been fixed, or in more extreme cases because malicious actors deliberately insert incorrect information to lend the appearance of legitimacy to their hijacks.
As Internet traffic has increased and databases have become more outdated, the importance of routing validation has increased. This has led to the development of Resource Public Key Infrastructure (RPKI), developed together by RIRs, open source software developers and several major router vendors. RPKI is a community-driven routing innovation to help secure the Internet’s routing infrastructure in real time and at scale, by connecting IP addresses and AS numbers to a trust anchor (a digital certificate). For RPKI to work optimally, it requires three steps – route origin authorization, route origin validation and route filtering.
RPKI then cryptographically verifies route announcements to remove any doubt about where traffic is originating from. While RPKI is a promising solution, what does it mean in practice? Does it spell the end for concerns around the security of the Internet’s routing infrastructure?
The first step
RPKI undoubtedly delivers improved routing security, but it only protects routing close to the network using it. It doesn’t secure the whole path along which traffic has been routed. This means that RPKI is now the most effective way of preventing potential hijacks in the first hop of routing from your network.
However, it can’t stop Internet hijacks overall, because the invalid route may have already traveled down the routing line until it is stopped.
This isn’t to say that RPKI is not a vital step forward that organizations should (or can afford) to overlook. It’s role is a vital one; and the more widely it is deployed, the more effective it becomes.
Making the most of RPKI
To make RPKI its most effective, holders of IP addresses and ASNs need to create a cryptographic statement called a Route Origin Authorization (‘ROA’). A ROA can only be created by the legitimate holder of the prefix and states which AS number is authorized to announce this prefix on the Internet. This helps to validate that route announcements have come from the route they claim (Route Origin Validation) and then filters the request (Route Filtering), whereby any ‘invalid’ routes are dropped. Route filtering is really what prevents malicious actors from advertising routes that do not belong to them; or a simple misconfiguration from being transmitted and snowballing into a larger incident.
For route filtering to be effective more organisations need to start creating ROAs to ensure their routes are safe from hijacks, whether malicious or unintended. In short, ROAs help to digitally verify where a prefix should have originated from and who the legitimate holder of this should be (preventing a bad actor from progressing a fraudulent claim, or from innocent routing mistakes being made).
This cryptographical verification is vital to the entire routing process.
This verification prevents both malicious and accidental hijacking, which can cause network outages and allow hackers to intercept Internet traffic. For example, it’s like a highway policeman asking to see a driver’s license and registration to make sure they are not driving a stolen car. Crucially, data is also actively maintained and the cryptographic certificates must be renewed every year, and also every time a holder transfers IP addresses or ASNs to another party. RPKI supports the process of keeping databases accurate and up-to-date.
The next steps
The trust-based model of old can’t keep up with the development of the Internet. However, RPKI can by unlocking stronger routing security; and preventing potential hijacks in the first hop of routing in the network. However, RPKI does require organizations deploying it to create ROAs to support digital verification. The consequences of not doing this have resulted in some major incidents - which are just too costly for business to ignore.