Internet2: Network Routing Security and RPKI Adoption in Research and Education
One of the most important things to remember about network routing security is that it requires collective action. Protecting networks from common routing threats is in every institution's best interest. But you can't do it on your own. The full benefits of routing security best practices require widespread adoption — as we see with RPKI.
One of the most important things to remember about network routing security is that it requires collective action… you can't do it on your own.
Grush: Can you talk a bit more specifically about Resource Public Key Infrastructure — RPKI — how RPKI works as a key network routing security strategy?
Deaton: RPKI, Resource Public Key Infrastructure, is a framework that was introduced in 2008 to ensure the authenticity of Internet routing information. Network operators and IP address holders create cryptographically signed certificates — Route Origin Authorizations (ROAs), which are published in an RPKI registry. The registry serves to verify the identity of IP address holders, while the ROAs validate the Autonomous Systems (ASes) allowed to announce an organization's routing prefixes for those addresses. RPKI helps prevent issues with route configurations. Even simple errors and misconfigurations may disrupt services — it doesn't necessarily take a malicious attack.
RPKI helps prevent issues with route configurations. Even simple errors and misconfigurations may disrupt services — it doesn't necessarily take a malicious attack.
There's a lot of complex work going on in this space, with the development of RPKI standards coming from the Internet Engineering Task Force and others behind the framework and protocols. But I can offer a simple analogy to help illustrate how RPKI works.
The analogy that I'd like to borrow comes from AFRINIC, which is the Internet numbers registry for Africa. They put it this way: RPKI works much like a passport and visa system for Internet routing. Cryptographic certificates, provided by RPKI, act like passports, verifying the identity of IP address holders. And Route Origin Authorizations — ROAs — act as visas, authorizing the legitimate use of IP prefixes. It's like saying, "Here's who I am, and here's how I am authorized to operate." Without both elements, Internet routers won't announce route prefixes, thus preventing unauthorized traffic.
So by adopting RPKI-ROA, networked organizations can protect their IP addresses from hijacking and prevent route leaks. RPKI-ROA clearly contributes to the overall cybersecurity posture of connected networks — and more widespread adoption of RPKI means a more trusted and collaborative network ecosystem. RPKI adoption also lays the groundwork for Autonomous System Provider Authorization (ASPA) and Border Gateway Protocol security (BGPsec), future standards that will further enhance Internet security by leveraging RPKI's trusted infrastructure.
RPKI-ROA clearly contributes to the overall cybersecurity posture of connected networks — and more widespread adoption of RPKI means a more trusted and collaborative network ecosystem.
Grush: So is routing security with RPKI-ROAs becoming a recognized priority for most cybersecurity teams?
Deaton: With so many cybersecurity concerns facing any CIO or CISO, it can be understandably challenging to prioritize routing security. Furthermore, RPKI-ROA sometimes falls through the cracks between an organization's networking and cybersecurity teams. To address that problem, we need to provide increased focus on it.
Routing security incidents may not make news headlines like ransomware attacks or major data breaches, leading to a lack of urgency in addressing them. However, the impacts of routing security are real and significant.