Nathalie Trenaman is the Routing Security Programme Manager at RIPE NCC. Nathalie gave a session on the definition and purposes of RPKI during an online workshop for Euro-IX in August 2020. Watch the video to find out more about the topic.
“Resource Public Key Infrastructure (RPKI), is a specialised public key infrastructure (PKI) framework to support improved security for the Internet's BGP routing infrastructure. RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP addresses) to a trust anchor, and can be used by the legitimate holders of resources to control the operation of Internet routing protocols to prevent route hijacking and other attacks.
Our Route Servers perform Route Origin Validation (ROV), and will drop Invalid prefixes. We strongly encourage you to create Route Origin Authorisations (ROAs) for your resources.”
ROUTE ORIGIN VALIDATION
With route origin validation (ROV), the RPKI system tries to closely mimic what route objects in the IRR are intended to do, but in a more trustworthy manner. It also adds a couple of useful features.
Origin validation is currently the only functionality that is operationally used. The five RIRs provide functionality for it, there is open source software available for creation and publication of data, and many major router vendors have implemented ROV in their platforms. Various router software implementations offer support for it, as well.
ROUTE ORIGIN AUTHORISATIONS
Using the RPKI system, the legitimate holder of a block of IP addresses can use their resource certificate to make an authoritative, signed statement about which autonomous system is authorised to originate their prefix in BGP. These statements are called Route Origin Authorisations (ROAs).
The creation of a ROA is solely tied to the IP address space that is listed on the certificate and not to the AS numbers. This means the holder of the certificate can authorise any AS to originate their prefix, not just their own autonomous systems.
ROUTE ANNOUNCEMENT VALIDITY
When a network operator creates a ROA for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity of one or more route announcements. Once a ROA is validated, the resulting object contains an IP prefix, a maximum length, and an origin AS number. This object is referred to as validated ROA payload (VRP).
When comparing VRPs to route announcements seen in BGP, RFC 6811 describes three possible statuses:
Valid: The route announcement is covered by at least one VRP. The term covered means that the prefix in the route announcement is equal to, or more specific than, the prefix in the VRP, and the announcement matches that VRP's origin AS and maxLength.
Invalid: The prefix is announced from an unauthorised AS, or the announcement is more specific than is allowed by the maxLength set in a VRP that matches the prefix and AS.
NotFound: The prefix in this announcement is not, or only partially, covered by a VRP.
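The RFC 6811 comparison described above, implemented as an added example (not code from the page, RIPE NCC or Euro-IX). The VRP table and the route announcements are constructed from documentation prefixes and documentation AS numbers (64496 to 64511), and the check uses only Python's standard ipaddress module.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA payload: prefix, maxLength and the authorised origin AS."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_as: int


def vrp(prefix: str, max_length: int, origin_as: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix, strict=True), max_length, origin_as)


# Constructed VRP table (documentation ranges, not real routing data).
VRPS = [
    vrp("192.0.2.0/24", 24, 64496),       # /24 only, no more-specifics allowed
    vrp("2001:db8::/32", 48, 64496),      # /32 down to /48 allowed from AS64496
    vrp("198.51.100.0/22", 24, 64497),    # AS64497 may announce /22 .. /24
    vrp("198.51.100.0/22", 22, 64500),    # AS64500 may announce the /22 only
]


def covers(v: VRP, route) -> bool:
    """A VRP covers a route when the route is equal to or more specific than its prefix."""
    return route.version == v.prefix.version and route.subnet_of(v.prefix)


def validate_route(route_prefix: str, origin_as: int, vrps=VRPS) -> str:
    """Classify a BGP announcement as Valid, Invalid or NotFound per RFC 6811.

    NotFound: no VRP covers the announced prefix (a less-specific announcement
              that only partially overlaps a VRP is also NotFound).
    Valid:    at least one covering VRP has the same origin AS and a maxLength
              that permits this prefix length.
    Invalid:  covered, but every covering VRP fails on origin AS or maxLength.
    """
    route = ipaddress.ip_network(route_prefix, strict=True)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "NotFound"
    for v in covering:
        if v.origin_as == origin_as and route.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"
```

Note that a single prefix can have several covering VRPs (as with 198.51.100.0/22 above); the announcement is Valid as soon as one of them matches, and Invalid only when none do.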