BGP Origin Validation

Overview

At the beginning of 2011, the RIPE NCC launched a community-driven system that allows Local Internet Registries (LIRs) to request a digital certificate listing the Internet number resources they hold. This Resource Certification (RPKI) system uses open standards that were developed in the Secure Inter-Domain Routing (sidr) Working Group in the IETF. All Regional Internet Registries (RIRs) are committed to operating a resource certification system, making this a global effort.

A resource certificate offers validatable proof of holdership of a resource's allocation or assignment by an RIR. It allows the holder of the certificate to make statements – formally known as attestations – with regards to the resources listed on it.

These statements could be about anything related to the resources, but the practical application offered today is the ability to use the certificates to help secure Internet routing, particularly BGP origin validation.

BGP Origin Validation

There are about 500,000 route announcements on the Internet today. The most common routing error we see is the accidental mis-origination of a prefix, meaning someone unintentionally announces an IP prefix that they are not the holder of. RPKI offers BGP origin validation, so the question it tries to answer is:

Is this particular route announcement authorised by the legitimate holder of the address space?”

Using their resource certificate, network operators can create cryptographically validatable statements about the route announcements they authorise to be made with the prefixes they hold. These statements are called Route Origin Authorisations (ROAs).

A ROA states which Autonomous System (AS) is authorised to originate a certain IP address prefix. In addition, it can determine the maximum length of the prefix that the AS is authorised to advertise.

Based on this information, other network operators – also known as the relying party – can make routing decisions.

RPKI Route Announcement Validity

When a network operator creates a ROA for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity of one or more route announcements. They can be:

  • VALID

    • The route announcement is covered by at least one ROA

  • INVALID

    • The prefix is announced from an unauthorised AS

    • The announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix and AS

  • UNKNOWN

    • The prefix in this announcement is not covered (or only partially covered) by an existing ROA

Summary

The Resource Certification (RPKI) system consists of two parts:

  1. Network operators use their certificates to create Route Origin Authorisations (ROAs), stating from which Autonomous Systems their prefixes will be originated and what the maximum allowed prefix length is

  2. Other network operators can set their routing preferences based on the RPKI validity of route announcements when compared to the ROAs that were created

 

Please note that the current RPKI functionality solely offers origin validation. However, it lays the foundation to offering true Secure BGP, including path validation. Work on creating the standards for this are currently being developed in the IETF.

More Information:
IETF Secure Inter-Domain Routing (sidr) Working Group