BGP Origin Validation
Overview
Resource Certification (RPKI) is a community-driven system in which all Regional Internet Registries, open source software developers and several major router vendors participate. It uses open standards that were developed in the Secure Inter-Domain Routing (sidr) Working Group in the IETF.
A resource certificate offers validatable proof of holdership of a resource's allocation or assignment by an RIR. Using their resource certificate, network operators can create cryptographically validatable statements about the route announcements they authorise to be made with the prefixes they hold. This is known as BGP Origin Validation.
BGP Origin Validation
There are about 550,000 route announcements on the Internet today. The most common routing error we see is the accidental mis-origination of a prefix, meaning someone unintentionally announces an IP prefix that they are not the holder of. RPKI offers BGP origin validation, so the question it tries to answer is:
“Is this particular route announcement authorised by the legitimate holder of the address space?”
RPKI allows network operators to create cryptographically validatable statements about the route announcements they authorise to be made with the prefixes they hold. These statements are called Route Origin Authorisations (ROAs).
A ROA states which Autonomous System (AS) is authorised to originate a certain IP address prefix. In addition, it can determine the maximum length of the prefix that the AS is authorised to advertise.
Based on this information, other network operators can make routing decisions.
RPKI Route Announcement Validity
When a network operator creates a ROA for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity of one or more route announcements. They can be:
- VALID
- The route announcement is covered by at least one ROA
- INVALID
- The prefix is announced from an unauthorised AS
- The announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix and AS
- UNKNOWN
- The prefix in this announcement is not covered (or only partially covered) by an existing ROA
Summary
The Resource Certification (RPKI) system consists of two parts:
- Network operators use their certificates to create Route Origin Authorisations (ROAs), stating from which Autonomous Systems their prefixes will be originated and what the maximum allowed prefix length is
- Other network operators can set their routing preferences based on the RPKI validity of route announcements when compared to the ROAs that were created
Please note that the current RPKI functionality solely offers origin validation. However, it lays the foundation to offering true Secure BGP, including path validation. Work on creating the standards for this are currently being developed in the IETF.
More Information:
IETF Secure Inter-Domain Routing (sidr) Working Group