Introduction to BGP Security and RPKI
The Border Gateway Protocol (BGP) is the routing protocol used to exchange routing information between autonomous systems (ASes) on the internet. BGP is a very important protocol, but it is also a very insecure one. A number of attacks can be used to disrupt BGP, such as BGP hijacking and BGP route leaks.
Resource Public Key Infrastructure (RPKI) is a framework for securing the internet’s routing infrastructure. It is a public key infrastructure that is used to validate the authenticity of BGP route announcements. RPKI can be used to prevent BGP hijacking and BGP route leaks.
This article will provide a technical deep dive into BGP security and RPKI, exploring how RPKI works, how it is used, and the benefits that it provides.
How RPKI Works
RPKI works by using a public key infrastructure to create a chain of trust. The chain of trust starts with the Regional Internet Registries (RIRs). The RIRs are responsible for allocating IP addresses and AS numbers.
The RIRs issue digital certificates to the organizations to which they have allocated IP addresses and AS numbers. These certificates are used to sign Route Origin Authorizations (ROAs). A ROA is a digitally signed object that authorizes an AS to originate a particular prefix.
When a BGP router receives a BGP route announcement, it can use RPKI to validate the authenticity of the announcement. The router first checks whether there is a ROA for the prefix in the announcement. If there is, the router checks whether the AS number in the ROA matches the AS number in the announcement. If the AS numbers match, the router checks whether the ROA is valid. If the ROA is valid, the router accepts the BGP route announcement.
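The origin check described above, as an added example that is not part of the original article. It returns the three outcomes of RFC 6811 route origin validation (valid, invalid, not-found), which goes beyond the accept-only path in the text by also enforcing the ROA's maximum prefix length. The `VRP` class, the `validate_origin` function, and the sample prefixes and AS numbers are constructed for illustration, and ROA signature verification is assumed to have happened already.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Payload of a ROA whose signature and chain are assumed already verified."""
    prefix: str      # prefix the ROA covers
    max_length: int  # longest announcement length the ROA authorizes
    asn: int         # AS authorized to originate the prefix


# Constructed sample data: documentation prefixes and AS numbers.
VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("203.0.113.0/24", 25, 64501),
    VRP("2001:db8::/32", 48, 64500),
]


def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # Step 1: is there a ROA covering the announced prefix?
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Step 2: does the ROA's AS match the origin AS, and is the
        # announcement no more specific than the ROA allows?
        if vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by a ROA but matched by none: typical of an origin hijack or
    # a misconfigured ROA. No covering ROA at all: RPKI has no opinion.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64511),
                     ("192.0.2.0/25", 64500), ("198.51.100.0/24", 64500)]:
        print(f"{pfx:<18} AS{asn}: {validate_origin(pfx, asn)}")
```

A router policy would typically drop or deprioritize `invalid` routes while still accepting `not-found` ones, since a prefix without any ROA cannot be judged either way.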
RPKI Components
The RPKI architecture is made up of a number of different components:
- Regional Internet Registries (RIRs): The RIRs are the root of the RPKI chain of trust. They are responsible for issuing digital certificates to the organizations to which they have allocated IP addresses and AS numbers.
- Certificate Authorities (CAs): CAs are responsible for issuing digital certificates.
- Relying Parties (RPs): RPs are BGP routers that use RPKI to validate the authenticity of BGP route announcements.
- RPKI Cache: The RPKI cache is a local copy of the RPKI repository. It is used by RPs to validate BGP route announcements.
Benefits of RPKI
RPKI provides a number of benefits, including:
- Prevents BGP hijacking: RPKI can be used to prevent BGP hijacking by validating the authenticity of BGP route announcements.
- Prevents BGP route leaks: RPKI can be used to prevent BGP route leaks by validating the authenticity of BGP route announcements.
- Improves the security of the internet’s routing infrastructure: RPKI improves the security of the internet’s routing infrastructure by making it more difficult for attackers to disrupt BGP.
Challenges of RPKI
There are a number of challenges that need to be addressed in RPKI, including:
- Deployment: RPKI is still a relatively new technology, and it is not yet widely deployed.
- Complexity: RPKI is a complex technology, and it can be difficult to deploy and manage.
- Orphans: An orphan is a prefix that is not covered by a ROA. Orphans can be a problem, as they can be hijacked by attackers.
Conclusion
RPKI is a framework for securing the internet’s routing infrastructure. It is a public key infrastructure that is used to validate the authenticity of BGP route announcements. RPKI can be used to prevent BGP hijacking and BGP route leaks. As RPKI becomes more widely deployed, it will help to make the internet’s routing infrastructure more secure.