My new BGP book: 'Internet Routing with BGP' by Iljitsch van Beijnum BGPexpert My BGP book from 2002: 'BGP' by Iljitsch van Beijnum

Home · BGP Expert Test · What is BGP? · BGP Vendors · Links · Archives · Books · My New BGP Book

BGP (advertisement)
RPKI is ready for real-world deployment (posted 2015-04-30)

For some years now, the Regional Internet Registries have been rolling out RPKI. The Resource Public Key Infrastructure allows holders of IP addresses to authorize an autonomous system to inject those addresses in BGP. (See here for an overview of how RPKI works and more links.)

I've always thought it would be hard to deploy RPKI in the real world, because it's just way too easy for a certificate or ROA (route origination authorization) to expire. If that then leads to routes becoming invalid and the addresses in question being unreachable, that would be a good example of the cure being worse than the disease.

Fortunately, that's not the case: RPKI is ready for real-world deployment today.

The way to deploy RPKI that's suggested in RFC 6483 as well as the relevant Cisco and Juniper documentation is to assign different local preference values to the three possible RPKI states, such as:

  • Valid (RPKI checks out): local preference of 200 (highest)
  • Unknown (no RPKI for this prefix): local preference of 100 (normal)
  • Invalid (RPKI present but doesn't check out): local preference of 50 (lowest)

So packets will follow a path that is RPKI-validated if available. If not, they follow a path that isn't covered by RPKI if that's available. Only if there's no "valid" or "unknown" paths, the packets will be sent over an "invalid" path that is covered by RPKI, but validation failed. The trouble with this approach is that it still allows for invalid more specific prefixes to hijack traffic. For instance:

RIPE has a ROA for prefix 193.0.0.0/21 that allows AS 3333 to originate that prefix, with a maximum prefix length of /21. So if AS 4444 originates 193.0.0.0/21, that will result in the following BGP table: 

    Network       Next Hop       Metric LocPrf Weight Path
>*  193.0.0.0/21  19.11.111.244      10    200      0 3333 i
 *                29.249.178.10      10     50      0 4444 i

So effectively, the path through AS 4444 is ignored. However, AS 4444 could also do this: 

    Network       Next Hop       Metric LocPrf Weight Path
>*  193.0.0.0/21  19.11.111.244      10    200      0 3333 i
>*  193.0.0.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.1.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.2.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.3.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.4.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.5.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.6.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.7.0/24  29.249.178.10      10     50      0 4444 i

So even though the path towards the /21 is still routed to AS 3333, the packets flow to AS 4444 because of the longest match first rule. Solution: filter out "invalid" prefixes completely.

But then, what happens when RIPE forgets to renew their certificate or ROA in time? If their prefix would then revert to "invalid", it would disappear from routing tables everywhere, and RIPE would be unreachable: 

    Network       Next Hop       Metric LocPrf Weight Path

In this scenario, it would be very dangerous to filter "invalid" prefixes, as RPKI is still relatively immature and mistakes will happen.

However, it turns out that the results of expired certificates and ROAs aren't actually problematic. In a post to the NANOG list, Alex Band points out:

If ARIN (or another other RIR) went offline or signed broken data, all signed prefixes that previously has the RPKI status "Valid", would fall back to the state "Unknown", as if they were never signed in the first place. The state would NOT be "Invalid".

So what would happen is this: 

    Network       Next Hop       Metric LocPrf Weight Path
>*  193.0.0.0/21  19.11.111.244      10    100      0 3333 i

Obviously, in this case the protection against unauthorized origination of the prefixes in question would go away, but in the normal situation where nobody tries to hijack those prefixes, they would still be reachable and a mistake with certificate or ROA expiration wouldn't immediately lead to a network disappearing off of the internet.

In other words: deploy RPKI today. It doesn't protect against all forms of malicious address hijacking, but it does offer very robust protection against accidental unauthorized route origination, such as the infamous Youtube/Pakistan incident. Also, you can run an RPKI validator locally without the need for your upstream ISPs or peers to do the same.