RPKI is ready for real-world deployment (posted 2015-04-30)
For some years now, the Regional Internet Registries have been rolling out RPKI. The Resource Public Key Infrastructure allows holders of IP addresses to authorize an autonomous system to inject those addresses in BGP. (See here for an overview of how RPKI works and more links.)
I've always thought it would be hard to deploy RPKI in the real world, because it's just way too easy for a certificate or ROA (route origination authorization) to expire. If that then leads to routes becoming invalid and the addresses in question being unreachable, that would be a good example of the cure being worse than the disease.
Fortunately, that's not the case: RPKI is ready for real-world deployment today.
So packets will follow a path that is RPKI-validated if available. If not, they follow a path that isn't covered by RPKI if that's available. Only if there's no "valid" or "unknown" paths, the packets will be sent over an "invalid" path that is covered by RPKI, but validation failed. The trouble with this approach is that it still allows for invalid more specific prefixes to hijack traffic. For instance:
RIPE has a ROA for prefix 22.214.171.124/21 that allows AS 3333 to originate that prefix, with a maximum prefix length of /21. So if AS 4444 originates 126.96.36.199/21, that will result in the following BGP table:
Network Next Hop Metric LocPrf Weight Path >* 188.8.131.52/21 184.108.40.206 10 200 0 3333 i * 220.127.116.11 10 50 0 4444 i
So effectively, the path through AS 4444 is ignored. However, AS 4444 could also do this:
Network Next Hop Metric LocPrf Weight Path >* 18.104.22.168/21 22.214.171.124 10 200 0 3333 i >* 126.96.36.199/24 188.8.131.52 10 50 0 4444 i >* 184.108.40.206/24 220.127.116.11 10 50 0 4444 i >* 18.104.22.168/24 22.214.171.124 10 50 0 4444 i >* 126.96.36.199/24 188.8.131.52 10 50 0 4444 i >* 184.108.40.206/24 220.127.116.11 10 50 0 4444 i >* 18.104.22.168/24 22.214.171.124 10 50 0 4444 i >* 126.96.36.199/24 188.8.131.52 10 50 0 4444 i >* 184.108.40.206/24 220.127.116.11 10 50 0 4444 i
So even though the path towards the /21 is still routed to AS 3333, the packets flow to AS 4444 because of the longest match first rule. Solution: filter out "invalid" prefixes completely.
But then, what happens when RIPE forgets to renew their certificate or ROA in time? If their prefix would then revert to "invalid", it would disappear from routing tables everywhere, and RIPE would be unreachable:
Network Next Hop Metric LocPrf Weight Path
In this scenario, it would be very dangerous to filter "invalid" prefixes, as RPKI is still relatively immature and mistakes will happen.
If ARIN (or another other RIR) went offline or signed broken data, all signed prefixes that previously has the RPKI status "Valid", would fall back to the state "Unknown", as if they were never signed in the first place. The state would NOT be "Invalid".
So what would happen is this:
Network Next Hop Metric LocPrf Weight Path >* 18.104.22.168/21 22.214.171.124 10 100 0 3333 i
Obviously, in this case the protection against unauthorized origination of the prefixes in question would go away, but in the normal situation where nobody tries to hijack those prefixes, they would still be reachable and a mistake with certificate or ROA expiration wouldn't immediately lead to a network disappearing off of the internet.
In other words: deploy RPKI today. It doesn't protect against all forms of malicious address hijacking, but it does offer very robust protection against accidental unauthorized route origination, such as the infamous Youtube/Pakistan incident. Also, you can run an RPKI validator locally without the need for your upstream ISPs or peers to do the same.