RPKI: how contributing to interconnection security

Luca Cicchelli
Jul 1 · 3 min read

Network interconnection security is becoming more and more important nowadays and RPKI is the emerging framework to ensure it. If you have a look at last , you can see this is a trending topic. Also in other related events about peering and interconnection RPKI is widely discussed. Is this only marketing or is there anything more behind?

On June 6th Swiss data centre co-location company Safe Host (AS21217) leaked over 70,000 routes to China Telecom (AS4134) in Frankfurt, Germany, some for over two hours. You can read more details in this of Oracle Internet Intelligence. Often routing incidents like this only last for a few minutes, but in this case many of the leaked routes in this incident were in circulation for over two hours!

The argument started to be in the news in 2008 when YouTube went down because of Pakistan Telecom announced YouTube prefixes that were propagated by Pakistan Telecom Transit Provider. The security weakness lies in why those false instructions were believed by routers around the globe. That’s because Hong Kong-based PCCW, which provided the Internet transit to Pakistan Telecom, did not stop the misleading broadcast.

These are examples of a practice called prefix leaks or BGP leaks (from protocol used in inter domain routing) . And it isn’t always accidental. In April of 2018, attackers deliberately created bad BGP routes to redirect traffic that was meant for Amazon’s DNS service. The attackers were able to steal over $100,000 worth of cryptocurrency by redirecting this traffic to themselves. In such cases we talk about BGP (or prefix) hijacking.

On last June 24th it happened again: a small company in Northern Pennsylvania became a preferred path of many Internet routes through Verizon (AS701), a major Internet transit provider as reported in this . On same article you can find how such leaks can be prevented. All the suggestions are nicely condensed into MANRS () a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats. Basically MANRS introduced four simple but concrete actions that ISPs should take:

  • Filtering
  • Anti-Spoofing
  • Coordination
  • Global Validation

Filtering can be performed in different ways, included:

  1. Using Internet Routing Registries (IRRs) and require the customers to register route objects
  2. Using Resource Public Key Infrastructure (RPKI) and require the customers to create Route Origin Authorizations (ROAs)

RPKI allows Local Internet Registries (LIRs) to request a digital certificate listing the Internet number resources they hold. It offers verifiable proof of holdership of resources’s registration by a Regional Internet Registry (RIR). The certificates are proof of the resource holder’s right of use of their resources and can be validated cryptographically therefore they are intrinsically safer and more reliable than just IRRs. More details on RPKI are available on .

Last year MANRS went further and carried out some specific actions for IXPs for their specific function in routing with Route Servers and as community (of ISPs) builders:

  • Prevent Propagation
  • Promote MANRS
  • Protect Peering Platform
  • Facilitate ISP Communication
  • Provide Monitoring Tools

In TOP-IX we care about interconnection security so immediately joined MANRS: to prevent propagation of non valid routes through Route Servers initially implemented filtering with IRRs, as it was easier to deploy. After many discussions within interconnection community and following other IXPs we’re now implementing RPKI (among other new features) on our Route Servers, in order to provide the best contribution to interconnection security against leaks or hijacks.


A random collection of projects, ideas and activities by TOP-IX and its employees

Luca Cicchelli

Written by

Interconnection Manager at TOP-IX, mountain passionate and other



A random collection of projects, ideas and activities by TOP-IX and its employees