Network interconnection security is becoming more and more important, and RPKI is the emerging framework to ensure it. If you look at the latest RIPE78 agenda, you can see that this is a trending topic. RPKI is also widely discussed at other events about peering and interconnection. Is this only marketing, or is there something more behind it?
On June 6th Swiss data centre co-location company Safe Host (AS21217) leaked over 70,000 routes to China Telecom (AS4134) in Frankfurt, Germany. You can read more details in this blog of Oracle Internet Intelligence. Routing incidents like this often last only a few minutes, but in this case many of the leaked routes were in circulation for over two hours!
The topic first made the news in 2008, when YouTube went down because Pakistan Telecom announced YouTube prefixes that were then propagated by Pakistan Telecom's transit provider. The security weakness lies in why those false instructions were believed by routers around the globe: Hong Kong-based PCCW, which provided Internet transit to Pakistan Telecom, did not stop the misleading announcement.
These are examples of what are called prefix leaks or BGP leaks (from BGP, the protocol used in inter-domain routing). And it isn't always accidental. In April of 2018, attackers deliberately created bad BGP routes to redirect traffic that was meant for Amazon's DNS service. The attackers were able to steal over $100,000 worth of cryptocurrency by redirecting this traffic to themselves. In such cases we talk about BGP (or prefix) hijacking.
On June 24th it happened again: a small company in Northern Pennsylvania became a preferred path for many Internet routes through Verizon (AS701), a major Internet transit provider, as reported in this Cloudflare blog. The same article explains how such leaks can be prevented. All the suggestions are nicely condensed into MANRS (Mutually Agreed Norms for Routing Security), a global initiative supported by the Internet Society that provides crucial fixes to reduce the most common routing threats. Basically, MANRS introduced four simple but concrete actions that ISPs should take:
- Global Validation
Filtering can be performed in different ways, including:
- Using Internet Routing Registries (IRRs) and requiring customers to register route objects
- Using Resource Public Key Infrastructure (RPKI) and requiring customers to create Route Origin Authorizations (ROAs)
RPKI allows Local Internet Registries (LIRs) to request a digital certificate listing the Internet number resources they hold. It offers verifiable proof of holdership of a resource's registration by a Regional Internet Registry (RIR). The certificates are proof of the resource holder's right of use of their resources and can be validated cryptographically, so they are intrinsically safer and more reliable than IRRs alone. More details on RPKI are available on the related RIPE pages.
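To show how ROAs turn into a filtering decision, here is an added example (not code from TOP-IX or from any route server software) of route origin validation as specified in RFC 6811, which goes one step beyond what the text above describes. The prefixes and AS numbers are constructed from the documentation ranges, and `route_server_accepts` is a hypothetical policy that drops only invalid routes.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: what a cryptographically validated ROA authorizes."""
    prefix: str      # prefix the holder has signed for
    max_length: int  # longest more-specific the origin may announce
    asn: int         # AS number authorized to originate the prefix

# Constructed sample data (documentation prefixes and AS numbers, not real ROAs).
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64497),
]

def validate(route_prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        vrp_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route when the route is equal to or inside its prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A match needs the authorized origin AND a prefix length within maxLength.
        # AS 0 in a ROA means "no AS may originate this", so it never matches.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by at least one VRP but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def route_server_accepts(route_prefix: str, origin_asn: int) -> bool:
    """Hypothetical policy: reject invalid routes, keep valid and not-found ones."""
    return validate(route_prefix, origin_asn) != "invalid"

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                        ("192.0.2.0/25", 64496), ("203.0.113.0/24", 64500)]:
        print(prefix, f"AS{asn}", validate(prefix, asn))
```

The third case is the one IRR-style origin checks tend to miss: the origin AS is the authorized one, but the announcement is more specific than the ROA's maxLength allows, so it is still invalid.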
Last year MANRS went further and set out some specific actions for IXPs, reflecting their particular role in routing as operators of Route Servers and as builders of the ISP community:
- Prevent Propagation
- Promote MANRS
- Protect Peering Platform
- Facilitate ISP Communication
- Provide Monitoring Tools
At TOP-IX we care about interconnection security, so we immediately joined MANRS. To prevent the propagation of invalid routes through our Route Servers, we initially implemented filtering with IRRs, as it was easier to deploy. After many discussions within the interconnection community, and following other IXPs, we are now implementing RPKI (among other new features) on our Route Servers, in order to make the best possible contribution to interconnection security against leaks and hijacks.