Strengthening the Internet 13 June 2014

Resource Public Key Infrastructure (RPKI)

Securing BGPCurrently Border Gateway Protocol (BGP), the Internet’s core routing protocol, is susceptible to IP address hijacking attacks. Examples of this are when Pakistan accidentally blackholed all traffic to Youtube, and when traffic was rerouted through Belarus and Iceland in 2013. In response to these type of events, and to the continuing vulnerability in IP address hijacking, the IETF Secure Inter-Domain Routing (SIDR) working group developed the  Resource Public Key Infrastructure (RPKI).

Borrowing many concepts from other Public Key Infrastructure(PKI) implementations, RPKI establishes a hierarchy of trust for BGP routes. Currently, organizations receiving BGP routing updates simply trust that the organization they received the update from is authorized to send it. This is how bad actors and misconfigurations can cause massive traffic redirections. With BGP RPKI, the receiving organization will be able verify that the sending organization is authorized to send the routing update utilizing the RPKI hierarchy of trust.

Like other PKIs, RPKI uses x.509 certificates and a hierarchy of trust rooted at a trust anchor to ‘sign’ route updates. RFC 5280 specifies the usage of X.509 certificates for RPKI, and RFC 3779 defines the extensions to X.509 for IP addresses and Autonomous Systems(AS). However, unlike other PKIs, RPKI does not use Certificate Authorities as trust anchors. Instead RPKI uses Internet Assigned Numbers Authority(IANA) as the trust anchor, and Regional Internet Registries(RIR) as immediately subordinate nodes to that anchor. This not only alleviates load on the sole trust anchor, but increases security by distributing the signing authority by region.

For a more detailed look at BGP RPKI check out Geoff Huston’s and Randy Bush’s great introduction to the subject in the IETF journal.

The main RFCs defining RPKI are RFC 6810 and RFC 6811. In addition, here are other relevant RFCs relating to RPKI.
[table id=6 /]

For more information on Securing BGP, check out some of our other Securing BGP resources.

Related articles

Strengthening the Internet 13 December 2023

Client-Side Scanning

Read about the Internet Society's recommendations to European Parliament proposed regulation on preventing and combating child sexual abuse.

Strengthening the Internet 30 October 2023

Civil Society Experts Voice Concern as New EU Digital Identity Regulation Finalized

Read the analysis and recommendations developed by the Internet Society, Center for Democracy and Technology, Electronic Frontier Foundation, and...

Strengthening the Internet 10 October 2023

How to Talk to Your Manager About Memory Safety

Learn about memory safety, memory-safe languages, common bugs and vulnerabilities, and the reasons for memory safe language adoption and...