Should I Care About RPKI and Internet Routing Security?

One of my subscribers sent me this question:

I’m being asked to enter a working group on RPKI and route origination. I’m doing research, listening to Jeff Tantsura, who seems optimistic about taking steps to improve BGP security vs Geoff Huston, who isn’t as optimistic. Should I recommend to the group that application security is the better investment?

You need both. RPKI is slowly becoming the baseline of global routing hygiene (like washing hands, only virtual, and done once every blue moon when you get new IP address space or when the certificates expire). More and more Internet Service Providers (including many tier-1 providers) filter RPKI invalids, thus preventing the worst cases of unintentional route leaks.

Things will get even better when we start using ASPA and eventually BGPsec. For a good overview of the differences between the two, read the Fastly comments to the FCC Secure Internet Routing inquiry by Job Snijders.

If you’re providing content or e-commerce services from your own infrastructure, you SHOULD read and implement MANRS recommendations for CDN/cloud providers, in particular if you care about a clueless fat-fingered router configurator accidentally advertising your IP address space (even better: more-specific prefixes) to the global Internet.

If you’re an ISP, then you MUST consider MANRS for Network Operators. Obviously you could also pretend you don’t need Internet routing security and blame everyone else [1] (as in: The Internet is down today)… until your customers discover The Internet still works for everyone using your competitor.

Regardless of what your motivation might be, using RPKI will make the global routing infrastructure more secure – we might have to deal with fewer unintentional leaks and successful hijacks. Widespread implementation of MANRS guidelines would also reduce source IP address spoofing. Ideally, we’d get to a strict global clampdown on source IP address spoofing, but I don’t expect to see that in my lifetime [2].

Unfortunately, infrastructure security won’t help much when another botnet exploits clueless organizations who can’t be bothered to configure ACLs in front of their public cloud workloads or VoIP gateways. For that you need application security.

In a Nutshell

Jeff Tantsura posted a great summary of this topic in a LinkedIn comment:

It is important to understand that BGP security has many interrelated features, with different requirements with regard to full vs partial support and ROI, e.g. BGPSEC benefits in a mixed environment are rather questionable (politely put), basic hygiene (read MANRS) will immediately bring better results, BGP RPKI benefits from “network effect” phenomenon - it brings value added even with a limited number of participants, however as the number grows, every participant benefits more and more. There’s no “green day” BGP will suddenly become completely secure, there are many steps to get there.

Revision History

Added a summary by Jeff Tantsura, removed mention of AS Cones, and a link to Fastly response to FCC inquiry

  1. That strategy worked extremely well for some tier-1 providers in the past. See also: YouTube hijack

  2. I also didn’t expect to have a reasonable conversation with an AI bot, so feel free to apply Clarke’s First Law