Resource Public Key Infrastructure

Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework to support improved security for the Internet's BGP routing infrastructure.

RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP addresses) to a trust anchor. The certificate structure mirrors the way in which Internet number resources are distributed. That is, resources are initially distributed by the IANA to the regional Internet registries (RIRs), who in turn distribute them to local Internet registries (LIRs), who then distribute the resources to their customers. RPKI can be used by the legitimate holders of the resources to control the operation of Internet routing protocols to prevent route hijacking and other attacks. In particular, RPKI is used to secure the Border Gateway Protocol (BGP) through BGP Route Origin Validation (ROV), as well as Neighbor Discovery Protocol (ND) for IPv6 through the Secure Neighbor Discovery protocol (SEND).

The RPKI architecture is documented in RFC 6480. The RPKI specification is spread across a series of RFCs: RFC 6481, RFC 6482, RFC 6483, RFC 6484, RFC 6485, RFC 6486, RFC 6487, RFC 6488, RFC 6489, RFC 6490, RFC 6491, RFC 6492, and RFC 6493. SEND is documented in RFC 6494 and RFC 6495. These RFCs are a product of the IETF's SIDR ("Secure Inter-Domain Routing") working group,[1] and are based on a threat analysis documented in RFC 4593. These standards cover BGP origin validation, while path validation is provided by BGPsec, which has been standardized separately in RFC 8205. Several implementations of prefix origin validation already exist.[2]

Resource Certificates and child objects

RPKI uses X.509 PKI certificates (RFC 5280) with extensions for IP addresses and AS identifiers (RFC 3779). It allows the members of regional Internet registries, known as local Internet registries (LIRs), to obtain a resource certificate listing the Internet number resources they hold. This offers them validatable proof of holdership, though the certificate does not contain identity information. Using the resource certificate, LIRs can create cryptographic attestations about the route announcements they authorise to be made with the prefixes and ASNs they hold. These attestations are described below.

Route Origin Authorizations

A Route Origin Authorization (ROA)[3] states which autonomous system (AS) is authorised to originate certain IP prefixes. In addition, it can determine the maximum length of the prefix that the AS is authorised to advertise.

Maximum prefix length

The maximum prefix length is an optional field. When not defined, the AS is only authorised to advertise exactly the prefix specified. Any more specific announcement of the prefix will be considered invalid. This is a way to enforce aggregation and prevent hijacking through the announcement of a more specific prefix.

When present, this specifies the length of the most specific IP prefix that the AS is authorised to advertise. For example, if the IP address prefix is 10.0.0.0/16 and the maximum length is 22, the AS is authorised to advertise any prefix under 10.0.0.0/16, as long as it is no more specific than /22. So, in this example, the AS would be authorised to advertise 10.0.0.0/16, 10.0.128.0/20 or 10.0.252.0/22, but not 10.0.255.0/24.

Autonomous System Provider Authorizations

An Autonomous System Provider Authorization (ASPA) states which networks are permitted to appear as direct upstream adjacencies of an autonomous system in BGP AS_PATHs.[4]

RPKI route announcement validity

When a ROA is created for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity[5] of one or more route announcements. They can be:

  • VALID
    • The route announcement is covered by at least one ROA
  • INVALID
    • The prefix is announced from an unauthorised AS. This means:
      • There is a ROA for this prefix for another AS, but no ROA authorising this AS; or
      • This could be a hijacking attempt
    • The announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix and AS
  • UNKNOWN
    • The prefix in this announcement is not covered (or only partially covered) by an existing ROA

Note that invalid BGP updates may also be due to incorrectly configured ROAs.[6]
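The maximum-length rule and the VALID / INVALID / UNKNOWN outcomes above can be put together as a small origin-validation routine. The following is an added example, not code from the article or from any RPKI project; it implements the covering-ROA logic as the text describes it (a ROA covers a route when the route's prefix lies within the ROA prefix, the route is VALID when a covering ROA names the origin AS and the announced prefix is no longer than the maximum length, INVALID when only non-matching covering ROAs exist, and UNKNOWN when nothing covers it). The ROA set and the AS numbers 64500 and 64501 are constructed for the demonstration; the 10.0.0.0/16 / maximum length 22 figures are the article's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, origin AS and optional maximum length."""
    prefix: str
    asn: int
    max_length: Optional[int] = None   # None: only the exact prefix is authorised

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def effective_max_length(self) -> int:
        # When the optional field is absent, the maximum length equals the prefix length.
        return self.max_length if self.max_length is not None else self.network.prefixlen

    def covers(self, announced) -> bool:
        # A ROA covers an announcement only within the same address family and only when
        # the announced prefix lies inside (or equals) the ROA prefix. An announcement that
        # is less specific than the ROA prefix is at most "partially covered" and does not count.
        roa_net = self.network
        return announced.version == roa_net.version and announced.subnet_of(roa_net)

def validate_origin(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return "VALID", "INVALID" or "UNKNOWN" for an announced (prefix, origin AS) pair."""
    announced = ipaddress.ip_network(prefix)
    covering = [roa for roa in roas if roa.covers(announced)]
    if not covering:
        return "UNKNOWN"          # no ROA covers this prefix at all
    for roa in covering:
        # Same origin AS and not more specific than the ROA allows -> authorised.
        if roa.asn == origin_asn and announced.prefixlen <= roa.effective_max_length:
            return "VALID"
    # Covered by at least one ROA, but none authorises this AS at this length:
    # either a different AS, or an announcement more specific than the maximum length.
    return "INVALID"

# Constructed sample ROA set (AS 64500 / 64501 are documentation AS numbers).
SAMPLE_ROAS = (
    ROA("10.0.0.0/16", 64500, max_length=22),   # the article's example
    ROA("192.0.2.0/24", 64500),                 # no maximum length: exact prefix only
)

if __name__ == "__main__":
    for announced, asn in [("10.0.0.0/16", 64500), ("10.0.128.0/20", 64500),
                           ("10.0.252.0/22", 64500), ("10.0.255.0/24", 64500),
                           ("10.0.0.0/16", 64501), ("192.0.2.0/25", 64500),
                           ("10.0.0.0/15", 64500), ("198.51.100.0/24", 64500)]:
        print(f"{announced:18} AS{asn}: {validate_origin(announced, asn, SAMPLE_ROAS)}")
```

In a real relying-party deployment the ROA set comes from validated repository data rather than a literal, and the routing policy then decides what to do with each outcome (typically rejecting INVALID routes and accepting UNKNOWN ones, possibly with a lower preference).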

Management

There are open source tools[7] available to run the certificate authority and manage the resource certificate and child objects such as ROAs. In addition, the RIRs have a hosted RPKI platform available in their member portals. This allows LIRs to choose to rely on a hosted system, or run their own software.

Publication

The system does not use a single repository publication point to publish RPKI objects. Instead, the RPKI repository system consists of multiple distributed and delegated repository publication points. Each repository publication point is associated with one or more RPKI certificates' publication points. In practice this means that when running a certificate authority, an LIR can either publish all cryptographic material themselves, or they can rely on a third party for publication. When an LIR chooses to use the hosted system provided by the RIR, in principle publication is done in the RIR repository.

Validation

Relying party software will fetch, cache, and validate repository data using rsync or the RPKI Repository Delta Protocol (RFC 8182).[8] It is important for a relying party to regularly synchronize with all the publication points to maintain a complete and timely view of repository data. Incomplete or stale data can lead to erroneous routing decisions.[9][10]

Routing decisions

After validation of ROAs, the attestations can be compared to BGP routing and aid network operators in their decision-making process. This can be done manually, but the validated prefix origin data can also be sent to a supported router using the RPKI to Router Protocol (RFC 6810).[11] Cisco Systems offers native support on many platforms[12] for fetching the RPKI data set and using it in the router configuration.[13] Juniper offers support on all platforms[14] that run version 12.2 or newer. Quagga obtains this functionality through BGP Secure Routing Extensions (BGP-SRx)[15] or a fully RFC-compliant RPKI implementation[16] based on RTRlib. The RTRlib[17] provides an open source C implementation of the RTR protocol and prefix origin verification. The library is useful for developers of routing software but also for network operators.[18] Developers can integrate the RTRlib into a BGP daemon to extend their implementation towards RPKI. Network operators may use the RTRlib to develop monitoring tools (e.g., to check the proper operation of caches or to evaluate their performance).
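The RPKI to Router Protocol carries validated ROA payload to the router as fixed-layout binary PDUs. As an added example (not code from the article, RTRlib or any router vendor), the block below encodes and parses the IPv4 Prefix and IPv6 Prefix PDUs of RFC 6810 (protocol version 0; PDU types 4 and 6; the low bit of the flags byte distinguishes an announcement from a withdrawal), with the length and range checks a client needs before trusting a record from the cache. The sample records (10.0.0.0/16 max 22, 2001:db8::/32 max 48, AS 64500) are constructed; the encoder exists only so the parser can be exercised offline.

```python
import ipaddress
import struct
from typing import List, NamedTuple

RTR_VERSION = 0            # RFC 6810 protocol version
PDU_IPV4_PREFIX = 4
PDU_IPV6_PREFIX = 6
HEADER = struct.Struct("!BBHI")   # version, PDU type, reserved, total length (bytes)
PREFIX_FIELDS = struct.Struct("!BBBB")  # flags, prefix length, max length, zero

class PrefixRecord(NamedTuple):
    announce: bool
    prefix: str
    max_length: int
    asn: int

def encode_prefix_pdu(prefix: str, max_length: int, asn: int, announce: bool = True) -> bytes:
    """Build one IPv4/IPv6 Prefix PDU (RFC 6810 sections 5.6 and 5.7)."""
    net = ipaddress.ip_network(prefix)
    pdu_type = PDU_IPV4_PREFIX if net.version == 4 else PDU_IPV6_PREFIX
    addr = net.network_address.packed
    total = HEADER.size + PREFIX_FIELDS.size + len(addr) + 4
    return (HEADER.pack(RTR_VERSION, pdu_type, 0, total)
            + PREFIX_FIELDS.pack(1 if announce else 0, net.prefixlen, max_length, 0)
            + addr + struct.pack("!I", asn))

def parse_prefix_pdus(buf: bytes) -> List[PrefixRecord]:
    """Walk a byte stream of PDUs, returning the prefix records it contains.

    PDU types other than the two prefix types are skipped by their declared length;
    any malformed framing raises ValueError rather than yielding a partial record.
    """
    records, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated PDU header")
        version, pdu_type, _reserved, length = HEADER.unpack_from(buf, off)
        if version != RTR_VERSION:
            raise ValueError(f"unexpected protocol version {version}")
        if length < HEADER.size or off + length > len(buf):
            raise ValueError("PDU length field inconsistent with buffer")
        body = buf[off + HEADER.size: off + length]
        if pdu_type in (PDU_IPV4_PREFIX, PDU_IPV6_PREFIX):
            addr_len = 4 if pdu_type == PDU_IPV4_PREFIX else 16
            if length != HEADER.size + PREFIX_FIELDS.size + addr_len + 4:
                raise ValueError(f"bad length {length} for prefix PDU type {pdu_type}")
            flags, plen, maxlen, _zero = PREFIX_FIELDS.unpack_from(body, 0)
            if not (plen <= maxlen <= addr_len * 8):
                raise ValueError(f"prefix length {plen} / max length {maxlen} out of range")
            addr = ipaddress.ip_address(body[PREFIX_FIELDS.size: PREFIX_FIELDS.size + addr_len])
            (asn,) = struct.unpack_from("!I", body, PREFIX_FIELDS.size + addr_len)
            records.append(PrefixRecord(bool(flags & 1), f"{addr}/{plen}", maxlen, asn))
        off += length
    return records

# Constructed sample stream: one IPv4 announcement followed by one IPv6 withdrawal.
SAMPLE_STREAM = (encode_prefix_pdu("10.0.0.0/16", 22, 64500)
                 + encode_prefix_pdu("2001:db8::/32", 48, 64500, announce=False))

if __name__ == "__main__":
    for rec in parse_prefix_pdus(SAMPLE_STREAM):
        print(rec)
```

A router or monitoring tool would feed the announced records into its validated-ROA table and remove withdrawn ones, exactly the bookkeeping RTRlib performs for a BGP daemon.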

RFC 6494 updates the certificate validation method of the Secure Neighbor Discovery protocol (SEND), the security mechanism for the IPv6 Neighbor Discovery Protocol (ND), to use RPKI. It defines a SEND certificate profile based on a modified RFC 6487 RPKI certificate profile, which must include a single RFC 3779 IP address delegation extension.

References

  1. ^ "Secure Inter-Domain Routing (SIDR)". datatracker.ietf.org.
  2. ^ Resource Public Key Infrastructure (RPKI) Router Implementation Report (RFC 7128), R. Bush, R. Austein, K. Patel, H. Gredler, M. Waehlisch, February, 2014
  3. ^ A Profile for Route Origin Authorizations (ROAs), M. Lepinski, S. Kent, D. Kong, May 9, 2011
  4. ^ Azimov, Alexander; Bogomazov, Eugene; Bush, Randy; Patel, Keyur; Snijders, Job; Sriram, Kotikalapudi (29 August 2023). "BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects". Internet Engineering Task Force.
  5. ^ Huston, Geoff; Michaelson, George G. (Feb 2012). Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations (ROAs) (Report). Internet Engineering Task Force.
  6. ^ M. Wählisch, O. Maennel, T.C. Schmidt: "Towards Detecting BGP Route Hijacking using the RPKI", Proc. of ACM SIGCOMM, pp. 103–104, New York:ACM, August 2012.
  7. ^ "GitHub - dragonresearch/rpki.net: Dragon Research Labs rpki.net RPKI toolkit". November 23, 2019 – via GitHub.
  8. ^ Bruijnzeels, Tim; Muravskiy, Oleg; Weber, Bryan; Austein, Rob (July 2017). "RFC 8182 - The RPKI Repository Delta Protocol". datatracker.ietf.org.
  9. ^ Kristoff, John; Bush, Randy; Kanich, Chris; Michaelson, George; Phokeer, Amreesh; Schmidt, Thomas C.; Wählisch, Matthias (2020-10-27). "On Measuring RPKI Relying Parties". Proceedings of the ACM Internet Measurement Conference. IMC '20. New York, NY, USA: Association for Computing Machinery. pp. 484–491. doi:10.1145/3419394.3423622. ISBN 978-1-4503-8138-3. S2CID 225042016.
  10. ^ Kristoff, John; Bush, Randy; Kanich, Chris; Michaelson, George; Phokeer, Amreesh; Schmidt, Thomas C.; Wählisch, Matthias (2020-10-27). "On Measuring RPKI Relying Parties". Proceedings of the ACM Internet Measurement Conference. ACM. pp. 484–491. doi:10.1145/3419394.3423622. ISBN 978-1-4503-8138-3. S2CID 225042016.
  11. ^ Bush, Randy; Austein, Rob (January 2013). "RFC 6810 - The Resource Public Key Infrastructure (RPKI) to Router Protocol". datatracker.ietf.org.
  12. ^ "RPKI Configuration with Cisco IOS". RIPE.
  13. ^ "Cisco IOS IP Routing: BGP Command Reference - BGP Commands: M through N [Support]". Cisco.
  14. ^ "Example: Configuring Origin Validation for BGP - Technical Documentation - Support - Juniper Networks". www.juniper.net.
  15. ^ "BGP Secure Routing Extension (BGP‑SRx) Prototype". NIST. August 15, 2016.
  16. ^ "Quagga with RPKI-RTR prefix origin validation support: rtrlib/quagga-rtrlib". May 10, 2019 – via GitHub.
  17. ^ "RTRlib - The RPKI RTR Client C Library". rpki.realmv6.org.
  18. ^ M. Wählisch, F. Holler, T.C. Schmidt, J.H. Schiller: "RTRlib: An Open-Source Library in C for RPKI-based Prefix Origin Validation", Proc. of USENIX Security Workshop CSET'13, Berkeley, CA, USA: USENIX Assoc., 2013.
