
RPKI

Published on: Fri, Nov 2, 2018 at 11:30 am EST

RPKI (Resource Public Key Infrastructure) is a way to help prevent BGP hijacking. It uses cryptographic signatures to validate that an ASN is allowed to announce a particular subnet.

ROAs (Route Origination Authorizations) are the key components of RPKI. ROAs only contain a few items: ASN, subnet, and max length. The ROA is then cryptographically signed and is published publicly. Any router can then use the ROA to verify that a particular announcement is authorized by the owner of the IP space.

{
    "asn" : "AS64496",
    "prefix" : "192.0.2.0/24",
    "maxLength" : 29,
    "ta" : "ARIN"
}

This states that AS64496 is authorized to announce 192.0.2.0/24 and any more specific subnets of it down to /29.

In contrast to this, the following would only allow AS64496 to announce 192.0.2.0/24 exactly. Smaller subnets from this range would not be permitted.

{
    "asn" : "AS64496",
    "prefix" : "192.0.2.0/24",
    "maxLength" : 24,
    "ta" : "ARIN"
}

RIPE offers a public service where you can look up individual ROAs.

Vultr checks the RPKI status of every customer subnet nightly. You can view the status here. There are a few different states you'll see here:

  • Valid: We were able to verify that an ROA exists for the ASN/prefix pair. This is the state you want to have.
  • Unknown: No ROA exists for the given prefix. This is what you will see for the vast majority of space. You will not generally see any problems with this state, as no ISPs are really requiring RPKI these days.

An Invalid state can cause your IP space to be unreachable from various parts of the internet, and should be corrected. Notably, you may not be able to reach Cloudflare from IP space with invalid RPKI signatures. Also, many ISPs in Africa have committed to enabling RPKI on 2019-04-01, which means that invalid prefixes will not be reachable there.

There are a few different types of invalid signatures:

  • Invalid ASN: At least one ROA exists for this prefix, but none of the ASNs in those ROAs match what your account is configured for. If you're using a private ASN, your ROAs should list our ASN (20473).
  • Invalid Prefix Length: We found an ROA that matches this prefix/ASN, but its maximum prefix length does not permit the announced prefix. This generally means you would need to issue a new ROA with the max prefix length set to 24 for IPv4 or 48 for IPv6. You could also issue a new ROA for the smaller prefix.
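The following is an added example, not part of the original article or Vultr's own tooling. It applies the route origin validation rules described above (RFC 6811) to the two sample ROAs shown earlier and returns the same Valid / Unknown / Invalid states, with the Invalid case split into the two reasons listed here. The ROA records are constructed sample data.

```python
import ipaddress

# Constructed sample ROAs in the same shape as the records shown above.
# Only asn, prefix and maxLength take part in validation; "ta" is informational.
ROAS_LOOSE = [{"asn": "AS64496", "prefix": "192.0.2.0/24", "maxLength": 29, "ta": "ARIN"}]
ROAS_EXACT = [{"asn": "AS64496", "prefix": "192.0.2.0/24", "maxLength": 24, "ta": "ARIN"}]

def asn_number(value):
    """Accept 64496 or "AS64496" and return the integer ASN."""
    text = str(value).upper()
    return int(text[2:] if text.startswith("AS") else text)

def covering_roas(roas, announced):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    found = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"], strict=True)
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            found.append(roa)
    return found

def validate_origin(roas, prefix, origin_asn):
    """Route origin validation for one announcement (prefix, origin ASN).

    Returns one of the states used on this page:
      ("Valid", ...)      an ROA authorizes origin_asn for this prefix length
      ("Unknown", ...)    no ROA covers the prefix at all (RFC 6811 "NotFound")
      ("Invalid", reason) reason is "Invalid ASN" or "Invalid Prefix Length"
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    origin = asn_number(origin_asn)
    candidates = covering_roas(roas, announced)
    if not candidates:
        return ("Unknown", "no ROA covers this prefix")
    asn_matches = [r for r in candidates if asn_number(r["asn"]) == origin]
    for roa in asn_matches:
        if announced.prefixlen <= roa["maxLength"]:
            return ("Valid", f"authorized by ROA {roa['prefix']} maxLength {roa['maxLength']}")
    if asn_matches:
        # The ASN is authorized, but the announcement is more specific than maxLength allows.
        return ("Invalid", "Invalid Prefix Length")
    # Some ROA covers the prefix, but none of them names this origin ASN.
    return ("Invalid", "Invalid ASN")

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/30", 64496), ("192.0.2.0/24", 64511)]:
        print(pfx, f"AS{asn}", validate_origin(ROAS_LOOSE, pfx, asn))
```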

RPKI can be set up via your RIR (RIPE, ARIN, APNIC and so on). Only the owner of IP space can manage RPKI ROAs. If you are leasing IP space, you would need to contact the company you are leasing from for assistance configuring RPKI.

See the following documentation for more information:
