BGP security: why it's important that every provider implements RPKI

RPKI (Resource Public Key Infrastructure) is a way to improve Border Gateway Protocol security. An important nuance is that all internet service providers must implement this standard for it to be 100% effective.

The “Border Gateway Protocol” or BGP was established in 1994. It is the basis of internet routing. The protocol ensures that the massive quantity of individual networks that make up the internet can ‘talk’ to each other.

However, BGP wasn't developed with security in mind. It's still possible for an Autonomous System (AS), a subnet of the internet with its own routing policy, to announce IP addresses that it doesn't legitimately own. This is called BGP hijacking or prefix hijacking. It occurs for one of two reasons: an incorrect configuration or malicious intent.

A possible effect of a “hijacked” prefix is that an internet user who tries to reach an IP address within the hijacked range doesn't arrive at the legitimate destination. Instead, the user loses connectivity or, even worse, arrives at a malicious website. In the latter case, the data traffic is intentionally diverted to a different platform.

Digital signature of prefixes

Several improvements have been made over the years to strengthen BGP security. RPKI (Resource Public Key Infrastructure) is one of them. This framework makes it possible to add a digital signature to prefixes so BGP routers can reject invalid prefixes. A ROA (Route Origin Authorisation) record links a prefix to an AS number and provides verifiable proof that the internet service provider is the owner of that prefix.

RPKI helps reduce the BGP security risk but still isn't common practice. Less than 20% of IPv4 prefixes are currently marked as legitimate.

Collective effort is required

A content delivery network (CDN) provider recently launched an online tool that allows users to check their internet provider for BGP security problems. Users connected to Belnet received the notification that Belnet was not implementing BGP securely.

The tool's result is somewhat misleading: it doesn't mean that the Belnet network is less secure. Implementing RPKI prevents hijacked prefixes from being routed through Belnet, but it will not prevent Belnet prefixes (and those of its customers) from being ‘hijacked’.

In other words, BGP will only be safer if all internet service providers implement RPKI. They must all sign their prefixes digitally, check the validity of received prefixes, and refuse invalid prefixes. It is, therefore, a question of collective effort.

Belnet has been contributing to this collective effort since 2013. All Belnet prefixes are covered by a ROA, and we are about to complete the RPKI implementation by filtering invalid routes that enter our network.

A continuous process of improvement

At Belnet we have already taken lots of measures to contribute to internet security. We have also protected our network from spoofing attacks, whereby data packets are sent with a fake sender address (“BCP 38”). We monitor new security developments closely and evaluate how we can apply them to continually make our network more secure for our customers.

Copyright © 2020 Belnet.