About Resource Public Key Infrastructure (RPKI) at Rcs Print

Introduction

RPKI (Resource Public Key Infrastructure) is a way to help prevent BGP hijacking. It uses cryptographic signatures to validate that an ASN is allowed to announce a particular subnet.

About ROAs

ROAs (Route Origination Authorizations) are the key components of RPKI. ROAs only contain a few items: ASN, subnet, and max length. The ROA is then cryptographically signed and is published publicly. Any router can then use the ROA to verify that a particular announcement is authorized by the owner of the IP space.

{
    "asn" : "AS64496",
    "prefix" : "192.0.2.0/24",
    "maxLength" : 29,
    "ta" : "ARIN"
}

This states that AS64496 is authorized to announce 192.0.2.0/24 and any smaller subnets down to /29s.

In contrast to this, the following would only allow AS64496 to announce 192.0.2.0/24 exactly. Smaller subnets from this range would not be permitted.

{
    "asn" : "AS64496",
    "prefix" : "192.0.2.0/24",
    "maxLength" : 24,
    "ta" : "ARIN"
}

RIPE offers a public service where you can look up individual ROAs.

RPKI Status

Rcs checks the RPKI status of every customer subnet nightly. You can view the status in the BGP section of your customer portal. There are a few different states you'll see here:

  • Valid: We were able to verify that an ROA exists for the ASN/prefix pair. This is the state you want to have.
  • Unknown: No ROA exists for the given prefix. This is what you will see for the vast majority of space. You will not generally see any problems with this state, as no ISPs are really requiring RPKI these days.

There are a few different Invalid states. These states will prevent your IP space from being available to a very large percentage of the internet, and should be corrected:

  • Invalid ASN: At least one ROA exists for this prefix, however none of the ASNs match what your account is configured for. If you're using a private ASN, your ROAs should list our ASN (20473).
  • Invalid Prefix Length: We found an ROA that matches this prefix/ASN, however the maximum allowed prefix length is not correct. This generally means you would need to issue a new ROA with the max prefix length set to 24 for IPv4 or 48 for IPv6. You could also issue a new ROA for the smaller prefix.
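A worked example of the classification described above, added here and not part of the original article or of Rcs's portal code: a small Python route-origin check that returns the same four states over a constructed ROA set (the second ROA, AS64497, and the other AS numbers used in the checks are hypothetical; AS64496 and 192.0.2.0/24 are the page's own values).

```python
import ipaddress

# Constructed ROA set for this example: the page's first ROA (AS64496,
# 192.0.2.0/24, maxLength 29) plus one hypothetical ROA for another AS.
ROAS = [
    {"asn": "AS64496", "prefix": "192.0.2.0/24", "maxLength": 29, "ta": "ARIN"},
    {"asn": "AS64497", "prefix": "198.51.100.0/24", "maxLength": 24, "ta": "ARIN"},
]


def asn_number(asn):
    """Accept 'AS64496' or 64496 and return the integer AS number."""
    text = str(asn).upper()
    return int(text[2:] if text.startswith("AS") else text)


def covering_roas(roas, announced):
    """Return the ROAs whose prefix covers the announced prefix (same address family)."""
    net = ipaddress.ip_network(announced, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"], strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    return covering


def rov_state(roas, announced, origin_asn):
    """Classify an announcement into the states the portal shows.

    Returns 'valid', 'unknown', 'invalid_asn' or 'invalid_length'.
    """
    net = ipaddress.ip_network(announced, strict=False)
    origin = asn_number(origin_asn)
    covering = covering_roas(roas, announced)
    if not covering:
        return "unknown"  # no ROA covers this prefix at all
    asn_match = [r for r in covering if asn_number(r["asn"]) == origin]
    if not asn_match:
        return "invalid_asn"  # ROAs exist, but none of them names this origin AS
    for roa in asn_match:
        if net.prefixlen <= roa["maxLength"]:
            return "valid"  # origin matches and the announcement is within maxLength
    return "invalid_length"  # right AS, but the announcement is more specific than allowed
```

With the page's first ROA, 192.0.2.0/28 from AS64496 is valid and 192.0.2.0/30 is Invalid Prefix Length; with the page's second ROA (maxLength 24) anything more specific than the /24 would be Invalid Prefix Length.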

RPKI can be set up via your RIR (RIPE, ARIN, APNIC and so on). Only the owner of IP space can manage RPKI ROAs. If you are leasing IP space, you would need to contact the company you are leasing from for assistance configuring RPKI.

More Information

See the following documentation for more information:

  • https://www.arin.net/resources/rpki/index.html
  • https://www.apnic.net/get-ip/faqs/rpki/
  • https://blog.cloudflare.com/rpki/
  • https://nlnetlabs.nl/projects/rpki/faq/
  • https://afnog.org/pipermail/afnog/2018-November/003532.html
