RPKI Dimension
BGP is the routing protocol that makes the internet work—it is the language spoken by routers on the Internet to determine how packets can be sent from one router to another to reach their final destination.
However, route leaks and hijacks happen semi-frequently and usually result in part of the internet being unreachable.
An improved routing security mechanism is needed to make the Internet routing world safer. Enter RPKI…
Resource Public Key Infrastructure (RPKI), defined by RFC 6480, is a cryptographic method designed to sign the association between a BGP route prefix and its originating AS number. One way to think about it: RPKI is to BGP what DNSSEC is to DNS. It offers a way to validate the origin of BGP prefixes against an official, signed list of prefixes by origin ASN.
Kentik has now integrated RPKI support via new dimensions, to allow users to precisely determine what would happen to the existing network traffic if they were to turn on RPKI validation on their networking equipment.
More details about these dimensions:
RPKI Validation Status: Contains the full RPKI state for a given flow, including the values shown in the table below:
RPKI Validation Status | Value Description
---|---
RPKI Unknown | No Route Origin Authorization (ROA) has been found that covers the routes being analyzed.
RPKI Valid | There is a valid Route Origin Authorization (ROA) for that destination prefix, and the BGP announcements for it are originated by the correct, authorized ASN.
RPKI Invalid - Covering Valid/Unknown | The validation state of the prefix is invalid, but there is a larger supernet or covering route that is RPKI Valid or RPKI Unknown that would be used to forward traffic to the destination prefix.
RPKI Invalid - Prefix length out of bounds | Traffic under this label will be dropped in case of strict route validation.
RPKI Invalid - Incorrect Origin ASN | The preferred BGP route for a specific prefix isn't originated by the ASN specified by the ROA.
RPKI Invalid - Explicit ASN 0 | The RPKI standard allows statically defining prefixes that should not be trusted at all. A Route Origin Authorization (ROA) with ASN = 0 means that any traffic coming from that prefix, and from all the prefixes contained in it as per maxLength, will be considered explicitly invalid.
RPKI Quick Status: Tells how traffic is going to behave globally by aggregating the RPKI Validation Statuses. See the table below:
RPKI Quick Status | Corresponding RPKI Validation Status | Route Validation Behavior
---|---|---
RPKI Unknown | RPKI Unknown | Will be forwarded
RPKI Valid | RPKI Valid | Will be forwarded
RPKI Invalid - Covering Valid/Unknown | RPKI Invalid - Covering Valid/Unknown | Will be forwarded
RPKI Invalid - Will be dropped | RPKI Invalid - Prefix length out of bounds, Incorrect Origin ASN, Explicit ASN 0 | Will be dropped
Empty value | Empty value | Undetermined behavior
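To make the two tables concrete, here is an added example (not Kentik's code, and the ROAs and BGP table are constructed sample data) that performs RFC 6811 origin validation for each route, names the Invalid sub-state, and then derives the Quick Status by checking for a covering route that is Valid or Unknown:

```python
from ipaddress import ip_network

# Constructed ROA list (assumed sample data, not Kentik's): (prefix, maxLength, origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("203.0.113.0/24", 24, 0),       # ASN 0 ROA: no AS may originate this space
]

# Constructed BGP table: one preferred path per prefix as (prefix, origin ASN).
TABLE = [
    ("192.0.2.0/24", 64666),         # wrong origin and nothing less specific covers it
    ("198.51.100.0/22", 64501),      # matches its ROA
    ("198.51.100.0/25", 64501),      # too specific for maxLength 24, but the /22 covers it
    ("203.0.113.0/24", 64502),       # hits the ASN 0 ROA
    ("2001:db8::/32", 64503),        # no ROA at all
]

def validate(prefix, origin_asn, roas=ROAS):
    """Origin validation per RFC 6811: returns (RPKI Validation Status, Invalid sub-state)."""
    net = ip_network(prefix)
    covering = [(ip_network(p), ml, asn) for p, ml, asn in roas
                if ip_network(p).version == net.version and net.subnet_of(ip_network(p))]
    if not covering:
        return "RPKI Unknown", None
    # Valid if any covering ROA names this origin and permits this prefix length
    if any(asn != 0 and asn == origin_asn and net.prefixlen <= ml for _, ml, asn in covering):
        return "RPKI Valid", None
    if any(asn == 0 for _, _, asn in covering):
        return "RPKI Invalid", "Explicit ASN 0"
    if any(asn == origin_asn and net.prefixlen > ml for _, ml, asn in covering):
        return "RPKI Invalid", "Prefix length out of bounds"
    return "RPKI Invalid", "Incorrect Origin ASN"

def quick_status(prefix, origin_asn, table=TABLE, roas=ROAS):
    """Map a route to the RPKI Quick Status and its behavior under strict validation."""
    status, _ = validate(prefix, origin_asn, roas)
    if status != "RPKI Invalid":
        return status, "Will be forwarded"
    net = ip_network(prefix)
    for p, asn in table:  # look for a less-specific route that is Valid or Unknown
        other = ip_network(p)
        if (other.version == net.version and other != net and net.subnet_of(other)
                and validate(p, asn, roas)[0] != "RPKI Invalid"):
            return "RPKI Invalid - Covering Valid/Unknown", "Will be forwarded"
    return "RPKI Invalid - Will be dropped", "Will be dropped"

def classify_table(table=TABLE, roas=ROAS):
    """Quick Status for every route: what turning on strict validation would do to each."""
    return {p: quick_status(p, asn, table, roas) for p, asn in table}
```

Running `classify_table()` shows the /25 surviving because its Valid /22 parent would carry the traffic, while the wrong-origin and ASN 0 routes have no covering route and would be dropped.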
Furthermore, combining the RPKI dimensions with other dimensions can provide a very detailed picture of potentially invalid or malicious traffic, helping network operators make informed decisions about turning RPKI Route Validation on or off selectively. For example, you can cross-check with connectivity types such as PNIs, IX peerings and transit; with Routers and Sites; or with end customers' IDs.
For more information, please see our blog post introducing RPKI, our blog post with a technical walkthrough of how the RPKI features can be used in Kentik, and the BGP Dimension Reference in our Knowledge Base (search for "RPKI"), or contact our Customer Success team.
Lastly, stay tuned for more news concerning chfAgent as it now embeds both an RPKI validator and an RTR-speaking server, that can be leveraged by routers to perform route validation based on the aggregated global list of ROAs.