As part of AARNet’s commitment to improving the security and reliability of internet routing, we implemented Resource Public Key Infrastructure (RPKI) validation across all our upstream peering, transit and R&E connections on 17 June 2024. This initiative is pivotal in our ongoing network security enhancements in line with the Mutually Agreed Norms for Routing Security (MANRS).
What is RPKI?
RPKI is a set of standards and tools that secure the internet's routing infrastructure by using public key cryptography to attest which network is entitled to originate a given block of IP addresses. Its architecture is defined in RFC 6480 (2012) and it is supported by open-source validator projects, router vendors, and all five Regional Internet Registries (RIRs): ARIN, APNIC, AFRINIC, LACNIC, and RIPE NCC. RPKI serves two main functions:
- Creation of Route Origin Authorisations (ROAs): a ROA is a signed statement by the holder of an IP address block that a particular Autonomous System (AS) number is authorised to originate a given prefix, optionally together with the longest prefix length (maxLength) that may be announced under it.
- Routing policy enforcement: networks fetch the validated ROA data and compare each received BGP announcement's prefix and origin AS against it. Each route is classified as Valid, Invalid, or NotFound (no ROA covers the prefix), and routing policy acts on that state, typically by rejecting Invalid announcements.
Implementation at AARNet
From 17 June 2024, AARNet enforces routing policy based on RPKI on all international transit, NREN and R&E connections, and peering exchanges. This involves:
- Rejecting invalid routes: an announcement is Invalid when one or more ROAs cover the prefix but none of them authorises the announcing origin AS at the announced prefix length. Such routes are rejected. Prefixes with no covering ROA at all are NotFound rather than Invalid and are not rejected by this policy. Rejecting Invalids is the practical defence against prefix hijacks and accidental mis-origination, both common in the BGP environment.
- Route Origin Validation (ROV): by performing ROV on every received route, AARNet enhances the integrity of its routing information and ensures that only routes with a verifiable origin are accepted and propagated to customers and peers.
Benefits of RPKI implementation
- Improved security: validates the legitimacy of the route origin, reducing the risk of prefix hijacks and accidental mis-origination. Note that ROV checks only the origin AS; it does not detect route leaks or forged AS paths, which require other controls.
- Increased transparency: Allows network operators to verify and validate prefixes against authoritative sources, enhancing trust in routing information.
- Supports global routing security initiatives: Complements other security measures under the MANRS guidelines, such as anti-spoofing and coordination.
Responsibilities of network operators and institutions
Network operators and institutions connected to AARNet must adopt RPKI. Key responsibilities include:
- Ensuring that every prefix they originate is accurately registered with their RIR (APNIC for Australian resources) so that ROAs can be created for it.
- Ensuring that ROAs are correctly generated and maintained: one for each origin AS that actually announces the prefix, with a maxLength no longer than the most specific prefix actually announced. A maxLength shorter than an announced more-specific makes that announcement Invalid, so ROV-enforcing networks, AARNet included, will drop it; a maxLength longer than needed lets anyone who forges your origin AS announce a more-specific that validates as well. See this APNIC article for more information on ROAs.
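The following worked example is added here and is not AARNet's code or tooling. It implements the Route Origin Validation procedure described under "What is RPKI?" (Valid / Invalid / NotFound per RFC 6811, including maxLength and AS 0 handling) and then uses it for the check an operator wants before relying on an ROV-enforcing upstream: list which of its own announcements are not Valid so the ROAs can be corrected. The ROA set, the prefixes (IETF documentation ranges) and the AS numbers are constructed for illustration and do not describe any real network.

```python
"""Route Origin Validation (RFC 6811) and a self-audit of announcements.

Added example, not AARNet code. All ROAs and announcements below are
constructed: the prefixes are IETF documentation ranges and the AS
numbers are from the documentation/private ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorisation: prefix, maxLength and authorised origin AS.
    asn == 0 is the RFC 6483 'AS 0' ROA: nobody may originate the prefix."""
    prefix: Network
    max_length: int
    asn: int


def roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting a maxLength shorter than the prefix or longer
    than the address family allows (such a ROA is malformed)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(
            f"maxLength {max_length} outside {net.prefixlen}..{net.max_prefixlen} for {prefix}"
        )
    return ROA(net, max_length, asn)


def covering_roas(roas: Sequence[ROA], announced: Network) -> List[ROA]:
    """ROAs whose prefix equals or contains the announced prefix."""
    return [
        r for r in roas
        if r.prefix.version == announced.version and announced.subnet_of(r.prefix)
    ]


def validate(roas: Sequence[ROA], prefix: str, origin_asn: int) -> str:
    """RFC 6811 validation state of one announcement.

    NotFound: no ROA covers the prefix (ROV policy does not reject these).
    Valid:    some covering ROA names the origin AS and the announced
              length is within that ROA's maxLength.
    Invalid:  covering ROAs exist but none matches; this includes a
              more-specific beyond maxLength and a prefix under an AS 0 ROA.
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covered = covering_roas(roas, announced)
    if not covered:
        return "NotFound"
    for r in covered:
        if r.asn != 0 and r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def audit_announcements(
    roas: Sequence[ROA], announcements: Sequence[Tuple[str, int]]
) -> List[Tuple[str, int, str]]:
    """Every (prefix, origin) an operator announces that is not Valid, with
    its state, so ROAs can be fixed before an ROV-enforcing upstream drops it."""
    findings = []
    for prefix, origin in announcements:
        state = validate(roas, prefix, origin)
        if state != "Valid":
            findings.append((prefix, origin, state))
    return findings


# Constructed ROA set, as a validator would hand it to the router.
ROAS = [
    roa("203.0.113.0/24", 24, 64500),   # IPv4 block; only the /24 itself is authorised
    roa("2001:db8::/32", 48, 64500),    # IPv6 block; more-specifics down to /48 allowed
    roa("198.51.100.0/24", 24, 0),      # AS 0 ROA: this prefix must not appear in BGP
]

# Constructed announcements as an ROV-enforcing router would receive them.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # Valid
    ("203.0.113.0/25", 64500),   # Invalid: more specific than maxLength 24
    ("203.0.113.0/24", 64501),   # Invalid: wrong origin AS (what a hijack looks like)
    ("2001:db8:1::/48", 64500),  # Valid: within maxLength 48
    ("2001:db8::/64", 64500),    # Invalid: beyond maxLength 48
    ("192.0.2.0/24", 64500),     # NotFound: no ROA, so ROV policy accepts it
    ("198.51.100.0/24", 64500),  # Invalid: AS 0 ROA
]

if __name__ == "__main__":
    for prefix, origin in ANNOUNCEMENTS:
        print(f"{prefix:20} AS{origin:<6} {validate(ROAS, prefix, origin)}")
    print("Needs attention:", audit_announcements(ROAS, ANNOUNCEMENTS))
```

The two Invalid IPv4 cases show the two ways an operator's own traffic is lost under ROV: announcing a more-specific beyond the ROA's maxLength, and originating from an AS the ROA does not name (a second AS used for a site, or a transition to a new ASN). The audit function is the pre-flight check for exactly those mistakes; run it against the prefixes you actually announce, not the ones you intend to.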
By adopting RPKI and rejecting invalid routes, AARNet not only enhances its network security but also contributes to a more stable and trustworthy global internet infrastructure. Our expectation is that all network operators and institutions connected to AARNet will collaborate in these efforts, ensuring a collective improvement in internet routing security.
We also recommend adopting MANRS practices and engaging with global routing security initiatives by implementing the recommended actions: prefix and AS-path filtering, anti-spoofing, coordination, and global validation (publishing ROAs and keeping IRR data accurate).
More Information
If you’d like more information about how AARNet is implementing RPKI or have any questions, please contact us at support@aarnet.edu.au.