Mastering RPKI Implementation: Best Practices and Key Insights

Resource Public Key Infrastructure (RPKI) is quickly becoming a cornerstone in securing the global internet routing system. The implementation of RPKI is designed to enhance route origin validation (ROV) and mitigate risks such as prefix hijacking and BGP errors. However, successfully deploying RPKI requires a clear understanding of various best practices tailored to specific operational needs. This comprehensive guide will walk you through essential RPKI strategies, offering actionable insights for network operators and stakeholders worldwide.

Choosing Between Hosted and Delegated RPKI

The first step in adopting RPKI is deciding between hosted mode and delegated mode. For beginners, hosted RPKI is highly recommended due to its simplicity and ease of use. This option is typically managed by a parent Certification Authority (CA), streamlining operations and offering a smoother introduction to RPKI. On the other hand, delegated RPKI, commonly referred to as self-hosted mode, is more suitable for advanced users and organizations with specific technical requirements. If you opt for delegated mode, leveraging an RPKI publication server provided by your CA is advised to minimize operational complexities. Notably, regional agencies like ARIN, APNIC, and RIPE NCC offer publication services for their members.

Creating Optimal Route Origin Authorizations (ROAs)

ROAs play a pivotal role in RPKI by authorizing which IP prefixes a certain Autonomous System (AS) can announce. To maximize security, it is best to align your ROAs precisely with the prefixes you are advertising in the Border Gateway Protocol (BGP). This strategy reduces the risk of misconfigurations and minimizes exposure to forged-origin sub-prefix hijacking. In scenarios where black-holing services are required, such as mitigating Distributed Denial-of-Service (DDoS) attacks, creating specific ROAs outside of your BGP advertisements may be necessary. Additionally, pay close attention to the maxLength field in each ROA. While it provides flexibility, liberal usage can introduce vulnerabilities; always reference RFC 9319 for informed configurations.

Handling Overlapping Prefixes and Upstream Providers

Network operators dealing with overlapping prefixes should prioritize specificity when creating ROAs. Start by defining ROAs for the most granular prefixes and then layer them with broader aggregates. This hierarchical approach ensures better routing precision and avoids unnecessary validation errors. If your organization lacks a public Autonomous System Number (ASN), the process becomes a bit different. Hosted RPKI services allow you to create ROAs under your upstream provider’s ASN, enabling seamless integration and protection without requiring proprietary ASNs.

Implementing Route Origin Validation (ROV)

Route Origin Validation (ROV) is an essential component of RPKI deployment. To strike the right balance between cautious implementation and security, network operators can start by monitoring existing BGP announcements against their ROAs. Gradually, you can begin tagging announcements and notifying customers about future changes before transitioning to dropping invalid BGP routes. For redundancy, it is crucial to use multiple RPKI validators from different publishers and, if possible, operate them on separate subnets to maximize reliability. In addition, trusted tools like NTT Monitor, BGPmon, or LACNIC’s validator can help verify the impact and effectiveness of your ROA setup.

RPKI and AS0 ROAs: A Word of Caution

Some Regional Internet Registries (RIRs) use AS0 ROAs to manage unallocated IP space. While these Trust Anchors are invaluable for advisory purposes, automatic filtering based on AS0 ROAs carries risks. Operators are encouraged to treat AS0 ROAs as informational and utilize them to bolster monitoring, not as a basis for immediate action. For additional guidance, consulting RFC 7115 is recommended.

The adoption of RPKI presents a significant step forward in addressing security challenges within the internet’s routing infrastructure. As these practices evolve, continuous feedback from the technical community will play a vital role in refining recommendations to serve diverse operational environments better. For comments, questions, or suggestions, stakeholders can reach out via email to rpki_program [at] nro.net. Collaborative efforts like these will ensure RPKI’s long-term impact and efficacy in safeguarding internet connectivity.