RIPE NCC Secures Internet Routing With Certification Service

Internet traffic hijacking will be less likely once the Internet's routing registry is backed by cryptographically signed certificates

The independent, not-for-profit RIPE Network Co-ordination Centre (NCC) has released a resource certification service that lets anyone verify which of its registered members is the legitimate holder of a given block of IP addresses or an autonomous system number. The aim is to give networks a trustworthy basis for deciding which route announcements to accept, so that traffic hijacking will, hopefully, become a thing of the past.

The system is based on public key infrastructure (PKI) certificates, issued to holders of IP address space or autonomous system numbers by the RIPE NCC or any of the other four Regional Internet Registries (RIRs) that allocate those resources worldwide. A certificate attests that the registry allocated the resource to that holder; it is a statement about who holds the numbers, not about how traffic to them is routed.

It may be seen as a reaction to the recent re-routing of network traffic through China but the move has been in the planning stage for the past decade. The Chinese incident merely showed how vulnerable Internet traffic is to malicious or accidental hijacking.

Addressing the insecurity of the Border Gateway Protocol

For 18 minutes last April, a chunk of global Internet traffic was rerouted through a single ISP, China Telecom, after it announced routes for address space it did not hold and other networks accepted them. Whether the redirection was intentional or accidental is less important than the fact that it could happen at all. The interception could have allowed the Chinese authorities to examine emails sent by foreign government agencies to gain intelligence.

The incident underlined that the Border Gateway Protocol (BGP) has no built-in security: a router accepts whatever routes its neighbours announce, with no way to check that the announcing network is entitled to the address space. That alarm bell proved the RIR engineers right to have been concerned about the lack of in-built security in the Internet's routing protocol.

Even so, the introduction of the new signature-based Resource PKI (RPKI) certification system is being criticised. Dissenters point out that it will have to be rolled out across all the registration bodies and the major ISPs before it delivers the kind of resilience required; a network that validates routes gains little while its neighbours still accept whatever they are announced.

On the positive side, the standard has been developed by some of the big names in Internet infrastructure provision. Companies such as Cisco, Deutsche Telekom, Equinix, Google, NTT and Sprint, among others, have all played a part in the design of RPKI and are expected to be the initial adopters and evangelists driving the uptake.

Geoff Huston, chief scientist at the Asia Pacific Network Information Centre (APNIC), said, “The intent of the overall work – which involves the RPKI as the underlying security platform and secure BGP as a way of introducing signed credentials into the routing system – is to make the routing system automatically detectable and, therefore, automatically removable. It will eliminate a large class of problems… Such a system would directly address the [China Telecom] incident.”

The RPKI development effort was funded in part by the US Department of Homeland Security, which has made bolstering the security of the Internet’s routing system a key cybersecurity initiative.

Adoption of RPKI lets a network check, before it accepts a route, that the autonomous system originating the announcement has been authorised to do so by the registered holder of the prefix. Announcements that fail the check can be rejected or given lower preference, so a hijacked prefix is dropped instead of followed, whether the bogus announcement was deliberate or the result of a configuration mistake.
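To make that check concrete, here is an added example (written for this edit, not code from the RIPE NCC or any router vendor) implementing route origin validation as specified in RFC 6811. Each route announcement is compared against Route Origin Authorisations (ROAs), the signed RPKI objects in which a resource holder names the AS allowed to originate a prefix and the longest more-specific prefix it permits. The ROA table, prefixes and AS numbers below are constructed for illustration (documentation prefixes and private ASNs), not real registry data; a production validator would fetch ROAs from the RIR repositories and verify their signatures before using them.

```python
"""Route origin validation (RFC 6811) against a constructed ROA set.

Added example; not code from the RIPE NCC or any router vendor.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the holder authorises, e.g. "192.0.2.0/24"
    max_length: int   # longest more-specific the holder allows to be announced
    origin_as: int    # AS number authorised to originate the prefix


# Constructed ROA set (hypothetical holders; documentation prefixes, private ASNs).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),
    ROA("198.51.100.0/24", 24, 64498),   # a second authorised origin
]


def validate_route(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return the RFC 6811 validation state for one announcement.

    NotFound: no ROA covers the prefix (the holder has not published one yet).
    Valid:    some covering ROA names this origin AS and permits this length.
    Invalid:  ROAs cover the prefix but none authorises this origin/length.
    """
    route = ip_network(prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=True)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def apply_policy(announcements, roas=ROAS):
    """Split announcements into (accepted, rejected) under a common rollout
    policy: drop Invalid, accept Valid, and accept NotFound so that prefixes
    whose holders have not yet published ROAs keep working."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = validate_route(prefix, origin_as, roas)
        entry = (prefix, origin_as, state)
        (rejected if state == "Invalid" else accepted).append(entry)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcements: the legitimate origin, an AS announcing a
    # prefix it does not hold, and a prefix with no ROA at all.
    seen = [
        ("192.0.2.0/24", 64496),
        ("192.0.2.0/24", 64500),
        ("192.0.2.0/25", 64496),   # too specific: holder capped length at /24
        ("198.51.100.0/26", 64497),
        ("203.0.113.0/24", 64500),
    ]
    ok, dropped = apply_policy(seen)
    for entry in ok:
        print("accept", entry)
    for entry in dropped:
        print("reject", entry)
```

The /25 case is the one operators most often get wrong: even the legitimate holder's own more-specific announcement is Invalid if the ROA's maximum length does not allow it, so a holder that announces more-specifics must publish ROAs (or a maxLength) that cover them before its neighbours start dropping Invalid routes.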

IPv4 exhaustion makes the time ripe for change

Andrew de La Haye, chief operations officer at the RIPE NCC, explained why the moves are so critical at the moment. He said, “As the unallocated pool of IPv4 addresses runs out, the need for reliable registration will be greater than ever, with a greater incentive for illegitimate operators to use addresses that are not registered to them. A lack of available, unused IPv4 addresses may also see people wishing to sell or trade their IPv4 address holdings – in such cases, it will be vital to be able to verify the legitimate registrant of those resources.”

He added that resource certification will prevent “route hacking” and help ensure that any transfers of Internet address spaces will be reliable and secure. RPKI means recipients can be certain resources have been legitimately allocated or assigned by a genuine RIR.

The RIPE NCC will initially offer its resource certification service with a limited feature set; this will be expanded over time as the system evolves. Router manufacturers are also planning to incorporate resource certification into their products, so that route verification and filtering can be done by the routers themselves rather than through hand-maintained filter lists.