RPKI
Resource Public Key Infrastructure (RPKI) is a framework for validating the origin of BGP route announcements. A resource holder publishes a cryptographically signed Route Origin Authorization (ROA) stating which ASN may originate routes for specific IP address blocks. The ROA is signed under a resource certificate that chains to the Regional Internet Registry's trust anchor, much as a web server certificate chains to a trusted CA, and it is checked by a third-party validator rather than by the router itself. Note that RPKI does not secure the entire AS path; it only authorizes the origin AS to announce specific IP prefixes.
To be effective along a given path, RPKI has to be deployed by every network involved: the resource holder must publish ROAs, and the networks on the path must validate against them. Route Origin Validation catches announcements with an unauthorized origin (hijacks and mis-originations, often loosely called route leaks); it does not catch a leak in which the correct origin AS is propagated along an unintended path. When an origin AS and IP prefix pair is not covered by a ROA, any service relying on that route can be affected by such announcements. ThousandEyes RPKI monitoring brings visibility into RPKI coverage and status across critical network paths.
Why RPKI?
When a BGP route is announced, nothing in BGP itself guarantees that the originating AS has the right to announce that prefix. ASNs and IP address blocks are allocated by Regional Internet Registries (RIRs), one per geographical region: ARIN (North America), RIPE NCC (Europe, Central Asia, Middle East), APNIC (Asia Pacific), LACNIC (South America, Caribbean), and AFRINIC (Africa). The registry data records which AS is expected to originate which prefixes, so one network can build filters for another network's routes. Route filtering is used to control how traffic flows through the network. For more information about BGP route filtering, see BGP Fundamentals: Route Filtering and Manipulation.
However, this coverage isn't perfect, and bad announcements still reach the global routing table more often than they should. Registry route records are not cryptographically verified: there is little control over who creates them, and they can be stale or contain invalid data.
How RPKI Validation Works
To authorize an AS to announce certain prefixes, the resource holder creates a ROA through their RIR's RPKI service. The ROA contains an IP prefix, the maximum prefix length that the AS is allowed to announce (maxLength), and the origin AS number, and it is signed under a certificate that chains to the RIR's trust anchor. A third-party application (a relying-party validator) fetches and cryptographically verifies the ROAs and feeds the result to ROV-enabled routers, typically over the RPKI-to-Router (RTR) protocol. The whole mechanism is called Route Origin Validation (ROV).
Once a ROA has been verified, the validator reduces it to one or more Validated ROA Payloads (VRPs) that routers use to build route filters. Each VRP is a tuple of an origin ASN, a single IP prefix, and its maxLength. The router compares each route announcement received from its neighbors against the VRPs that cover the announced prefix, meaning those whose prefix equals or contains it. If at least one covering VRP has the announced origin ASN and the announced prefix length is no longer than that VRP's maxLength, the route status is Valid. If one or more VRPs cover the prefix but none matches, because the origin ASN differs from the ROA's ASN or the announced prefix is more specific than maxLength allows, the route status is Invalid. If no VRP covers the announced prefix at all, the status is NotFound. An ROV-enabled router that enforces RPKI rejects announcements with an Invalid status (some operators instead lower their preference); Valid and NotFound routes are normally accepted, because a large share of prefixes are not yet covered by any ROA.
RPKI Status | Description |
Valid | A covering VRP has the announced origin ASN, and the announced prefix length does not exceed its maxLength |
Invalid | The prefix is covered by a VRP, but the origin ASN is wrong or the prefix length is larger than maxLength |
NotFound | No VRP covers the announced prefix |
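The validation logic above, as an added worked example that is not ThousandEyes code and not a router's implementation: a small Python ROV function that classifies announcements against a VRP set and applies the usual reject-Invalid policy. The ROAs and announcements are constructed sample data using documentation ASNs and prefixes; the input record shape ({"asn": "AS64496", "prefix": ..., "maxLength": ...}) is assumed for this example, not output taken from any real validator.

```python
"""Route Origin Validation (ROV) against a set of Validated ROA Payloads.

Added example; not ThousandEyes code and not a router's implementation.
All ROAs and announcements below are constructed sample data using
documentation ASNs (RFC 5398) and prefixes (RFC 5737 / RFC 3849).
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload: origin ASN, a single prefix, maxLength."""
    asn: int
    prefix: object  # IPv4Network or IPv6Network
    max_length: int


def parse_vrps(roas: list[dict]) -> list[VRP]:
    """Build VRPs from records shaped like {"asn": "AS64496",
    "prefix": "192.0.2.0/24", "maxLength": 24} (shape assumed here).
    A ROA without maxLength authorizes only the exact prefix."""
    vrps = []
    for r in roas:
        prefix = ip_network(r["prefix"], strict=True)
        max_len = int(r.get("maxLength", prefix.prefixlen))
        if max_len < prefix.prefixlen:
            raise ValueError(f"maxLength {max_len} shorter than prefix {prefix}")
        asn = int(str(r["asn"]).upper().removeprefix("AS"))
        vrps.append(VRP(asn, prefix, max_len))
    return vrps


def rov_status(vrps: list[VRP], announced: str, origin_asn: int) -> str:
    """Classify one announcement per RFC 6811.

    Valid    - a covering VRP has the same origin ASN and the announced
               length is <= that VRP's maxLength.
    Invalid  - VRPs cover the prefix but none matches (wrong ASN, or the
               route is more specific than maxLength allows). An AS 0 ROA
               matches no real origin, so it makes all routes Invalid.
    NotFound - no VRP covers the announced prefix.
    """
    net = ip_network(announced, strict=True)
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"
    for v in covering:
        if v.asn != 0 and v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


def rov_action(status: str, drop_invalid: bool = True) -> str:
    """Policy applied to a status: enforcing routers reject Invalid routes;
    Valid and NotFound are accepted."""
    return "reject" if status == "Invalid" and drop_invalid else "accept"


# Constructed ROAs. 192.0.2.0/24 has two authorized origins;
# 203.0.113.0/24 carries an AS 0 ROA, meaning "nobody may originate this".
SAMPLE_ROAS = [
    {"asn": "AS64496", "prefix": "192.0.2.0/24", "maxLength": 24},
    {"asn": "AS64497", "prefix": "192.0.2.0/24", "maxLength": 24},
    {"asn": "AS64496", "prefix": "198.51.100.0/24", "maxLength": 26},
    {"asn": "AS0", "prefix": "203.0.113.0/24"},
    {"asn": "AS64496", "prefix": "2001:db8::/32", "maxLength": 48},
]
VRPS = parse_vrps(SAMPLE_ROAS)

# Constructed announcements as (prefix, origin ASN) pairs.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # Valid: exact prefix, authorized origin
    ("192.0.2.0/24", 64497),      # Valid: the second ROA authorizes this origin
    ("192.0.2.0/25", 64496),      # Invalid: more specific than maxLength 24
    ("192.0.2.0/24", 64511),      # Invalid: origin not authorized
    ("198.51.100.64/26", 64496),  # Valid: /26 is within maxLength 26
    ("198.51.100.0/27", 64496),   # Invalid: /27 exceeds maxLength 26
    ("203.0.113.0/24", 64496),    # Invalid: AS 0 ROA
    ("2001:db8:1::/48", 64496),   # Valid: IPv6 within maxLength 48
    ("192.0.0.0/16", 64496),      # NotFound: less specific than any VRP
    ("10.0.0.0/8", 64496),        # NotFound: no ROA at all
]


def validate_all(vrps, announcements):
    """Return [(prefix, asn, status, action)] for every announcement."""
    rows = []
    for prefix, asn in announcements:
        status = rov_status(vrps, prefix, asn)
        rows.append((prefix, asn, status, rov_action(status)))
    return rows


if __name__ == "__main__":
    for prefix, asn, status, action in validate_all(VRPS, SAMPLE_ANNOUNCEMENTS):
        print(f"{prefix:<20} AS{asn:<6} {status:<9} {action}")
```

Two points the table alone does not show: a route that is less specific than every VRP is NotFound rather than Invalid, because no VRP covers it, and an AS 0 ROA makes every announcement of that space Invalid regardless of origin.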
Using ThousandEyes to Monitor RPKI
ThousandEyes collects RPKI data automatically with every BGP test. You do not need to modify test settings in order to enable this feature.
With ThousandEyes BGP RPKI monitoring you can:
View propagation of RPKI statuses in real time and in the form of a timeline
Be alerted when the RPKI status of any AS and prefix association of interest changes
Viewing RPKI Status
You can view RPKI status results in the BGP route visualization layer. If an RPKI Invalid status is detected, a small red exclamation point appears on the AS. Hovering over the AS shows additional details.
To show only the paths with an RPKI Invalid status, select Warning towards the right in the Select area in the path visualization view. The text reports the number of monitors with an RPKI Invalid status. Click on this text to filter the path visualization to only show the paths impacted by a route announcement with RPKI Invalid status.
Alerting on RPKI Status
To alert on RPKI status for a test that is configured to monitor routing, set the alert condition to RPKI Status in a new or existing BGP alert rule associated with the test. You can set the RPKI Status to Valid, Invalid, or NotFound. You can also specify which AS and prefix sets you want to monitor.
For more information about working with alert rules, see Creating and Editing Alert Rules.