RPKI

Resource Public Key Infrastructure (RPKI) is a solution for validating BGP route announcements. RPKI uses a cryptographically signed Route Origin Authorization (ROA) record to prove the association between specific IP address blocks and ASNs, and the holders of those Internet number resources. The mechanism is similar to secure web browsing, and employs a third-party verification process. Note that RPKI does not secure the entire route; it only authorizes the origin AS to announce specific IP prefixes.

Our platform syncs every 10 minutes with upstream RPKI repositories, ingesting ROAs that are newly registered in these repositories. Subsequent BGP updates (including RPKI status) are validated in real-time. The global RPKI system can take additional time to be fully in sync with these changes.

To be an effective solution for preventing route leaks in a given path, RPKI has to be implemented across all networks. When an origin AS and IP prefix pair is not secured with RPKI, any services relying on that route could be impacted by route leaks. ThousandEyes RPKI monitoring brings visibility to RPKI implementation across critical network paths.

Why RPKI?

When a BGP route is announced, there is no guarantee that the originating AS has the rights to announce that route. ASN and IP prefix pairs are registered by Regional Internet Registries (RIRs). Each geographical region has its own registry: (North America), (Europe, Central Asia, Middle East), (Asia Pacific), (South America, Caribbean), and (Africa). This allows one network to filter another network's routes. Route filtering is used to manipulate how traffic flows through the network. For more information about BGP route filtering, see .

However, this coverage isn’t perfect. Route leaks can and do still happen more frequently than they should. There is very little control over RIR record creation, and they can contain invalid data.

How RPKI Validation Works

To authorize an AS to announce certain prefixes, the operator creates a record in the RIR that associates a ROA with a given ASN and IP prefix pair. The ROA record contains an IP prefix, the maximum prefix length that the AS is allowed to announce (maxLength), and the origin AS number. The ROA can then be verified through a third-party application by ROV-enabled routers. This entire mechanism is called Route Origin Validation (ROV).

Once the ROA is verified by the third-party application, it can be used to generate route filters using a Validated ROA Payload (VRP). Each VRP is a tuple of an ASN, a single IP prefix, and its maxLength. The router can then compare VRPs to route announcements received from neighboring routers. If the route announcement's IP prefix matches or is more specific (up to maxLength) than the prefix in the VRP, and the origin ASN is correct, the route status is Valid. If the route announcement's IP prefix matches or is more specific than the prefix in the VRP, but either the origin ASN of the route announcement is inconsistent with the ASN of the ROA, or the prefix length is larger than maxLength, the route status is Invalid. If no ROA/VRP entry exists for the ASN/IP prefix pair in the RIR registries, the status is NotFound. If an ROV-enabled router detects an Invalid ROA status, the router drops the corresponding route announcements which originate from that AS.

To learn more about RPKI, see:

Using ThousandEyes to Monitor RPKI

ThousandEyes collects RPKI data automatically with every BGP test. You do not need to modify test settings in order to enable this feature.

With ThousandEyes BGP RPKI monitoring you can:

• View propagation of RPKI statuses in real time and in the form of a timeline

• Be alerted when the ROA status of any AS and prefix of interest association in the RIR is changed

Viewing RPKI Status

You can view RPKI status results in the BGP route visualization layer. If an invalid ROA status is detected, a small red exclamation point appears on the AS. Hovering over the AS shows additional details.

To show only the paths with an RPKI Invalid status, select Warning towards the right in the Select area in the path visualization view. The text reports the number of monitors with an RPKI Invalid status. Click on this text to filter the path visualization to only show the paths impacted by a route announcement with RPKI Invalid status.

Alerting on RPKI Status

To alert on RPKI status for a test that is configured to monitor routing, set the alert condition to RPKI Status in a new or existing BGP alert rule associated with the test. You can set the RPKI Status to Valid, Invalid, or NotFound. You can also specify what AS prefix sets you want to monitor.