Cybersecurity best practices and DDoS defence strategies
As we depend on the Internet more and more to manage our lives, securing internet routing infrastructure becomes vitally important. It has for a long while relied on the trust-based model of Border Gateway Protocol (BGP), developed several decades ago. The threat landscape was very different in the early days of Internet development compared to today, and no security mechanisms were integrated into the protocol. However, owing to the lack of authentication in BGP, it has become increasingly vulnerable not only to configuration mistakes, but also abuse by bad actors seeking to redirect routes to achieve criminal objectives.
With no means of verifying route announcements, the internet routing model of BGP is flawed, as evidenced by thousands of routing incidents, from accidental route leaks to malicious route hijackings over the years, clearly outlining the need for a more secure system for route validation.
RPKI (Resource Public Key Infrastructure) has emerged as a framework to help secure internet routing by cryptographically verifying route announcements, removing any concerns surrounding the origin of IP prefixes. RPKI verifies that a specific system is authorized to use its stated IP prefixes. Known as Route Origin Authorizations (ROAs), these authorizations are collected in a repository at the Regional Internet Registry (RIR) level, so that IP addresses are certifiably linked to a trust anchor.
Holders of IP addresses publish their RIR-certified ROAs, stating which autonomous system is authorized to originate certain IP prefixes, as well as the length of those prefixes. RPKI then validates the ROAs using BGP Route Origin Validation (ROV) - a process that verifies the originating system and prefix length announced in the ROA. BGP announcements are compared with the repository, where valid announcements are permitted and invalid announcements are dropped. This is the key to stopping accidental errors from being transmitted, as well as preventing cyber criminals from falsely originating routes that they have no ownership of.
We will get back to you shortly.
With RPKI enabled, Nexusguard ensures configuration mistakes and abuse by bad actors are eliminated, and BGP sessions for our customers and peers are fully validated.