By Steven Wallace - Director, Internet2 Routing Integrity
As early adopters of internet technology, many network operators in the research and education (R&E) community use IP numbers allocated to them before ARIN (American Registry for Internet Numbers) came into existence. ARIN is one of the five Regional Internet Registries (RIRs) that coordinate the use of IP numbers in the operation of the internet.
Pre-ARIN IP numbers are known as “legacy resources.” ARIN continues to provide Whois services to legacy resource holders. ARIN’s Whois service is essential for maintaining transparency, accountability, and stability of the internet infrastructure. It helps network operators, researchers, law enforcement, and other stakeholders identify the responsible parties for IP addresses and AS numbers, allowing them to communicate effectively when addressing issues such as network abuse, routing problems, or security threats.
Filling Critical Gaps for Routing Security
As the internet has become a critical infrastructure for society, it has become increasingly important to ensure the security of the internet itself. A major aspect of internet security is routing security. Routing security’s goal is to ensure data on the internet arrives at its destination reliably and without detours or outages. In 2014, a group of network operators created Mutually Agreed Norms for Routing Security (MANRS), a project organized under the Internet Society, to ensure the global internet could coordinate its routing security efforts. To meet the needs of routing security, the RIRs (in our case, ARIN) have introduced new services that fill critical gaps in the internet’s routing security.
For example, until ARIN introduced its new routing security services, there wasn’t a reliable method for internet transit operators (the large ISPs) to ensure that IP addresses were being used by their rightful owners. IP numbers are frequently used by unauthorized parties, sometimes accidentally, and sometimes for nefarious purposes. For example, bad actors might temporarily use some of a university’s IP numbers to host an email phishing scam. The university might not notice until much later when parts of its network are flagged for hosting such activities.
One of the routing security services now offered by ARIN is Hosted Resource Public Key Infrastructure – Route Origin Authorization (RPKI-ROA). Its complex name belies a simple and powerful capability. RPKI-ROAs allow an owner of IP numbers to cryptographically assert which networks are permitted to use those IP numbers. Network operators such as commercial ISPs and the Internet2 network can use these assertions to identify and remove unauthorized use of IP addresses.
The adoption of RPKI-ROAs has grown quickly in the last few years, with over 40% of all IP numbers now benefiting from its protection. Unfortunately, the Internet2-connected community has been much slower to adopt this feature, with only 10% of our IP addresses benefiting from RPKI-ROA protection.
I call RPKI-ROAs the easy button for routing security. Creating an RPKI-ROA is little more than completing a short web form, and its benefits start immediately. No new equipment or configuration changes are required to benefit from an RPKI-ROA. It’s literally little more than completing a web page. To use ARIN’s RPKI-ROA service, an organization must have a Registration Services Agreement (RSA) with ARIN. Many in our community have IP numbers that are legacy resources and have never signed ARIN’s RSA.
ARIN has always offered highly discounted fees for legacy resource holders, at only $175/yr for any number of IP numbers. Unfortunately, these discounted fees end in 2023. Organizations that sign their RSA this year lock in these legacy fees. After this year, the fees may be 20-40 times greater. Across the entire Internet2 community, the difference between the legacy fees discount and the regular fees will exceed $2M a year!
Routing security has become an important initiative for our federal government, as can be seen in the National Cybersecurity Strategy, NSF awardee requirements, and FCC inquiries. Not only has the commodity internet already surpassed our community in RPKI-ROA adoption by a factor of four, but its rate of adoption continues to outpace ours two-fold. In other words, we have a lot of catching up to do.
I believe basic routing security protection such as RPKI-ROAs will be considered a “duty of care” for interconnected network operators, including those that make up the Internet2 community. To ensure the community can use these routing security protections and lock in ARIN’s legacy fees, I urge members of our community to consider covering their IP numbers with an ARIN agreement this year.
If you have questions about this topic, please email manrs@internet2.edu.
About the Author(s)
Steve Wallace promotes the adoption and improvement of routing security and integrity throughout the Internet2 community. He has been an active community member for over 24 years, having started as the engineer responsible for the team that built Abilene, Internet2's first network.