Front Range GigaPoP Moves the Needle on Routing Integrity: Boosting Member Participation in RPKI
By Amber Rasche - Senior Communications Specialist, Internet2
Q&A with John Hernandez, Front Range GigaPoP
We’ve said it before, but it bears repeating: Routing integrity is an end-to-end challenge that requires the participation of the entire Internet2-networked community and beyond.
So, what does that mean? It’s in everyone’s best interest to work together to ensure our research and education (R&E) networks are protected from common routing threats that impact security and resiliency. The path forward to strong routing integrity requires collaboration, and the benefits ripple far beyond any one network’s border.
This blog series puts the spotlight on R&E community members and organizations who are moving the needle on routing integrity by implementing best practices and capabilities – and supporting their constituents in doing the same. Among those organizations is the Front Range GigaPoP (FRGP), which is managed by the University Corporation for Atmospheric Research (UCAR). The FRGP connects Colorado and Wyoming with hundreds of gigabits to the Internet2 national network via the Western Regional Network (WRN) partnership to advance the R&E goals of government, nonprofit, research, and educational participants in the region.
In this Q&A, John Hernandez, network engineering supervisor at UCAR and assistant manager for the FRGP, discusses the FRGP’s initiative to encourage all its members to participate in the American Registry for Internet Numbers (ARIN) Resource Public Key Infrastructure (RPKI) effort to better secure members’ IP resources. He shares the challenges and opportunities driving that effort, along with the progress they’ve made and lessons they’ve learned thus far.
Tell us more about the FRGP’s member and participant community. What is the scope of the institutions and communities your organization serves?
John Hernandez: The FRGP has participants composed primarily of institutions of higher education and federal research organizations in Colorado and Wyoming. These include the University of Colorado and Colorado State University systems, the University of Wyoming, the Air Force Academy, the Colorado Community College System, NOAA, NREL, NEON, and UCAR, among others. We also serve state, county, and municipal governments, and there are a small number of K-12 public school systems connected to the FRGP network.
With that scope in mind, let’s talk about the FRGP’s routing integrity efforts – specifically your initiative to improve the use of RPKI Route Origin Authorizations (ROAs) among FRGP members. What was the impetus behind that initiative, and what are you hoping to achieve?
John Hernandez: The FRGP prides itself in fostering collaborative technical discussion and providing a community forum for all aspects of networking in support of our participants’ needs. To that end, we have discussed BCP-38 and MANRS many times over the years, and routing security is something we believe in strongly as an organization. Routing security is often ignored in practice, but various high-profile route hijacking events have demonstrated that we cannot continue to ignore it without risking serious consequences. One of the simplest and most effective ways to ensure a reliable internet presence for our community is to engage in RPKI and encourage its use.
What process is the FRGP implementing to support its members in this effort, and what resources have you and your members found most valuable?
John Hernandez: About a year ago, Google’s efforts in the space were highlighted at some Internet2 meetings. We identified a deficiency in FRGP’s collectively held ARIN resources. The majority of the customer prefixes we announce (particularly IPv4) were not covered under any ARIN Registration Services Agreements (RSAs). This poses a risk because IPv4 is quite valuable today, and the lack of RSAs can make proving ownership more difficult in the face of an ownership challenge.
We constructed an outline of an FRGP-led RPKI effort in early 2022, and we subsequently had the good fortune of hiring Alex Hsia as a part-time consultant to help us build a project website and coordinate communications. Alex has been a long-standing participant in the FRGP community through his affiliation with the National Oceanic and Atmospheric Administration (NOAA) and its N-Wave network, so he knows our community well.
The rpki.ucar.edu website, although simple, is very valuable because it gathers resources and discusses the topic in a way that makes it easy for our community to understand the benefits and the process.
What progress have you made thus far? What challenges and wins (big or small!) have you encountered, and what are the lessons learned that you can pass along to the community?
John Hernandez: Just two months into our effort, we have coordinated ROAs with four of our participants. We also have dialogue established with at least 15 others who have indicated a commitment to completing the task. There’s a long way to go, but I’m extremely encouraged by the response, and progress has been very smooth so far.
What advice would you offer to network operators and network engineers in the R&E community who are new to routing integrity efforts and aren’t sure where to start?
John Hernandez: I recommend taking some time to understand the nuances of ARIN’s policy with regard to RSAs and routing security. Don’t be afraid to open tickets with ARIN and ask for what you want. They have friendly, knowledgeable staff, and they are generally understanding of the cost sensitivities that many legacy resource holders face.
Is there anything else you would like to add?
John Hernandez: I would like to thank Steve Wallace at Internet2 for inspiring us to take action and being a great resource.
Join the Conversation
Want to learn more about routing integrity and RPKI? Join us for TechEX22, Dec. 5-9 in Denver! The program includes a session on Protecting Your Resources with RPKI, presented by John Curran, president and CEO of ARIN. Register today!
If you have questions about community efforts to move the needle on routing integrity or would like to share about your own routing integrity initiatives, please contact us at firstname.lastname@example.org.
Read the other Q&As in the “Moving the Needle on Routing Integrity” series.