NYSERNet Moves the Needle on Routing Integrity: Implementing Peer-Facing RPKI Route Origin Validation
By Amber Rasche - Senior Communications Specialist, Internet2
Estimated reading time: 7 minutes
A Q&A with Bill Owens, NYSERNet
We’ve said it before, but it bears repeating: Routing integrity is an end-to-end challenge that requires the participation of the entire Internet2-networked community and beyond.
So, what does that mean? It’s in everyone’s best interest to work together to ensure our research and education (R&E) networks are protected from common routing threats that impact security and resiliency. The path forward to strong routing integrity requires collaboration, and the benefits ripple far beyond any one network’s border.
This blog series puts the spotlight on R&E community members and organizations who are moving the needle on routing integrity by implementing best practices and capabilities – and supporting their constituents in doing the same. Among those organizations is NYSERNet, which provides a state-wide fiber optic network offering colleges, museums, healthcare facilities, primary and secondary schools, and research institutions from Buffalo to New York City access to 100-gigabit speeds.
In this Q&A, Bill Owens, chief network architect at NYSERNet, discusses NYSERNet’s recently launched initiative to implement peer-facing RPKI Route Origin Validation (ROV) to better protect its members’ routing infrastructure. He shares the challenges and opportunities driving that effort, along with the progress they’ve made and lessons they’ve learned thus far.
Tell us more about NYSERNet’s member and participant community. What is the scope of the institutions and communities your organization serves?
Bill Owens: NYSERNet services are driven by our members’ needs, and we work in many areas – we operate colocation and data center facilities, provide dark fiber, offer security and education, and hold conferences – but our core has always been the network. We connect around 60 member institutions to our statewide network, which runs throughout New York state on our fiber facilities and extends on the Internet2 optical backbone down to Ashburn, Virginia. There’s a wealth of educational institutions in New York, and we’ve always connected those who are most heavily research-oriented. In the last few years, we’ve dramatically increased our ability to serve schools for whom education is the primary driver, as well as healthcare and cultural institutions. And we connect many of the K-12 schools in the state through their own networks.
With that scope in mind, let’s talk about NYSERNet’s routing integrity efforts – specifically your initiative to implement peer-facing RPKI Route Origin Validation (ROV). What was the impetus behind that initiative, and what are you hoping to achieve?
Bill Owens: As our emphasis has grown from providing high bandwidth for research to encompassing educational and administrative uses of the network, we’ve seen a big change in our campuses’ reliance on our network. It still needs the performance they have come to expect but has to be solid and secure. A disruption to their NYSERNet connection will affect cloud and content services, as well as research data transfers; it’s amazing how quickly people become concerned about the network when their video calls are interrupted!
We know that most of the routing ‘hijacks’ that take place on the network are accidental and not malicious, but they still cause major problems. Anything we can do to make the network more stable and robust is worth looking at, and the effort to implement RPKI is small by comparison to the benefits of making the infrastructure resistant to routing problems. There’s always the possibility that someone will decide to launch an attack as well, and we owe it to our members to provide them with the best defenses. And finally, as a good net citizen and member of MANRS, we should not allow routes to leave NYSERNet if they’re not correct. So we will be doing our part to keep the global network clean.
What process is NYSERNet implementing to support members in this effort, and what resources have you and your members found most valuable?
Bill Owens: We split the RPKI effort into two activities. The first was to enable RPKI route signing for all the NYSERNet IP space. That represents a tiny component of our network but gave us the experience to be able to talk with our members about the process, point out hurdles they might face, and provide a realistic idea of what they’ll be required to do. That’s where most of the member support will come, and we’ve already had conversations with a half dozen campuses. We know they will need support in the long term, as well, since this isn’t something most engineers will do every day. We will be there to help them remember how it works in a year or two when changes are required.
Our second activity is the validation of routes on our backbone as part of the complete picture of routing security. We don’t expect many of our campuses to do their own validation since their providers (including NYSERNet) will do it for them. But we’re documenting the process as we go and will be happy to consult with any of our members who want to take that step.
The Internet2 community has helped us a great deal, as has the excellent documentation at ARIN and other online resources. With the openness that is a hallmark of the R&E community, I hope we will all be able to help each other as RPKI adoption spreads.
What progress have you made thus far? What challenges and wins (big or small!) have you encountered, and what are the lessons learned that you can pass along to the community?
Bill Owens: We signed the NYSERNet routes a few months ago, and we turned on validation across the network during the holiday break. We haven’t had too many issues so far: some extra paperwork to get the RPKI process started with ARIN and a couple of stumbles with the extremely precise syntax that is required for the signatures. One thing we discovered is the old lint and dust that gathers in the corners of the network, which is suddenly quite obvious when you are trying to validate routes. There have been a few things we always meant to clean up but never got around to – the new configuration has forced us to get that done, or else we would break our own routes. A lot of lab time was needed to get to the point where we were comfortable putting the configuration into the production network, and so far it’s been fine.
What advice would you offer to network operators and network engineers in the R&E community who are new to routing integrity efforts and aren’t sure where to start?
Bill Owens: Everyone can sign their routes now, and that will have a real impact. Once you have signed your space, it is much more difficult for someone to accidentally break your routing. It encourages other networks to join in as well, both signing and validating routes. I expect to see major network providers requiring signed routes from their customers in the next couple of years. Enabling validation is a larger step, in some respects, but has significant rewards as well and should be on everyone’s roadmap if you’re providing transit connections.
Look at MANRS for more things you can do beyond RPKI to complete your routing security picture. And if you don’t already participate in the Internet2 Network Technical Advisory Committee, join up to get the benefit of experience from the whole community.
Join the Conversation
If you have questions about community efforts to move the needle on routing integrity or would like to share about your own routing integrity initiatives, please contact us at firstname.lastname@example.org.
Read the other Q&As in the “Moving the Needle on Routing Integrity” series.