Preparing for Resource Public Key Infrastructure Route Origin Validation




By Steven Wallace - Director, Internet2 Routing Integrity

An increasing number of network providers are implementing Resource Public Key Infrastructure Route Origin Validation (RPKI-ROV) to identify and mitigate false routing information, whether it arises by accident or from attempted route hijacking. This trend includes Internet Service Providers and non-profit organizations like Internet2 that provide connectivity for the research and education community.

It’s one of many routing integrity best practices the community is adopting to strengthen the resilience and reliability of our networks and to contribute to a safer internet for all.

RPKI-ROV Service Coming to Internet2 Network March 2023
Internet2 will implement the RPKI Route Origin Validation service on its network infrastructure on March 16. If you have questions, please contact us at manrs@internet2.edu.

RPKI-ROV only applies to IP addresses with corresponding RPKI Route Origin Authorizations (RPKI-ROAs). That distinction is important for IP address holders in our community who are considering how to prepare for the implementation of RPKI-ROV – and considering the protections they might lack without an RPKI-ROA in place. 

What to Expect and How to Prepare

IP address holders can publish RPKI-ROAs to tell network operators the valid source(s) of a route. If a route with a published RPKI-ROA comes from an invalid source, a network implementing RPKI-ROV knows to reject the route. The network will treat the route normally if there’s no RPKI-ROA for a route.
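The decision described above can be written out as code. The following is an added example, not code from Internet2 or from the original article: it classifies a route as valid, invalid, or not-found against a set of ROAs and rejects only the invalid case. It goes slightly beyond the text by also applying the ROA maximum-length check from RFC 6811; the ROAs are constructed samples using documentation prefixes and private-use AS numbers, and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    """One validated ROA entry: covered prefix, longest allowed length, origin AS."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample data (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64501),
]

def validate_origin(route_prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Return 'valid', 'invalid', or 'not-found' for an announced route."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA is relevant only if its prefix covers the announced route.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match requires the authorized origin AS and a prefix that is
        # not more specific than the ROA's maximum length.
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched none: invalid.
    # Covered by no ROA at all: not-found, which is treated normally.
    return "invalid" if covered else "not-found"

def rov_accepts(route_prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> bool:
    """Policy from the text: reject invalid routes, accept everything else."""
    return validate_origin(route_prefix, origin_asn, roas) != "invalid"

if __name__ == "__main__":
    for prefix, asn in [
        ("192.0.2.0/24", 64500),       # matches the ROA
        ("192.0.2.0/24", 64511),       # wrong origin AS
        ("192.0.2.0/25", 64500),       # more specific than max_length
        ("2001:db8:1::/48", 64501),    # within max_length
        ("203.0.113.0/24", 64511),     # no ROA covers this prefix
    ]:
        state = validate_origin(prefix, asn)
        print(f"{prefix:20} AS{asn}  {state:10} accept={rov_accepts(prefix, asn)}")
```

The last case shows why a prefix without a ROA gets no protection: any origin AS announcing it is classified not-found and accepted.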

But the fact that RPKI-ROV only affects IP addresses with RPKI-ROAs creates a potential moral hazard. 

On the one hand, IP address holders can prepare for their network provider to implement RPKI-ROV by taking no action. Even if they do nothing, when their provider turns on RPKI-ROV, they’ll immediately benefit, as their path to internet sites is less likely to take an unwanted detour. They benefit because others have created RPKI-ROAs to protect their IP networks. When Google protects its network, you can have higher confidence that traffic to Google isn’t intercepted.

But when IP address holders also create and maintain RPKI-ROAs for their networks, they increase the confidence that others can reliably access their resources without unwanted detours.

And that’s ultimately the goal of adopting routing integrity best practices: no detours, no delays, and no outages.