One of America’s largest broadband providers has now deployed RPKI on its network to defend against BGP hijacks and route leaks.
BGP route hijacks are a networking problem that BGP can cause a drastic surge in misdirected internet traffic and a Denial of Service (DoS). While a major BGP leak can disrupt thousands of networks globally.
This week, telecom giant Comcast has deployed Resource Public Key Infrastructure (RPKI) on its network to strengthen its security and robustness, and in particular, to prevent BGP attacks.
The RPKI framework has been designed to primarily secure Border Gateway Protocol (BGP). Jason Livingood, Vice President of Technology Policy & Standards at Comcast Cable commented on the move in a blog post this week:
“In practical terms, it means that Comcast now both cryptographically signs route information and validates the cryptographic signatures of other networks’ route information… This helps to ensure that packets get to their intended destinations intact and cannot be hijacked or leaked to other destinations, making the network – and Internet traffic more generally – more secure and resilient for all users.”
BGP or Border Gateway Protocol is a “postal system” for the internet, it is what keeps the Internet run. Its purpose is to route internet traffic correctly between various paths and systems to the destination.
But, BGP is fragile, and any disruptions or anomalies in even a few intermediary systems can have a lasting impact on many.
For the Internet to work, different devices (autonomous systems) advertise the IP prefixes they manage and the traffic they are able to route. However, this system largely is based on trust assuming devices are telling the truth. Hence it is possible to perform BGP route hijacking when a malicious entity tells other routers that it owns certain IP addresses when they don’t. This leads to misdirected traffic.
In the past, for one example, such erroneous BGP routing configuration caused IBM’s global outage. Prior to that, in 2008, YouTube had gone offline globally when some traffic had been redirected through Pakistani servers. There have been reported multiple other incidents.
By using public-key cryptography for validation, measures like RPKI help alleviate the problem considerably.
“RPKI allows network operators to digitally encrypt and sign routing advertisements in Border Gateway Protocol (BGP) by using a system of private and public keys… Digitally signing information provides assurance that routing advertisements seen in the routing system can be verified and are authentic,” states APNIC’s guide on RPKI.
By deploying RPKI Origin Validation, Comcast ensures that its customers are less likely to be impacted by BGP-related hijacking and leaking on the Internet.