Avatar

Securing the Critical Internet Infrastructure is an ongoing challenge for operators that require collaboration across administrative boundaries. Last September something exceptional happened in Ecuador, a small South American country. The entire local network operation community got together to be pioneers in securing its local Internet infrastructure by registering its networks in the Resource Public Key Infrastructure (RPKI) system and implementing secure origin AS validation. This project is a great example on how a global technology change can be accelerated by maximizing its value to local communities.

The global inter-domain routing infrastructure depends on the BGP protocol that was initially developed in the early 90s. Operators know that a number of techniques are needed to improve BGP security (a good reference can be found here). Although these improvements, it is still possible to impersonate the entity with the right of use of Internet resources and produce a prefix hijack as the famous attack in 2007. The IETF, vendors and Regional Internet Registries have been working inside the SIDR working group to create technologies that allow the cryptographic validation. The initial outcomes of this effort have been the RPKI and the BGP origin AS validation; two complementary technologies that work together to improve inter-domain routing security.

RPKI is a public key infrastructure (similar to the one used for email security called S/MIME) exclusively for Internet resources (IP addresses and Autonomous Systems Numbers or ASNs). Inside the RPKI infrastructure, cryptographically signed objects called Route Origin Authorization (ROA) allow to connect an IP prefix with origin ASN allowed to originate a BGP announcement.

BGP origin AS validation is a new feature in routers to check, classify or filter announcement based on the information received from the RPKI infrastructure. Cisco has been a pioneer in the implementation of BGP origin AS validation in IOS/IOS-XE and IOS-XR.

RPKI and BGP origin AS validation depend on each other and thus suffer from the chicken and egg problem: to validate BGP announcement you need the RPKI material available and to make RPKI valuable you need operators to be using it.

Ecuador’s IXP topology. BGP origin AS validation was implemented at the two ASR1001 routers in the center of the figure.
Ecuador’s IXP topology. BGP origin AS validation was implemented at the two ASR1001 routers in the center of the figure.

To address this problem, we got together with a number of partners and took the initiative to create a success story where we could learn important lessons. We chose Ecuador as the place to create an island of trust where all its networks would be registered in the RPKI and where local announcement will be validated against that information. There were a number of reasons why we chose Ecuador: first it has a local Internet Exchange Point (IXP) where almost all the countries’ networks are available at its route-server. Secondly, the local partner had the trust of the local community that secured the sustainability of the project and finally, but not least, a strong and entrepreneur local operator community.

The project consisted on a series of preparatory activities (such as equipment refresh, community awareness and material preparation), a live two days event and the definition of long-term activities. I had the pleasure to lead the technical team together with my colleague Alvaro Retana.

Graph of the RPKI adoption in Ecuador for IPv4 before and after the event. Ecuador is the first country to show near 100% adoption. LACNIC Labs publishes detailed daily statistics.
Graph of the RPKI adoption in Ecuador for IPv4 before and after the event. Ecuador is the first country to show near 100% adoption. LACNIC Labs publishes detailed daily statistics.

Before we started the project, the objective was to reach a 70-80% of the local IP address space to be covered in RPKI ROA objects. The local event was very animated with a number of interactions between operators that included big Telcos, small enterprises, government agencies and academic networks. We also had a virtual laboratory that allowed operators to practice this technology in case they would like to implement it in their own networks.

At the end of the event, we were overwhelmed by reaching more than 90% of the local IPv4 and IPv6 address space covered and by the enthusiast of the local community in using this technology to manage their customers’ connections.

We can see the impact of the project at the graphs that we built to monitor progress (we had an identical result for IPv6). This activity also had effects on the regional adoption for the Latin American region as it reached 18% and jumped as a global leader.

 

Full_Attendance_2
Event attendant included all network administrators with public IP resources in the country.

The Way Forward:
Since the event in early September, we have been working in documenting the lessons learned and to create the conditions to make this experience sustainable in time. A number of unexpected and unknown announcements, even inside a small country, demonstrated operators the benefits from a more secured operation of inter-domain routing. We will continue working with our partners to repeat this experience in other communities.

To learn more about the technology and the project, you can join us during the following sessions at Cisco Live Milan in January 2014:
Route Security for Inter Domain Routing – MIL1415166
Advance inter-domain BGP routing Laboratory – MIL141518