06 Dec 18

Netnod to deploy RPKI in new route server platform

By the end of H1 2019, Netnod will deploy a new route server platform at the Netnod Stockholm and Copenhagen IXes.

The new platform will provide a looking glass available for networks using the route server and a public list of networks currently exchanging routes on the route server. It will also provide support for Resource Public Key Infrastructure (RPKI). This is part of Netnod’s efforts to ensure secure routing and prevent BGP hijacking. We encourage customers connecting to Netnod’s route servers to ensure they have signed their prefixes with RPKI and that their AS-SETs are up-to-date.

This is important because by the end of H1 2019, once RPKI is deployed on Netnod’s route servers, they will by default reject Route Origin Authorisations (ROAs) marked as ‘INVALID’. ROAs marked as ‘VALID’ will be accepted, while those marked as ‘UNKNOWN' will be checked in the customer AS-SET. If the prefix is present there, it will be accepted, otherwise it will be rejected by the route server.

What is RPKI?

Resource Public Key Infrastructure (RPKI) has been designed to help secure Internet routing, especially the Border Gateway Protocol (BGP). Using RPKI, network operators are able to sign their IP address prefixes using a trust anchor system. Using RPKI, legitimate holders of IP address prefixes can make route announcements about the IP prefixes they hold. These statements are called Route Origin Authorisations (ROAs) and state which Autonomous System (AS) is authorised to originate a specific IP address prefix. These statements, which can be cryptographically validated, enable network operators to make routing decisions based on verifiable proof that the network announcing a specific IP prefix is entitled to originate this prefix. This helps to secure Internet routing and prevent BGP hijacking.

Why is RPKI important?

Securing Internet routing has clear benefits not just for networks peering at an IX and their customers but for end users and the global Internet community as a whole. Deploying RPKI on our route servers is part of Netnod’s mission to ensure robust and resilient Internet services and to support the critical infrastructure of the Internet in the Nordics and beyond.

More information

More detailed information about RPKI, including tools to help networks set up ROAs for their IP prefixes, is available from the RIPE NCC, the Regional Internet Registry that acts as the trust anchor for the RPKI system in the Netnod region.