
Resource Public Key Infrastructure



What is happening?

While many of the ISPs that make up the internet filter routes advertised to them by their customers, there is nothing to stop an ISP accepting routes that belong to someone else and advertising them to the internet. This can make devices hosted on those IP ranges unreachable. It is called route hijacking. To combat this, the global routing registrars are introducing a system called Resource Public Key Infrastructure (RPKI). In this, organisations that own address space can "sign" their routes with a Route Origin Authorization (ROA). This just involves logging into the management web site of the registrar ( http://myapnic.net in the case of APNIC) and creating the record for your address ranges, then selecting the option to enable ROA.

Once this is done, Vocus and other ISPs will be able to verify that your routes should have a particular origin Autonomous System Number (ASN) and use that to determine that your routes are the correct ones. It will also allow us to reject routes that don't match the signed ROA, so that your routes will be safer from interference.

What is RPKI?

Resource Public Key Infrastructure (RPKI) is a system where each of the routing registrars allows its customers to specify the origin Autonomous System Number (ASN) that a route will be coming from. ISPs then run a special server (a validator) that subscribes to these databases and downloads a list of "ROA valid" routes. The ISP then links the routers that make up its network to this server, so that the routers know the list of valid routes. Any route that is received whose origin ASN doesn't match that of a listed valid route is marked as "ROA invalid" and dropped.

Routes that are not signed are marked as "ROA unknown". For now, these routes are still accepted and treated as normal, but it is difficult for ISPs to determine whether they are valid or not, and we have no way to prevent them from being hijacked.

How do I verify if my route has been signed correctly?

Once you have selected the ROA option for your routes with your registrar, you can check what Vocus is seeing to confirm the routes are correct. This is done using the Vocus looking glass ( http://tools.vocus.com.au/lg). You need to select the BGP option and enter the subnet you are interested in:

for example 121.200.224.0


This will show you the BGP information for the route:

Router: Sydney
Command: show ip bgp 121.200.224.0


BGP routing table entry for 121.200.224.0/20
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  38809, (aggregated by 38809 121.200.225.4)
    175.45.72.1 from 175.45.72.1 (172.45.72.1)
      Origin IGP, metric 0, localpref 400, valid, internal, atomic-aggregate, best
      Community: 4826:500 4826:1000 (Export to all) 4826:5204 (NSW site 4) 4826:7000 4826:52041
      Last update: Thu Dec  3 02:46:57 2020


The routes will carry several communities, one of which shows whether the route is ROA valid or not, as per this table:

Community   Purpose
4826:500    ROA Valid
4826:501    ROA Unknown
4826:502    ROA Invalid
4826:503    Private AS, void RPKI ROA processing
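As an added example (not Vocus code), the ROA check described in "What is RPKI?" and the community table above, in Python: roa_validate applies the RFC 6811 rules (covering prefix, maxLength, origin ASN) to a constructed ROA list, and roa_state_from_lg reads the ROA state from the Community line of looking-glass output. The ROA entries, the IPv6 prefix and the function names are assumptions, not registrar data.

```python
import ipaddress
import re

# Vocus communities from the table above, mapped to the RPKI validation state.
COMMUNITY_STATE = {
    "4826:500": "valid",
    "4826:501": "unknown",
    "4826:502": "invalid",
    "4826:503": "private-as",  # RPKI ROA processing skipped for private ASNs
}

# Constructed ROA list: (prefix, maxLength, origin ASN). The real ROA set
# would come from the validator the ISP subscribes to, not from this file.
SAMPLE_ROAS = [
    ("121.200.224.0/20", 20, 38809),  # constructed, reuses the page's prefix
    ("2001:db8::/32", 48, 4826),       # constructed IPv6 entry
]

def roa_validate(prefix, origin_as, roas):
    """RFC 6811 origin validation of one route against a list of ROAs.
    'valid'   - a ROA covers the prefix, within its maxLength, with this origin
    'invalid' - the prefix is covered, but no covering ROA matches
    'unknown' - no ROA covers the prefix at all (unsigned)
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # a covering ROA makes the route at least 'invalid'
        # a match also needs the route to be no more specific than maxLength
        if net.prefixlen <= max_len and asn == origin_as:
            return "valid"
    return "invalid" if covered else "unknown"

def roa_state_from_lg(output):
    """Read the ROA state from the 'Community:' line of looking-glass output."""
    m = re.search(r"^\s*Community:\s*(.*)$", output, re.MULTILINE)
    if not m:
        return None
    for token in m.group(1).split():
        if token in COMMUNITY_STATE:
            return COMMUNITY_STATE[token]
    return None

# Community line copied from the looking-glass output above.
SAMPLE_LG = "      Community: 4826:500 4826:1000 (Export to all) 4826:5204 (NSW site 4)\n"
```

Feeding the same prefix with a different origin ASN, or a more specific subnet than the ROA's maxLength allows, returns "invalid", which is the case Vocus will drop after the filtering date.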

When will Vocus start dropping ROA invalid routes?

Vocus will start filtering out ROA invalid routes on 11/01/2021. Please contact your account manager or the Vocus support staff on 1300 855 845 for help if this date is going to cause your organisation problems.

You can also send an email to rpki@vocus.com.au for assistance with route filtering.

Common questions relating to route signing:

What if I don't have my own ASN?

Many organisations that own IP address space don't have their own ASN. In this case they will be using a private ASN provided by their ISP or using static routing. In either case, the origin ASN will be the ASN of the ISP. In Vocus' case this will be AS4826. **** Note this will be different for nuWeb customers – nuWeb customers will use AS38809 ****. If you are using multiple ISPs to advertise your ranges, see "How do I advertise my routes from different AS numbers?" below.

How do I advertise my routes from different AS numbers?

Each route can be registered multiple times with the route registrar, so a particular range can have many entries for it, if it needs to be moved around. This can be useful for tracing the

Can't you sign my routes for me?

Sorry, but we cannot. Only someone with the access to the registrar account can do this. This is key to the security of the system.

Why do I have to register my routes with you as well as with my registrar?

The filtering Vocus does with customer routes is different from the filtering that is created with the RPKI system. There are situations where what is in the Vocus filtering and what is in the routing registrar will need to be different. As a result we still need to maintain different systems.

How do I split my routes to different subnets?

Many organisations who have a large block of IP addresses want to split it into different subsections or subnets. The best option for this is to create a route record for each subnet that you want to advertise. This is particularly true if you want to advertise different subnets with different providers.

Do I have to do this for my IPv6 space?

Yes, this applies equally to IPv4 and IPv6 ranges.

More information can be found about this in other locations like:

https://rpki.readthedocs.io/en/latest/rpki/introduction.html

https://blog.apnic.net/2019/09/11/how-to-creating-rpki-roas-in-myapnic/

https://www.apnic.net/community/security/resource-certification/

We recommend looking at the below publicly available RPKI validators to check your ASN

https://rpki-validator.ripe.net

https://rpki.cloudflare.com/

https://bgp.he.net