Perhaps you have heard of MANRS (Mutually Agreed Norms for Routing Security) before. MANRS is a community initiative that works to make the Internet's routing system more secure. To join the community, an organization has to meet its requirements.
If you are an ISP (network operator), there are two rules:
1. Rule: you have to make your part of the Internet's routing infrastructure more secure by implementing the MANRS actions.
2. Rule: you become a MANRS participant and help to maintain and improve the document. That's all.
How can I make my internet infrastructure more secure?
Compulsory actions for participating in the MANRS community:
Action 1: Prevent propagation of incorrect routing information
Action 2: Prevent traffic with spoofed source IP addresses – Filtering
Action 3: Facilitate global operational communication and coordination
Action 4: Facilitate validation of routing information on a global scale – IRR and RPKI
All of the above actions are important, but the one this post focuses on is Action 4, because that is where the validity of routes is checked against ROAs (Route Origin Authorisations). A ROA is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate a certain prefix, optionally down to a maximum prefix length. In other words, ROAs make a statement about which BGP announcements of your address space are legitimate. ROAs are created by the holder of the address space (an ISP or LIR) in its RIR's portal; you can find how to create them from this link.
Network operators have to adapt their network infrastructure to check ROA validity. This needs a few pieces of equipment: an RPKI validator (relying-party software such as Routinator) that fetches and cryptographically verifies the ROAs, and routers that receive the resulting validated prefix/origin-AS pairs from it over the RPKI-to-Router (RTR) protocol and apply them to BGP announcements.
Why are all these needed? Because of routing threats such as BGP hijacking and route leaks. These incidents are very dangerous and can cause long service outages.
There is a nice tool to watch BGP events, BGPStream, at this link.
RPKI route origin validation is the best available method to prevent BGP origin hijacks (on its own it does not catch route leaks or hijacks that forge the authorized origin AS in the AS path), but it is not widely deployed yet. MANRS provides an observatory for the state of routing security.
RPKI LAB; I have installed a small lab for better understanding. The topology is below.
I only used Cisco CSR IOS XE Software Version 16.06.05 on EVE-NG. You can use other vendors that support RPKI.
You can find the device configurations in the attachment at the bottom of this page.
Firstly, before I configure RPKI on the ISP router, I will check the route (188.8.131.52/22) which is announced from the BGP_AS router.
We see the route in the routing table of the ISP router.
Also, we see the route in the routing table of the RTR-1 router.
We have seen the route in the routing tables of the ISP and RTR-1 routers because there is no RPKI validation on the ISP router yet.
Now, we add the following commands for the RPKI configuration to the ISP router (the address is the Routinator host and the port is its RTR listener; refresh is the interval in seconds at which the router polls for updates):
router bgp 64400
bgp rpki server tcp 192.168.28.129 port 8323 refresh 600
Everything is OK. Let's check the connection between Routinator and the ISP router (show ip bgp rpki servers).
The connection between Routinator and the ISP router is ready.
We also see the RPKI table (show ip bgp rpki table), which lists the validated prefix/origin-AS pairs the router received from Routinator:
I will check the route (184.108.40.206/22), which is announced from the BGP-AS router, on the ISP and RTR-1 routers.
The route (220.127.116.11/22) no longer exists in the routing tables of the ISP and RTR-1 routers.
Why doesn't the route (18.104.22.168/22) exist in the routing table, even though it still exists in the BGP table?
The answer is simple: the ISP router compares the announcement with the ROA data it received from Routinator and marks it INVALID, and IOS XE by default does not consider an INVALID path in best-path selection, so it is kept in the BGP table but never installed in the routing table. (An operator who wants invalid routes installed anyway, for example during a soft rollout, can add bgp bestpath prefix-validate allow-invalid under router bgp; the lab does not do this.)
What does INVALID mean?
RPKI route announcement validity:
When a network operator creates a ROA for a certain combination of origin AS and prefix, this affects the RPKI validity of one or more route announcements. A route announcement can be:
VALID: the route announcement is covered by at least one ROA that matches its prefix, origin AS and prefix length.
INVALID: the prefix is announced from an unauthorized AS.
INVALID: the announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix and AS.
NOT FOUND (UNKNOWN): the prefix in this announcement is not covered (or only partially covered) by an existing ROA.
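To make the ROA description above and the three validity states concrete, here is the origin-validation check (RFC 6811) as a router performs it against the validated ROA payloads it gets from a validator. This is an added example, not code from the original page, from Routinator or from Cisco; the prefixes and AS numbers in it are constructed (documentation ranges and private ASNs) and are not the ones used in the lab.

```python
"""Route origin validation (RFC 6811) against a constructed VRP table.

Added example, not code from the original page or from Routinator/Cisco:
it reproduces the decision a router makes when it compares a BGP
announcement with the validated ROA payloads (VRPs) that a validator such
as Routinator hands it over the RTR protocol.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VRP:
    """One validated ROA payload: prefix, maxLength and authorized origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed sample VRPs using documentation prefixes and private ASNs;
# hypothetical, not the ROAs used in the lab on the page.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("198.51.100.0/22", 24, 64496),
    VRP("2001:db8::/32", 48, 64496),
]


def validate(prefix, origin_asn, vrps=SAMPLE_VRPS):
    """Classify an announcement of `prefix` originated by `origin_asn`.

    Returns (state, reason), where state follows RFC 6811:
      "not-found"  no VRP covers the announced prefix
      "valid"      a covering VRP matches the origin AS and the announced
                   length does not exceed its maxLength
      "invalid"    covered, but no VRP matches (wrong AS or too specific)
    """
    # A BGP prefix never has host bits set, so strict parsing is correct here.
    announced = ip_network(prefix, strict=True)
    covering = []
    for vrp in vrps:
        roa_net = ip_network(vrp.prefix)
        # subnet_of() raises on mixed address families, so check version first.
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(vrp)

    if not covering:
        return "not-found", "no ROA covers this prefix"

    for vrp in covering:
        if vrp.origin_asn == origin_asn and announced.prefixlen <= vrp.max_length:
            return "valid", f"matches ROA {vrp.prefix}-{vrp.max_length} AS{vrp.origin_asn}"

    # Covered, but nothing matched. Say which rule was broken: if some covering
    # ROA names this origin AS, the only thing wrong is the prefix length.
    if any(vrp.origin_asn == origin_asn for vrp in covering):
        return "invalid", "announcement is more specific than the ROA maxLength"
    return "invalid", "prefix is announced from an unauthorized AS"


def usable_for_bestpath(prefix, origin_asn, vrps=SAMPLE_VRPS, allow_invalid=False):
    """Mimic the IOS XE default seen in the lab: valid and not-found paths are
    eligible for best path, invalid ones stay in the BGP table but are excluded
    unless the operator explicitly allows invalid routes."""
    state, _ = validate(prefix, origin_asn, vrps)
    return state != "invalid" or allow_invalid


if __name__ == "__main__":
    for p, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64501),
                   ("198.51.100.0/25", 64496), ("198.51.101.0/24", 64496),
                   ("198.51.96.0/21", 64496), ("203.0.113.0/24", 64496),
                   ("2001:db8:1::/48", 64496), ("2001:db8:1::/56", 64496)]:
        state, reason = validate(p, asn)
        print(f"{p} from AS{asn}: {state.upper():9} ({reason})")
```

The `198.51.96.0/21` case is the "only partially covered" situation from the list above: the announcement is less specific than the `/22` ROA, so no ROA covers it and the result is NOT FOUND rather than INVALID. That is also why a validator alone cannot stop a hijack of space that has no ROA at all; the operator has to create the ROAs first.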
For now, this method is not widely deployed. If you want to see whether your ISP drops invalid routes, the following link will be useful for you.