Global validation (on the networking scale)

Picture this scenario: It’s a few days before Christmas. You awaken in a panic and rush to the airport. While running through the terminals, you unknowingly take a wrong turn, and instead of boarding a plane to Miami, you instead board a plane to New York City. Is this the plot to Home Alone 2: Lost in New York, or is this a case of a misrouted network?

The internet is built upon trust. A lot of trust. Adjacent networks pass on their traffic to each other, and trust that it will then end up in the right location, similar to how you trust that the airplane you’re boarding will take you to the right destination. But just like how boarding the wrong plane will take you to the wrong city, bad routing on the internet can also happen. Sometimes it’s accidental, and sometimes it’s malicious. 

The Mutually Agreed Norms for Routing Security (MANRS) initiative was established to help increase foundational routing security and reduce misrouted traffic. MANRS focuses on four key areas: Filtering, Anti-Spoofing, Coordination, and Global Validation. 

Cybera is actively involved in all four areas — our Senior Network Engineer, Samir Rana, is a member of CANARIE‘s MANRS working group. While each area offers actionable items, in this post, we’ll only be focusing on Global Validation.

Global Validation

Global Validation involves proving that an entity on the internet is who they say they are. Cybera is Cybera. Google is Google. Shady Internet Company is not the Government of Canada. 

There are two ways to implement Global Validation:

  1. Publishing information about yourself in an Internet Routing Registry (IRR), and/or
  2. Publishing a Route Origin Authorization (ROA) record in a Resource Public Key Infrastructure (RPKI) system.

The latter is the newer method I will be focusing on here.

Resource Public Key Infrastructure

So, how do you prove to someone else that you’re you? One easy way is to find a mutually trusted friend who can vouch for you. On the internet, there are five of these friends, known as the Regional Internet Registries (RIRs): AFRINIC, APNIC, ARIN, LACNIC, and RIPE. Your location in the world will depend on which friend you pick. And if you’re already routing traffic on the internet, you would have already had to interact with this friend — they’re also the entities who assign your network an Autonomous System Number (ASN — your unique network ID on the internet) and, sometimes, IP addresses. For Cybera, this is ARIN.

Let’s say we give ARIN our ASN and the list of IP addresses we own. Now, if anyone wants to make sure we’re really Cybera, they just ask ARIN, right? Not yet. Maybe someone else has tricked ARIN into believing they’re using the same IPs as Cybera. So instead, we take our ASN and our list of IP addresses and encrypt them in such a way that proves to ARIN this information came from Cybera. This encrypted result is known as a Route Origin Authorization (ROA) record. So now, ARIN can validate the real Cybera. We’ve created an “anchor of trust”. 

Still with me? We’re halfway through.

Next, let’s say CANARIE wants to configure their network router to always make sure that Cybera is Cybera. They can do this by setting up an RPKI “Validation Server” alongside their router. The Validation Server’s job is to contact the RIRs (the five friends) for a list of known ROAs. Then, when Cybera connects to CANARIE as a downstream client, CANARIE’s router contacts the Validation Server to validate that Cybera is Cybera.

The setup looks like this:

Assuming CANARIE had gone through the same process of creating an ROA, and Cybera had gone through the same process of setting up an RPKI server, Cybera can also now verify that CANARIE is CANARIE.

And now we’ve established fully trusted and validated routing. At least between two parties.

RPKI Route Categories

With an RPKI Validation Server in place, it will report the following three types of routes to a router:

  • Valid: The organization that owns this route is participating in RPKI and has a valid ROA entry.
  • NotFound: The organization that owns this route is not participating in RPKI.
  • Invalid: The organization that owns this route is participating in RPKI but the ROA entry does not match the route.

Invalid routes are a difficult situation. It could mean that a malicious party is trying to hijack the traffic. In this situation, configuring routers to drop the traffic from the invalid routes is a good idea. This protects the users on the network from having their traffic hijacked. However, the invalid route could be due to an accidental RPKI ROA mis-configuration. In this case, legitimate traffic would now be dropped.

Going forward, close observation of the invalid routes is going to be important for anyone implementing RPKI.

Status of RPKI at Cybera

As described before, there are two main steps to participate in RPKI:

  • Create ROA records with an RIR
  • Deploy an RPKI server 

Overseen by Samir, Cybera has completed both steps. We’re now finalizing our testing and observing how our core routers and Validation Server work together. This should ensure that no legitimate traffic is accidentally dropped. 

The next phase, which should start in a few weeks, will be to deploy a RPKI Validation Server on the Peering portion of our network. We plan to implement a policy to drop “invalid” routes. As detailed earlier, this could create some tricky scenarios, so close observation will be needed. However, from our initial testing, no invalid routes have been detected — and that’s good!

Here are the preliminary results from our testing on the Peering portion of our network:

  • Valid Routes: 3,226
  • Unknown: 1,205
  • Invalid Routes: 0

Conclusion

Misrouted traffic, whether accidental or malicious, has been the cause of some of the largest outages on the internet in recent years. By publishing ROAs with ARIN, we can make sure that other networks around the world can verify that Cybera is, in fact, Cybera. Additionally, by having our routers use an RPKI Validation Server, we can validate other participants of the RPKI.

That last part is important. Resource Public Key Infrastructure isn’t useful if nobody participates. As more organizations join, the more beneficial it becomes. This is a new and innovative network technology that helps ensure the integrity of the National Research and Education Network (NREN). We will definitely continue to participate, and we hope you do, too.

Leave a Comment

Your email address will not be published.