Border Gateway Protocol (BGP) lacks built-in trust, leaving the Internet routing layer exposed to accidental or malicious prefix hijacks. Resource Public Key Infrastructure (RPKI) addresses that problem by letting address space holders cryptographically authorize which Autonomous System (AS) may originate their prefixes, via Route Origin Authorizations (ROAs) published through a chain of trust anchored at the five Regional Internet Registries (RIRs).
While most ROAs are published directly by the RIRs, a long tail of smaller, independently operated publication servers (run by cloud providers, ISPs, hobbyists, educational institutions, and RPKI as a Service (RPKIaaS) companies) also contributes to the global RPKI dataset. In this post, we investigate who operates those small servers and why.
What is RPKI and why should you care?
Every time you open a website, your traffic hops across dozens of routers guided by BGP. BGP is the glue of the Internet: It tells routers where to send packets to reach any IP address on the planet. The trouble is that BGP was designed for an era when networks trusted each other, and misbehaviour was still uncommon. Any network can (accidentally or maliciously) announce that it owns an IP prefix it does not actually control. That is called a routing incident, and it can cause your traffic to be silently redirected to the wrong destination.
RPKI is (one of) the Internet’s answers to that problem. It works by letting the rightful owners of IP address blocks cryptographically sign a ROA; a small record that says: ‘IP prefix X is authorized to be announced by Autonomous System Number (ASN) Y.’ Routers that implement Route Origin Validation (ROV) then use those signed records to check incoming BGP announcements and drop the ones that don’t match.
The entire system rests on a chain of trust anchored at the five Regional Internet Registries (RIRs): ARIN (North America), RIPE NCC (Europe/Middle East/Central Asia), APNIC (Asia Pacific), LACNIC (Latin America) and AFRINIC (Africa). Those bodies issue IP address space to networks and operate the top-level RPKI Certification Authorities (CAs). ROA objects can be published directly from the RIR servers, or from smaller, independent publication servers.
Small RPKI publication servers
Most ROA objects are published by the five RIRs, which are well-resourced, professionally maintained and globally trusted. But alongside those giants sits a long tail of smaller publication servers run by cloud providers, hobbyists, educational institutions, Internet Service Providers (ISPs) and RPKIaaS companies. During the research described in this post, we examined these ‘small’ servers to see what we can learn from them, why they operate and why they exist in the first place.
Defining ‘small’
The first methodological challenge was defining what makes a server ‘small’. We used a straightforward, ROA-count-based definition:
... continue reading