Resource Public Key Infrastructure and Route Origin Authorization

Details

Resource Public Key Infrastructure (RPKI) is a best-practice security framework designed to enhance the security of Border Gateway Protocol (BGP) routing. It uses cryptographic methods to verify the authenticity and ownership of IP address prefixes, ensuring only legitimate networks can announce routes.

Cox highly recommends Dedicated Internet Access (DIA) / Cox Optical Internet (COI) customers with BGP Routing adopt RPKI.

Most Cable Internet providers are dedicated to ensuring secure and reliable internet service. Companies like Cox, Charter, and Comcast have successfully implemented RPKI signing across all their residential networks, enhancing security. Additionally, adopting best practices for Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) to protect against Distributed Denial of Service (DDoS) attacks.

The FCC has advised Internet providers to enforce RPKI requirements starting January 1, 2025.

Understanding RPKI and Route Origin Authorization (ROA)

RPKI and ROA benefits you in the following ways.

Preventing Route Hijacking: RPKI helps prevent route hijacking by ensuring that only authorized networks can announce IP prefixes. This reduces the risk of malicious actors redirecting traffic through unauthorized routes.
Enhances Route Validation: With RPKI, we can validate the authenticity of BGP route announcements. This ensures that the routes we accept are legitimate and come from verified sources, improving the overall integrity of our routing infrastructure.
Mitigating Misconfigurations: RPKI can help mitigate the impact of accidental misconfigurations by providing a mechanism to verify route announcements. This reduces the likelihood of routing errors that can lead to network outages or degraded performance.
Compliance and Best Practices: Implementing RPKI aligns with industry best practices and compliance requirements. It demonstrates our commitment to maintaining a secure and reliable network infrastructure.

Implementing BGP RPKI and ROA

Review the general outline of the process to implement BGP RPKI and ROA in the table below.

Task	Process
Set Up RPKI Infrastructure	Choose an RPKI Validator: Select a software validator that will create a local cache of validated ROAs. Examples include Routinator, OctoRPKI, and Fort. Install and Configure the Validator: Download the RPKI repository from the Regional Internet Registry (RIR) and validate the chain of trust for all ROAs and associated Certificate Authorities (CA).
Create Your ROAs	Register with Your RIR: Make sure your IP prefixes are registered with your RIR, for example, ARIN, RIPE NCC, APNIC. Generate ROAs: Use your RIR's website or Application Programming Interface (API) to create ROAs for your IP prefixes, specifying the Autonomous System (AS) numbers authorized to announce them.
Deploy RPKI on Your Routers	Configure Routers to Use RPKI: Update your router configurations to fetch validated ROAs from the local cache created by your RPKI validator. This typically involves using the RPKI to Router (RPKI-RTR) protocol. Implement Route Filtering: Set up route filters to prefer or reject BGP announcements based on the validity of the ROAs.
Monitor and Maintain	Regularly Update ROAs: Ensure your ROAs are up-to-date with any changes in your IP prefixes or AS numbers. Monitor RPKI Validation: Continuously monitor the validation process and the status of your ROAs to detect and resolve any issues promptly.

For further information on implementing RPKI, see American Registry for Internet Numbers (ARIN) and Protecting your Routes with RPKI Overview Video.

Resource Public Key Infrastructure and Route Origin Authorization

Details

Understanding RPKI and Route Origin Authorization (ROA)

Implementing BGP RPKI and ROA

Cox Business MyAccount Updates

Search Cox Business Support