What is an Incorrect ROA and Where Can I Verify My Information?

Guillermo Cicileo
@ssrlac

Recent years have seen an increase of global RPKI adoption. This increase is due to the fact that users are signing their resources and generating their ROAs, as well as to the fact that organizations are performing BGP origin validation. In addition, a larger number of RPKI validation software implementations have appeared in the past year and potential extensions to the basic functions of RPKI have been proposed at the IETF. These are all signs of the acceptance RPKI is gaining among operators seeking to guarantee global routing security.

Large operators such as NTT or AT&T and important content providers such as Cloudflare have recently started to drop BGP announcements based on their RPKI validity status. This practice is also extending to the majority of IXPs worldwide. Verifying that the information defined by each organization in the RPKI is correct is of the utmost importance – if an ROA has not been properly created, certain prefixes might be dropped, making it impossible to reach the networks performing validation and eventually losing connectivity to major operators.

This situation has been noted and explained on the LACNOG mailing list (https://mail.lacnic.net/pipermail/lacnog/2018-September/006484.html) as well as on the following website: https://nusenu.github.io/RPKI-Observatory/index.html

A detailed description of these issues is provided below.

What is an ROA?
Route Origin Attestations (ROAs) are digitally signed objects that describe an association between a set of prefixes (IPv4 or IPv6) and the autonomous system authorized to originate a route for these prefixes in BGP advertisements. ROAs also specify the maximum length with which these prefixes can be advertised.

This makes it possible to compare the information received via BGP against the definitions contained in RPKI ROAs – when a BGP prefix advertisement is received, we can check the autonomous system that originated the advertisement and the prefix length against the information contained in the RPKI. If this information matches, the BGP advertisement is considered valid. Conversely, if the information does not match (either because the advertisement originated in another autonomous system or because it exceeds the maximum specified prefix length), the advertisement is considered invalid. A third status applies if the advertisement is not covered by any ROA, i.e., if there is no information in the RPKI; in this case, its status will be “unknown” or “not found”.

Further information on this topic is available in RFC 6482 and RFC 6483.

Why is it important to deploy RPKI?
Internet routing is based on the BGP protocol, which does not include any mechanism to verify an organization’s right to use IP resources. Over time, different techniques have been used to check that the information received via BGP is legitimate, from Letters of Authorization (LoA) to Internet Routing Registries (IRR), in which an autonomous system declares the set of prefixes it will announce to another. RPKI is the most recent method specified as an IETF standard for verifying BGP information (see RFC 6480 et seq.).

By using RPKI, an organization can certify its resources and BGP advertisements, protecting itself against the unauthorized use of its resources and against route hijacking.

What is origin validation?
Origin validation consists of verifying which autonomous system is authorized to originate a BGP prefix advertisement. This verification allows preventing unauthorized advertisements, discarding any routes originated in autonomous systems other than those explicitly authorized to do so. Because the BGP protocol does not have any built-in mechanisms to do this, performing origin validation requires an external source of information. One of the most popular ways to perform origin validation is by comparing the advertisements that are received against the information available in the RPKI database (RPKI repositories, detailed in RFC 6481).

What is an incorrect ROA?
An incorrect ROA is one that does not adequately cover the BGP announcements of an organization.

  • An ROA that declares an origin autonomous system different from the autonomous system that actually originates the prefix in BGP.
  • An ROA that specifies a maximum prefix length that is shorter than the one in the BGP announcement (the BGP route is more specific than the maximum length declared in the ROA).

In both cases, the announced prefixes that do not match the ROA may be dropped by organizations performing origin validation. This can cause connectivity issues if there is no other route covering those prefixes.
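The validation outcome described above (valid, invalid, not found) and the two incorrect-ROA cases just listed, as an added example that is not part of the original article: a small Python implementation of the RFC 6811 comparison against a constructed set of validated ROA payloads (VRPs), plus a helper that reports which planned announcements an organization's ROAs fail to cover. The prefixes and AS numbers are documentation/private values chosen for the example.

```python
from ipaddress import ip_network

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
# Sample values made up for this example, not real ROAs.
VRPS = [
    (ip_network("203.0.113.0/24"), 24, 64500),
    (ip_network("2001:db8::/32"), 48, 64500),
]

def covers(vrp_prefix, route_prefix):
    """A VRP covers a route when the route lies inside the VRP prefix
    (same address family, equal or longer prefix length)."""
    return (vrp_prefix.version == route_prefix.version
            and route_prefix.subnet_of(vrp_prefix))

def validate_route(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 route origin validation of one BGP announcement.
    Returns 'valid', 'invalid' or 'not_found'."""
    route = ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        if not covers(vrp_prefix, route):
            continue
        covered = True
        # A single covering VRP with matching origin AS and a maxLength
        # at least as long as the announced prefix makes the route valid.
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by some VRP but matched by none -> invalid; no VRP -> not found.
    return "invalid" if covered else "not_found"

def check_announcements(announcements, vrps=VRPS):
    """Return the (prefix, ASN) announcements that are NOT valid under the
    given VRPs, with their status, so an operator can spot incorrect ROAs."""
    return {(p, a): validate_route(p, a, vrps)
            for p, a in announcements
            if validate_route(p, a, vrps) != "valid"}

if __name__ == "__main__":
    planned = [
        ("203.0.113.0/24", 64500),   # matches the ROA -> valid
        ("203.0.113.0/24", 64501),   # case 1: wrong origin AS -> invalid
        ("2001:db8:1::/64", 64500),  # case 2: longer than maxLength -> invalid
        ("198.51.100.0/24", 64500),  # no covering ROA -> not_found
    ]
    for ann, status in check_announcements(planned).items():
        print(f"{ann[0]} from AS{ann[1]}: {status}")
```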

An incorrect ROA may have been generated due to a configuration error or because of outdated information in the repository (e.g., a change of provider, a new autonomous system, incorrect disaggregation, etc.). For this reason, it is very important to verify that the ROAs declared in the MiLACNIC system match the BGP announcements that are to be made.

Where can I check my information?
The MiLACNIC system shows the IPv4 and IPv6 blocks assigned to an organization. The RPKI tab also allows verifying the ROAs that have been created. It is important to check that the ROAs cover all the prefixes that the organization is announcing (or plans to announce) to the Internet. It is also advisable to have all IP blocks covered by an ROA so that, if an attacker attempts to use a prefix that is part of those blocks, the BGP announcement will be declared invalid.

The RPKI Observatory (https://nusenu.github.io/RPKI-Observatory/unreachable-networks.html) allows you to check for incorrect ROAs by ROA, by prefix or by autonomous system. This website uses the term “RPKI unreachable network” to refer to prefixes whose BGP announcements do not match the created ROAs. It can be used to check whether the IP prefixes of your organization are affected.
