Major ANZ operators at risk of traffic hijack as they lag on RPKI

This article originally appeared on CommsDay, which has kindly let us republish it.

Major operators in Australia and New Zealand are at risk of having their traffic hijacked because they are yet to deploy Resource Public Key Infrastructure — the specialized framework designed to secure the Internet’s routing system.

Research by Internet Society Technical Engagement Manager Aftab Siddiqui has revealed that while a number of operators, led by Telstra, have actively deployed or are deploying the technology, Optus and TPG have yet to start deploying, while no major operator has done so in New Zealand.

Siddiqui told CommsDay that RPKI can play a significant role in preventing route hijacking by validating the legitimate origin of a traffic route while not accepting a route with an unverified origin Autonomous System – a very large network or group of networks with a single routing policy. “Not deploying RPKI means that you are not giving other operators the opportunity to verify your routes and hence protect your route from being hijacked,” he said. “For example, you are saying by putting a sign on your car – and this can be verified through a cryptographically signed certificate, which can’t be tampered – that only the designated licence holder can drive your car and if the police find someone else driving this car then they are the miscreants. Not putting a sign means if someone takes your car without permission then it’s impossible for anyone to verify if they have the right to drive it or not.”

He said there was a global consensus that every network operator should be able to verify “who is authorized to advertise what?” He said Internet Routing Registries were used originally to manage these flows but it soon became evident some information held was fake or not up-to-date. “RPKI, through cryptographically signing information, provides assurance that routing advertisements seen in the routing system can be verified,” he said.

Two-stage development

Siddiqui said there were two stages to RPKI. The first is creating the Route Origin Authorization or ROA – providing cryptographically verifiable proof that an AS number is authorized to announce these prefixes. The ROA basically says: “it is valid for the following AS number to originate the announcement of the following prefix list.”

The second is implementing Route Origin Validation or ROV, which means checking the ROA of every route (prefix with origin AS number) and not accepting those routes with “invalid” ROAs, preventing devastating attacks such as IP prefix hijacking.

Siddiqui confirmed Optus and TPG had not yet started creating ROAs for the IP resources they hold. “Vocus (AS4826) has ROAs covering almost 36% of their address space which is really good compared to Optus and TPG,” he added.

An Optus spokesperson told CommsDay it had a team: “currently undertaking an impact assessment for the first implementation, which is likely to be complete by mid next year. We are working with other service providers to better understand the systems and assist in our selection [of vendors].”

Siddiqui said that since many Tier 1 operators such as AT&T, NTT, Telstra, Telia Global and Hurricane Electric were implementing ROV and dropping the invalids, it has become very important to make sure that all carriers have valid ROAs – and that’s why operators in ANZ need to deploy. “Yes, [a carrier] not creating ROA means that their routes will be marked as ‘not found’ rather than ‘invalid’ and still be accepted by those operators who are dropping invalids; but it means if a miscreant operator tries to hijack the prefix then that hijack will not be marked as ‘invalid’ and everyone will accept that hijack because there is no way to verify the genuine origin of those prefixes. If carriers want to protect their prefixes from hijacking, then the easiest way to do so is to create ROAs.” He added the service to do so is offered by every regional Internet registry, which means APNIC in APAC.
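The difference between ‘valid’, ‘invalid’ and ‘not found’ described above can be reproduced with a small origin-validation check. This is an added example, not code from the original article or from any operator named in it; it follows the route-origin matching rules of RFC 6811, and the prefixes, AS numbers and ROA entry are constructed from documentation ranges.

```python
import ipaddress
from typing import NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

class VRP(NamedTuple):
    """Validated ROA payload: a prefix, its maxLength and the authorized origin AS."""
    prefix: Network
    max_length: int
    asn: int

# Constructed sample data: one carrier (AS64500) has created a ROA,
# another carrier (AS64501, holding 198.51.100.0/24) has not.
VRPS = [VRP(ipaddress.ip_network("203.0.113.0/24"), 24, 64500)]

def validate(route_prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for an announced route."""
    route = ipaddress.ip_network(route_prefix)
    # A VRP covers the route when the route prefix sits inside the VRP prefix.
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"          # no ROA: nothing to check the origin against
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific

def accepted(announcements, vrps=VRPS):
    """Policy of an operator that drops invalids: valid and not-found pass."""
    return [(p, a) for p, a in announcements if validate(p, a, vrps) != "invalid"]

# Constructed announcements; AS64511 plays the unauthorized origin.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # signed prefix, legitimate origin
    ("203.0.113.0/24", 64511),   # signed prefix, wrong origin
    ("203.0.113.0/25", 64511),   # more-specific of the signed prefix
    ("198.51.100.0/24", 64501),  # unsigned prefix, legitimate origin
    ("198.51.100.0/24", 64511),  # unsigned prefix, wrong origin
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:<18} AS{asn:<6} {validate(prefix, asn)}")
    print("accepted:", accepted(ANNOUNCEMENTS))
```

Both announcements of the unsigned prefix come back ‘not-found’ and pass the filter, so a validating operator cannot tell the holder from the unauthorized origin; for the signed prefix only the holder's announcement survives.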

Telstra’s RPKI boost

Telstra’s implementation and validation significantly improved Internet security in the Asia-Pacific region as currently, 1,560 autonomous systems interconnect with Telstra’s AS1221, making it one of the most interconnected networks in Asia-Pacific.

Telstra started monitoring and dropping invalid routing messages in June – it also started signing route origin authorizations for all domain prefixes managed by the company’s AS1221 name server host. All networks connecting with AS1221 have been urged to create ROAs for their own address space to prevent any legitimate unsigned or incorrectly signed routing requests from being dropped.

A spokesperson told CommsDay work was underway to complete ROV validation on its global network. “We also have ROV validation on AS1221 routers that have connectivity with AS4637. AS4637 is currently in the process of deploying RPKI ROV validation in their global network; due to the size of their network the deployment time-frame is longer but they are continuing to progress.”

Others have deployed as well. In July, Aussie Broadband (AS4764) completed its installation of RPKI and was dropping invalids on all its links. In September, IX Australia implemented RPKI ROV. Exetel is reportedly in the process of rolling it out.

“IX Australia implementing ROV and dropping invalids is going to play a crucial role in Australia as almost 600Gbps traffic passes through [it]. The list is growing, Telstra, Superloop, AussieBB, Exetel and IX-AU but unfortunately none in NZ that I’m aware of,” said Siddiqui.

Cloudflare’s head of ANZ Raymond Maisano said: “The Border Gateway Protocol – [which manages how packets get routed from network to network] – was built entirely on a trust basis and is the glue that makes different networks speak to each other. There was no authentication built into the protocol at all, which is why deploying RPKI is essential. We need to keep that conversation going.”

New Zealand lagging

Siddiqui said that in 2017 1.2% of Australia’s 16,794 prefixes had valid ROAs – the first step towards RPKI. In the past three years, the number of valid prefixes in Australia has increased to around 21.5%. Similarly, New Zealand’s number of prefixes has also risen from 9% to 19.5% over the same time. However, more than four times as many AS numbers are registered in Australia as in New Zealand, and the same is true of the providers that have correctly signed their ROAs.

He said in New Zealand, three of its largest carriers, Spark (AS4648), Vodafone NZ (AS4768) and Snap Internet (AS23655) have 99% or 100% of unknown ROAs. “One can only assume that they are still in their ‘testing’ stages but at least they aren’t contributing to the rise of invalid ROAs that still plague the APNIC region,” he said.

He added that while signing is one thing, validating is another. “As noted, Telstra (AS1221) has implemented ROV; which, as you could imagine for a Tier 1, has had a significant effect on Australia’s overall validation figure,” he said. “In New Zealand, this figure is a lot less; no great surprise, because if you don’t have valid routes then you won’t be practicing ROV.”
