Route Origin Authorization: Enhancing Network Security and Unveiling Critical Insights
IPXO, the next-gen IP address management platform, has embraced Route Origin Authorization (ROA) since January 2023, gaining valuable insights about its benefits to the Internet ecosystem.
ROA is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate a certain prefix – a portion of the IP address space. It is a method for verifying that the specific prefix or IP address holder has authorized an AS to originate route objects in the inter-domain routing environment for that prefix. ROA has been gradually adopted by network operators and Internet service providers (ISPs) to reinforce the security and trustworthiness of route announcements.
Global Adoption of ROA
The adoption of ROAs has influenced network security practices worldwide. Based on the MANRS Community Report 2022, the global adoption of ROAs is 34%, reflecting the collective commitment of Internet service providers worldwide to embrace ROAs.
According to Cloudflare statistics, as of July 2023, there have been 449,808 ROAs in the global RPKI system, and the numbers are steadily growing. This widespread adoption of ROA has improved network security practices globally in several ways.
Preventing Route Hijacking
ROAs help prevent route hijacking, a type of attack in which an attacker takes control of a legitimate IP address block by announcing it from a different AS. This is possible because of weaknesses in the Border Gateway Protocol (BGP), which is used to exchange routing information between Autonomous Systems. By using ROAs, network operators can verify that a BGP announcement is legitimate and authorized by the address holder, preventing unauthorized announcements from being propagated worldwide.
Improving Routing Security
ROAs are a critical step forward in securing global BGP routing, preventing mis-originations and configuration errors from propagating invalid routing information. By validating BGP route announcements against ROAs, network operators can classify each announcement as valid, invalid, or not found, thus improving routing security.
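The valid / invalid / not-found classification is the route origin validation procedure of RFC 6811. The following Python is an added example written for this page, not IPXO's code or any real validator's: it models a ROA as (prefix, maxLength, origin AS), classifies an announcement against a set of ROAs, and also shows how the maxLength field decides how tightly a ROA fits the announcements it is meant to cover. The `ROA` class, `validate` and `minimal_roas` names are assumptions of this example; the prefixes and AS numbers are documentation values (RFC 5737, RFC 3849, RFC 5398) constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization (assumed minimal model)."""
    prefix: str        # e.g. "192.0.2.0/24"
    max_length: int    # longest more-specific the origin may announce
    asn: int           # authorized origin AS; AS0 means "nobody may originate"


def _covers(roa: ROA, announced: Network) -> bool:
    """True if the announced prefix equals or lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    if roa_net.version != announced.version:
        return False
    return announced.subnet_of(roa_net)


def validate(roas: Iterable[ROA], prefix: str, origin_asn: int) -> str:
    """Classify a BGP announcement per RFC 6811 route origin validation."""
    announced = ipaddress.ip_network(prefix)
    covering = [r for r in roas if _covers(r, announced)]
    if not covering:
        return "NotFound"          # no ROA says anything about this space
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"         # at least one ROA matches AS and length
    return "Invalid"               # covered, but wrong origin or too specific


def minimal_roas(announcements: Iterable[Tuple[str, int]]) -> List[ROA]:
    """Issue one ROA per intended announcement with maxLength equal to the
    announced length, so only the intended announcements validate."""
    return [ROA(p, ipaddress.ip_network(p).prefixlen, asn)
            for p, asn in announcements]


# Constructed sample ROAs (documentation prefixes and ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("203.0.113.0/24", 25, 64496),
    ROA("2001:db8::/32", 48, 64497),
]

if __name__ == "__main__":
    checks = [
        ("192.0.2.0/24", 64496),       # authorized origin -> Valid
        ("192.0.2.0/24", 64500),       # foreign origin -> Invalid (hijack)
        ("192.0.2.0/25", 64496),       # longer than maxLength -> Invalid
        ("203.0.113.128/25", 64496),   # within maxLength -> Valid
        ("198.51.100.0/24", 64496),    # no covering ROA -> NotFound
        ("2001:db8:1::/48", 64497),    # IPv6 more-specific within maxLength
    ]
    for p, asn in checks:
        print(f"{p:20} AS{asn}: {validate(SAMPLE_ROAS, p, asn)}")
```

In practice a router obtains this same (prefix, maxLength, ASN) data from an RPKI validator over RTR and applies the classification to every received route; the policy it attaches to "Invalid" (typically drop) is what actually stops a hijacked route from entering the routing table.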
Enhancing Network Resilience
Additionally, ROAs can enhance network resilience by providing a mechanism for detecting and mitigating routing anomalies, such as route leaks and hijacks. By filtering unauthorized BGP announcements, network operators can prevent malicious routing information from being propagated, thus improving the overall resilience of the network.
ROA Evolution: Insights from IPXO
Over the last six months, the IPAM platform IPXO has engaged deeply with ROA. IPXO issues ROAs following the Mutually Agreed Norms for Routing Security (MANRS) recommendations, which advocate issuing ROAs according to exact needs rather than using a single large ROA to cover multiple smaller announcements.
As IPXO began operating delegated RPKI, the volume of delegations to the company steadily grew. The company consistently and promptly generated and revoked ROAs in accordance with authorized announcements.
Currently, out of 3.2 million subnets in IPXO Marketplace, Delegated RPKI encompasses 38.4% of them (Figure 2). This demonstrates the substantial influence of ROA implementation and its positive effects on IPXO’s network management and security.
It also allows clients to activate their leased subnets quickly, as they receive authorization as soon as an ASN is assigned to them. This streamlined process ensures a smoother experience for clients and further improves the efficiency of the company’s services.
Figure 3 shows that the RIRs delegating RPKI to IPXO are primarily RIPE NCC and ARIN, both of which offer the delegated RPKI management option. Other RIRs, such as AFRINIC, provide the standard hosted RPKI option.
Demonstrating the Benefits of ROA
Drawing from recent experiences, IPXO has witnessed firsthand how ROA enhances network security and performance, leading to several notable benefits.
Secure Internet Routing
With ROAs, IPXO can authorize, and revoke, the origin AS for its IP address prefixes, which ensures that subnets are promptly returned to the marketplace upon lease termination.
Figure 4 clearly indicates a positive trend over the last six months, with a decrease in late subnet returns. This improvement can be attributed to the increased implementation of RPKI and RPKI Delegation at IPXO, which has enabled automated and expedient handling of ROA revocation when leases conclude. This facilitates the timely return of subnets to the marketplace for new leasing.
Moreover, with each new delegation, IPXO gains better control over its number resources and supplements it with its quarantine system. This system ensures that after a ROA is revoked, the subnet is not immediately reintroduced to the Marketplace until all announcements are fully sorted out.
To clear any lingering announcements, IPXO has an automatic email mechanism that asks IP holders and clients to withdraw them. The quarantine system therefore plays a crucial role in decreasing the workload of the Abuse and Support teams.
Improved Efficiency
Furthermore, ROA enables IPXO to streamline its routing policies through the origin validation of announced routes, leading to reduced routing table size, faster convergence, and overall improved network efficiency. The substantial impact of this implementation is demonstrated by the two graphs below, which reveal a significant trend in the successful parking of previously unleased subnets.
Parking involves reserving or holding IP address space for future use, primarily to protect a subnet from potential hijacks once its lease has ended. Some individuals actively search for unused IP addresses and may use or announce them illegally.
By implementing parking and having a valid ROA in place, IPXO disrupts this hijacking process and may even prevent it entirely by revoking the hijacker’s authorization through ROA. This practice of parking enhances IPXO’s network security and contributes to a more robust and reliable routing infrastructure.
The substantial impact can be attributed to two key factors:
- Implementation of Automation. Automation allows for faster identification and revocation of non-authorized announcements within the network, ensuring prompt removal of unauthorized routes. This directly aligns with the improved network efficiency, as unauthorized announcements can be promptly detected and addressed, reducing unnecessary routing table entries.
- Delegation of ROA to IPXO with AS834. The delegation of authorization to IPXO plays a crucial role in enabling ISPs to effectively announce and park subnets online until they are leased again. This efficient authorization process contributes to improved network efficiency and management.
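The cycle the post describes, issuing a ROA for a client's ASN at lease start, revoking it and parking the prefix under AS834 at lease end, holding the subnet in quarantine until no foreign announcements remain, and emailing whoever still announces it, can be modelled as a small state machine. The Python below is an added example constructed for this page, not IPXO's automation (its real design is not on the page); the `RoaLifecycle` class, its state names and the email notice format are assumptions, and the observed BGP announcements fed to `reconcile` are constructed sample data. AS834 is taken from the post; the client ASN and prefix are documentation values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PARKING_ASN = 834   # IPXO's parking AS, as named in the post (AS834)


@dataclass
class Subnet:
    prefix: str
    state: str = "available"            # available -> leased -> quarantine -> available
    authorized_asn: int = PARKING_ASN   # origin AS the current ROA authorizes
    notices: List[str] = field(default_factory=list)   # emails that would be sent


class RoaLifecycle:
    """Assumed model of the issue / revoke / quarantine cycle for leased subnets."""

    def __init__(self, prefixes: List[str]):
        # Every unleased subnet starts parked under the parking AS.
        self.subnets: Dict[str, Subnet] = {p: Subnet(p) for p in prefixes}

    def lease(self, prefix: str, client_asn: int) -> Subnet:
        s = self.subnets[prefix]
        if s.state != "available":
            raise ValueError(f"{prefix} is {s.state}, cannot lease")
        # Revoke the parking ROA and issue one for the client's ASN.
        s.authorized_asn = client_asn
        s.state = "leased"
        return s

    def end_lease(self, prefix: str) -> Subnet:
        s = self.subnets[prefix]
        # Revoke the client ROA at once: any announcement still originated
        # by the client is now RPKI-invalid. Park under AS834 and quarantine.
        s.authorized_asn = PARKING_ASN
        s.state = "quarantine"
        return s

    def reconcile(self, observed: List[Tuple[str, int]]) -> Dict[str, Set[int]]:
        """Compare observed announcements (prefix, origin AS) with the current
        ROAs. Lingering origins get an email notice and keep the subnet in
        quarantine; clean subnets return to the marketplace."""
        lingering: Dict[str, Set[int]] = {}
        for prefix, origin in observed:
            s = self.subnets.get(prefix)
            if s is not None and origin != s.authorized_asn:
                lingering.setdefault(prefix, set()).add(origin)
        for prefix, s in self.subnets.items():
            if s.state != "quarantine":
                continue
            if prefix in lingering:
                for asn in sorted(lingering[prefix]):
                    s.notices.append(f"email: please withdraw {prefix} from AS{asn}")
            else:
                s.state = "available"
        return lingering


if __name__ == "__main__":
    lc = RoaLifecycle(["192.0.2.0/24"])
    lc.lease("192.0.2.0/24", 64496)
    lc.end_lease("192.0.2.0/24")
    # Constructed observation: the former client still announces the prefix.
    print(lc.reconcile([("192.0.2.0/24", 64496)]))
    print(lc.subnets["192.0.2.0/24"].notices)
    # Later observation: only the parking AS announces it, so it is released.
    print(lc.reconcile([("192.0.2.0/24", PARKING_ASN)]))
    print(lc.subnets["192.0.2.0/24"].state)
```

The point of the quarantine step is that revoking the ROA is not the same as the old announcement disappearing: invalid routes can linger for hours or days until the former origin withdraws them, so releasing the subnet only after an observed-announcement check avoids handing a prefix to a new client while someone else still originates it.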
Overall, our experience shows that the combination of ROA implementation, parking practices, and automation at IPXO has resulted in notable improvements in network efficiency and security.
Further Advancements
ROA has emerged as a crucial component in fortifying the security and efficiency of Internet networks. IPXO’s half-year journey with ROA has provided valuable insights into the benefits it brings to the Internet ecosystem. Going forward, we anticipate further advancements in network security and broader adoption of this critical technology.
Adapted from the original post which first appeared on RIPE Labs Blog.