The Challenges of RPKI-ROA Diffusion in Research and Education
The ARIN 52 Public Policy and Members Meeting, held 19-20 October 2023 in San Diego, California, and online, began with an insightful keynote address titled “The Challenges of RPKI-ROA Diffusion Within the U.S. Research and Education Community.” This presentation, delivered by Internet2 ’s Director of Routing Integrity, Steve Wallace, shed light on the complexities surrounding Resource Public Key Infrastructure (RPKI) adoption in Internet2’s community of higher education, research institutions, government entities, corporations, and cultural organizations. Read on for a recap of this keynote and the critical issues, barriers, and potential solutions discussed.
Watch the recording of Steve Wallace’s keynote address.
The Easy Button
Steve, whose role at Internet2 is to promote routing security and improve the routing security posture of their community, opened his keynote by sharing his “elevator pitch” for RPKI. Assuming a basic knowledge of RPKI and the creation of Route Origin Authorizations (ROAs), Steve explained how he refers to them as the “routing security easy button.” ROAs, created through a short and simple web form, are a powerful tool for mitigating network outages due to misconfigurations and certain hijack attempts. Emphasizing the ease of creating ROAs, Steve stressed that “everyone should be doing it.”
The Global Perspective
Steve then delved into a global perspective on RPKI and ROA adoption, presenting a graph comparing ROA coverage on the global Internet versus in U.S. research and education (R&E). “This is the kind of data I look at to motivate me,” he said. “I also share this data with our community to motivate them.”
Noting that approximately 46% of routes in the global table have covering ROAs today, Steve explained how that represents a significant success story. Over the past five years, this coverage rate experienced a remarkable 35% year-over-year growth from 10 to 46%. However, he pointed out that the U.S. R&E community needs to catch up to this global trend, with only 15-18% of prefixes covered by ROAs.
The U.S. Research and Education Community
Before exploring the causes of this lag in the R&E community, Steve explained what R&E networking entails. Internet2 is a nonprofit organization responsible for operating the U.S. National Research and Education Network (NREN). It connects 46 regional and state networks, serving organizations in all 50 states: More than 330 research universities and tens of thousands of Community Anchor Institutions. Steve clarified that Internet2 doesn’t provide full transit, so all those regional and state networks or campuses have full transit providers.
Internet2 also interconnects with 70 NRENs representing more than 100 countries worldwide, and it isn’t the only one experiencing slow RPKI adoption. About 20% of the global NREN routing table has ROA coverage — slightly higher than the U.S. R&E community but less than half that of the global Internet.
MANRS and the IRR
Steve noted that a considerable portion of the Internet2 community participates in the Mutually Agreed Norms for Routing Security (MANRS) initiative, signaling their relatively strong interest in routing security. However, even within this group, the percentage of routes covering ROAs fell short of the global Internet standard, raising questions about the remaining barriers to RPKI adoption.
Regarding Internet Routing Registry (IRR) records, Internet2 recently experienced a very successful boost in participation within its community. When Google announced it would stop accepting routes without good IRR information for settlement-free peerings like the one Internet2 uses to provide high-speed access to cloud providers, IRR coverage jumped from about 60% of routes to more than 95%. Steve’s investigation of why — if creating the IRR records themselves is no more difficult than creating a ROA — they were so successful in this situation but are still having difficulties with ROAs kicked off his list of barriers to RPKI-ROA adoption:
Technical Burden
While the IP address holder can share the responsibility for creating and maintaining IRR records with their state or regional network (Table 1), Steve described how RPKI-Route Origin Validation (ROV) transfers some of the technical burden for routing security from the Internet Service Provider (ISP) to the IP address holder. This works for well-resourced IP address holders (for example, cloud providers and ISPs) but not for K-12 school districts, community colleges, and even some universities that need more resources to shoulder that burden.
| Control | Origin Network | Transit network |
|---|---|---|
| Filter Routes From Customer | ✓ | |
| Publish policy via IRR | ✓ | ✓ |
| Publish policy via auth-IRR | ✓ | |
| Publish RPKI-ROA | ✓ | |
| Publish ASPA | ✓ | |
| Publish origin router cert (BGPsec) | ✓ |
Legacy Resources
The Internet2 community comprises mostly early adopters of the Internet; more than 80% of the IP address assignments are legacy resources. More than 45% are legacy resources not covered by an ARIN Registration Services Agreement (RSA); an RSA is required to access ARIN’s advanced services like RPKI.
Navigating the ARIN Agreement
Most institutions Internet2 connects are public institutions, which are frequently subject to local law requiring changes to the RSA. Steve commended ARIN for significantly improving the agreement and the process for making and accommodating changes for public institutions.
However, while ARIN provides clear instructions and policies for requesting and approving changes, the process still generates friction due to the technical and legal aspects involved. Network engineers must be convinced of the value of this new security feature (RPKI), and then leadership must be convinced of the importance of allocating an attorney to go back and forth.
Myths About the RSA
Steve highlighted some misconceptions he has encountered regarding signing ARIN agreements, such as the fear that ARIN might reclaim IP addresses if they’re not efficiently used and the belief that it hinders IP address monetization — neither of which is the case.
He also applauded ARIN for its recent user interface and reporting updates that have made it vastly easier to address the frequent lack of clarity about whether an RSA covers an organization’s resources. In many cases, institutions in the Internet2 community have some IP addresses or Autonomous System Numbers (ASNs) under an RSA, but they assume that the bills they receive and the resources they see in ARIN Online mean that all their resources are covered. ARIN Online now clearly indicates which resources are and are not covered. ARIN publishes a daily Resources Under Registration Services Agreement (RSA) Report that lists each organization and whether they are receiving the full suite of ARIN’s registry services (meaning the resources are under the agreement) or basic legacy services (meaning the resources are not under the agreement).
“ARIN has worked with Internet2 to help us understand who in our community doesn’t have the agreements,” Steve said. “And that’s been very valuable because we can reach out to those people with a high degree of certainty and be able to tell them the status of those agreements and what that means. Now that ARIN is publishing that information, I think there’s an opportunity for other Internet service providers to use that information to inform their outreach to their customers.”
No Natural Champion
While “Chief Information Security Officer” (CISO) refers to “security,” Steve shared that in his experience, CISOs and security teams have not yet integrated routing security into their organizations’ standards of cybersecurity care, instead seeing it as the network team’s responsibility.
“I think it’s important to change that, and I see some of that change happening,” Steve said. “And I think that will be a tipping point when that happens — when enough CISOs get in a room, and they’re talking about routing security. But that’s not happened yet.”
Steve also pointed to confusion about who takes care of the range of security functions related to a network as part of this issue. Some networks within the Internet2 community outsource things like DDoS detection and mitigation, but they assume that routing security is included in that outsourcing and, therefore, already taken care of. But the reality is that routing security is its domain and requires attention across multiple teams in an organization.
Lack of Urgency
Without compelling deadlines — like the one that existed for creating IRR records with Google’s policy on settlement-free peerings — or incentives like a current outage or experiencing a route leak, there is little motivation among organizations to adopt RPKI and create ROAs.
Steve addressed the 31 December 2023 expiration of ARIN’s legacy fee cap, explaining that the impending pricing changes for legacy resources may create some urgency for small institutions. However, larger institutions with larger budgets may not be as impacted or motivated by the changes. Either way, this motivating factor will cease on 1 January 2024.
“ARIN’s sunsetting of the legacy fees has been helpful,” Steve said. “But we’re going to lose some momentum starting next year.”
Leadership Awareness
Closing out his list of barriers to RPKI adoption and ROA creation, Steve surmised that leadership is not hearing the importance of routing security from the right avenues or the right number of avenues to drive it home and make it the standard of care it should be.
Addressing the Challenges
Steve then went on to share how Internet2 is working to overcome all those challenges:
- Extensive Outreach: Internet2 dedicates Steve’s full-time position to educating and raising awareness among its community’s leaders, decision-makers, and engineers.
- Education and Support: Webinars, office hours, ROA-thons, and individual support sessions are offered to help organizations learn everything from “What is ARIN?” to how to create a ROA.
- Motivating Messaging: Steve emphasized the importance of getting organizations to recognize their Internet connection as critical infrastructure. That opens the door to convincing them of the need to create ROAs so that critical infrastructure can be protected and capable to the greatest extent possible now and in the future. Steve also encouraged transit providers with ROV to let their users know they can benefit from creating ROAs.
- Collaboration with ARIN: To address the friction experienced by public institutions, Internet2 continues to work with ARIN to streamline the ARIN agreement process.
- Encouraging Outsourcing: Organizations can delegate a Routing Point of Contact in their ARIN Online account to empower another party to create and maintain their ROAs. Steve reported that, although the process of designating a Routing Point of Contact isn’t streamlined, Internet2 is seeing instances of this, with some state and regional networks offering to manage those tasks on behalf of institutions that can’t or don’t want to deal with it themselves. He expressed the desire for ISPs willing to take this on to have an onboarding process to make the designation part of it easier for the customer.
Progress and Future Perspectives
Despite the challenges, progress has been made in RPKI adoption within the U.S. research and education community.
“As of three or four weeks ago, we’ve gotten [the] 700 number down to 600,” Steve said of the Internet2 organizations without an ARIN agreement.
“When I first started looking at this, ROA coverage was about 4 percent. Now it’s about 15 to 18 percent,” he reiterated. “[We’re] definitely increasing routing security; you have to give hats off to MANRS. I think they’ve done an excellent job making that something people are aware of.”
However, Steve expressed concerns about needing a similar centralized effort in other sectors. He suggested that Information Sharing and Analysis Centers (ISACs) or trade groups take up the cause of prioritizing and promoting routing security as an essential component of cybersecurity to the small organizations in their sectors.
Comments, Questions, and Conclusion
During the Q&A session that followed Steve’s presentation, ARIN community members added their thoughts on improving RPKI adoption numbers.
One person noted the need for all address blocks owned by an organization to be given the capability of ROA management by a third party was a barrier to delegating that responsibility, especially for organizations with large address blocks being leased out.
Another person suggested that the messaging to promote RPKI should no longer be that it’s simply a nice add-on for routing security but that it is becoming an essential connectivity requirement as cloud providers, transit providers, DDoS mitigation providers, and more are now making RPKI a prerequisite to use their services.
Attendees were encouraged to use the ARIN Consultation and Suggestion Process (ACSP) to propose minor tweaks and improvements related to RPKI, as was support for integrating RPKI-related content into the Certified Information Systems Security Professional (CISSP) certification.
Steve Wallace’s keynote address at ARIN 52 shed light on the challenges and barriers faced by the U.S. R&E community in adopting RPKI and creating ROAs. By identifying these hurdles and proposing solutions, Internet2 works toward a more secure and resilient Internet infrastructure within its community and beyond. The comments provided by other ARIN community members added valuable insights and feedback on the topic of RPKI adoption and its significance in improving Internet security and connectivity.
Post adapted from the original, which first appeared on the ARIN Blog.
Christina Paladeau is a Social Media and Content Specialist at ARIN.
Leave a Comment