What is RPKI?
RPKI stands for Resource Public Key Infrastructure. It is a public key infrastructure framework that is increasingly used to secure the Internet’s routing infrastructure. It is commonly implemented alongside the Border Gateway Protocol (BGP) as an instrument to validate received routes. It connects Internet resource information (mostly IP addresses) to a trust anchor, and as such it serves to prevent route hijacking and other attacks.
BGP is a vulnerable routing protocol, and as the Internet grew, more and more cases of route hijacking were seen. In a hijack, an Autonomous System announces routes into the Internet that it has no right to announce, disrupting service and potentially harming individual users or networks. Therefore the IETF provided a secure means to certify the allocated Internet number resources as a way to secure routing. The Internet Architecture Board considers a "properly designed and deployed RPKI an absolute prerequisite to having a secure global routing system, which is in turn a prerequisite to having a reliable worldwide Internet."
The basis of this architecture is the ROA, or Route Origin Authorization. A ROA is associated with a route announcement and can be verified cryptographically using RPKI.
RPKI at Belnet and BNIX
Belnet, the Belgian research network, has implemented RPKI on all of its borders. The infrastructure was put in place in 2020 and uses 2 RPKI servers to validate incoming routes. Since the beginning of 2022, this infrastructure has also been used by the BNIX route servers. In addition to the IRRDB filtering already in place, we’ve added a new layer of security to the routes learned via the route servers.
A route will only be dropped if a certificate exists for the Internet number resource in question and the route does not validate correctly against it. The absence of RPKI data will not cause a route announcement to be dropped, but we highly recommend implementing this architecture in your network.