Workonline deploys RPKI-based BGP origin validation to build a more secure Internet
On 1 April 2019, Workonline Communications became the first African wholesale IP transit provider to deploy Resource Public Key Infrastructure (RPKI) origin validation (OV) to improve the security of Internet routing around the world. The company also leads the way globally as one of the early adopters of the security technology.
A specialised public key infrastructure (PKI) framework, RPKI is designed to secure the Internet's routing infrastructure. Traditional PKI ensures the authentication of certain online activities, such as e-commerce transactions, Internet banking or secure e-mail, by cryptographically validating that a specific public key belongs to a particular entity, via a digital certificate stored in a central registry. Successful authentication tells the user that, for instance, they are indeed interacting with their bank's website and can confidently proceed with the transaction.
RPKI, on the other hand, validates Internet number resource information (for instance, autonomous system numbers and IP numbers) shared between the backbone networks that make up the Internet, to help ensure that online traffic doesn't get hijacked or misdirected, either intentionally or accidentally. RPKI OV adds a layer of security to the Border Gateway Protocol (BGP) so that when routing decisions are made, operators can be more certain that the available routes are legitimate.
This means that Workonline's customers can be confident that their Internet traffic will reach the destination it is intended for. At one end of the spectrum, it stops traffic being misdirected because a human entered incorrect AS and IP numbers; and at the other extreme, it guards against criminals deliberately hijacking IP routes.
The thought leader and driving force behind the deployment of RPKI around the world, Job Snijders, who is also Internet architect at NTT Communications, says: "By joining global industry leaders such as AT&T and Cloudflare in deploying RPKI, Workonline is actively protecting its customers from mistaken and fraudulent routing. In addition, it is helping all other networks, whether or not they have a direct relationship. Workonline's honouring of RPKI Route Origin Authorisations (ROAs) published by other operators increases the security of Internet routing for all."
"This security enhancement was a natural next step in our mission to connect Africa to the world and the world to Africa," says Edward Lawrence, director of business development at Workonline. "As well as the clear security benefits, this ensures that our customers' traffic to and from Africa is accurately and safely routed.
"Another win is that RPKI, in fact, helps prevent network performance degradation through ensuring higher quality routing by rejecting any invalid BGP announcements."
Ben Maddison, the director of network operations at Workonline, says: "The RPKI and the OV mechanisms have been around a long time, but large Internet network operators deploying at scale is a relatively new phenomenon. We're hoping that by moving early, we will be able to gather some much-needed operational experience that can be shared with the rest of the industry to accelerate adoption across the board. It's a substantial advance in making the Internet a more secure and robust system."
Becoming a global leader in RPKI implementation is the latest milestone in Workonline's overall commitment to Internet routing security improvement. Workonline was also the first African network to sign up to the Mutually Agreed Norms for Routing and Security, a global initiative supported by the Internet Society, that seeks to reduce the most common routing threats through co-operation among its members. Furthermore, Workonline regularly runs BGP training sessions to support its customers' network engineers in maintaining high-quality routing practices.
How does RPKI work?
RPKI resource certificates give network operators verifiable proof of ownership of a resource's allocation or assignment by a Regional Internet Registry (RIR). Network operators can create cryptographically verifiable statements, which are ROAs, about the route announcements they authorise for the prefixes they own. Only the legitimate holder of the IP prefix can create an RPKI ROA using their resource certificate. Other network operators can use RPKI validator software to download and validate these ROAs, and then confidently use ROAs as input into their Internet route filtering.
It is an initiative driven by the global Internet industry, with Internet Engineering Task Force-defined technical specifications. For more information on BGP Prefix Origin Validation, visit https://tools.ietf.org/html/rfc6811.