Workonline Communications has become the first African wholesale IP transit provider to deploy Resource Public Key Infrastructure (RPKI) Origin Validation (OV) to improve the security of Internet routing around the world.
A specialised public key infrastructure (PKI) framework, RPKI is designed to secure the Internet’s routing infrastructure. Traditional PKI ensures the authentication of certain online activities such as ecommerce transactions, Internet banking or secure email by cryptographically validating that a specific public key belongs to a particular entity, via a digital certificate stored in a central registry.
Successful authentication tells the user that, for instance, they are indeed interacting with their bank’s website and can confidently proceed with the transaction.
RPKI, on the other hand, validates Internet number resource information, for instance autonomous system numbers and IP numbers, shared between the backbone networks that make up the Internet, to help ensure that online traffic doesn’t get hijacked or misdirected either intentionally or accidentally. RPKI OV adds a layer of security to the Border Gateway Protocol (BGP) so that when routing decisions are made, operators can be more certain that the available routes are legitimate.
This means that Workonline’s customers can be confident that their Internet traffic will reach the destination it is intended for. At one end of the spectrum it stops traffic being misdirected because a human entered incorrect AS and IP numbers, and at the other extreme, it guards against criminals deliberately hijacking IP routes.
Job Snijders, Internet architect at NTT Communications, says: “By joining global industry leaders such as AT&T and Cloudflare in deploying RPKI, Workonline is actively protecting its customers from mistaken and fraudulent routing. In addition, it is helping all other networks, whether or not they have a direct relationship. Workonline honouring RPKI ROAs published by other operators increases the security of Internet routing for all.”
“This security enhancement was a natural next step in our mission to connect Africa to the world and the world to Africa. As well as the clear security benefits, this ensures that our customers’ traffic to and from Africa is accurately and safely routed. Another win is that RPKI in fact helps prevent network performance degradation by ensuring higher quality routing by rejecting any invalid BGP announcements,” says Edward Lawrence, director of business development at Workonline.
“The RPKI and the Origin Validation mechanisms have been around a long time, but large Internet network operators deploying at scale is a relatively new phenomenon. We’re hoping that by moving early, we will be able to gather some much needed operational experience that can be shared with the rest of the industry to accelerate adoption across the board. It’s a substantial advance in making the Internet a more secure and robust system,” says Ben Maddison, director of network operations at Workonline.
How does RPKI work?
RPKI resource certificates give network operators verifiable proof of ownership of a resource’s allocation or assignment by a Regional Internet Registry (RIR). Network operators can create cryptographically verifiable statements, called Route Origin Authorisations (ROAs), about the route announcements they authorise for the prefixes they own. Only the legitimate holder of the IP prefix can create an RPKI ROA using their resource certificate. Other network operators can use RPKI validator software to download and validate these ROAs, and then confidently use ROAs as input into their Internet route filtering.
It is an initiative driven by the global Internet industry, with Internet Engineering Task Force (IETF)-defined technical specifications.