All Dutch government networks will use RPKI to prevent BGP hijacking

The Dutch government will improve the security of its Internet routing by adopting the Resource Public Key Infrastructure (RPKI) standard before the end of 2024.

RPKIor Resource Certification protects against erroneous rerouting of Internet traffic, malicious or otherwise, through cryptographic verification of routes.

The standard uses digital certificates to secure the Border Gateway Protocol (BGP) used to exchange routing information and ensure that traffic passes through the legitimate network operator controlling the IP addresses on the destination path.

RPKI for all ICT systems

Standardization forum in the Netherlands, a research and consultancy organization serving the public sector on the use of open standards, announced that all communication devices (ICT) operated by the Dutch government must use the RPKI standard by 2024 .

The government backed the recommendation and in a decision last week adopted the policy which refers to both newly added ICT equipment as well as existing systems.

RPKI certificates are stored centrally and remain public, allowing network providers anywhere in the world to validate Internet traffic routes.

Networks that implement RPKI can be confident that Internet traffic is routed only through authorized paths, eliminating the risk of man-in-the-middle attacks or other data hijacking and interception attacks.

Without RPKI, Internet routing depends on trusting network operators who advertise the correct IP prefixes that they manage. In this model, however, if an operator falsely advertises that it manages a particular set of IP addresses, it would receive traffic that would otherwise take a different path.

Besides the performance impact (e.g. network latency, disruption), this trust-based model opens the door to malicious BGP hijacking that enables traffic interception and monitoring, as well as spoofing. ‘legitimate IP addresses for spam.

An example of BGP hijacking dates back to 2019, when Dutch internet service provider KPN’s network traffic was diverted to China Telecom. for more than two hours.

Internet traffic rerouting can also occur in error when a misconfiguration causes a network operator to advertise another party’s IP space. In 2021, such an accident disrupted thousands of networks all over the world.

Adoption of RPKI

RPKI adoption is already high in the Netherlands, with 77.9% of government websites and 75.1% of email domains already supporting the standard.

RPKI support in Dutch government networks
RPKI support in Dutch government networks (forumstandaardisatie.nl)

However, global adoption of RPKI has progressed more slowly than its developers and proponents had hoped, with Tier 2 ISPs falling behind.

The National Institute of Standards and Technology (NIST) in the United States has a live RPKI monitor which provides real-time information about the RPKI ecosystem drawn from various data repositories, including BGP routing information.

According to NIST data from April 2023, approximately 41% of verifiable IPv4 prefix-origin pairs are RPKI compliant, 58% are susceptible to routing failures, and 1% have a mismatch in their route origin keys. are therefore not valid.

NIST Historical Data on PRKI Adoption
NIST Historical Data on PRKI Adoption (NIST)

RPKI contributes to a safer and better internetbut a 41% adoption rate shows that there is still a long way to go to improve traffic safety around the world.

In early 2020, the RPKI adoption rate was 18% and increased to 27% in January 2021 and 33.5% in early 2022.


Source link