Telstra to roll out RPKI routing security from June 2020

Internet routing is a screaming car wreck, as we know, and network operators should use the tools available to make it more secure and reliable.

That's been happening across Asia Pacific and Africa as operators roll out Resource Public Key Infrastructure (RPKI) Route Origin Authorisations (ROAs) to certify the truth of routing messages transmitted by the Border Gateway Protocol (BGP).

In Bangladesh, for example, the National Data Centre (NDC) set a deadline of 1 December 2019, after which they would dump all invalid routes.

Before then, they conducted an awareness campaign across their customer base -- government agencies, law enforcement and special forces, banks, internet service providers, data centres, internet exchanges, and universities. That campaign included website posts in local languages, direct email to every network contact, and even a Facebook group to discuss progress.

The change was dramatic, according to figures provided at last week's Asia Pacific Regional Internet Conference on Operational Technologies (APRICOT) in Melbourne by Mohammad Abdul Awal of the Network Startup Resource Center.

In September 2019, only 29% of the route information exchanged with NDC's routers was validated with RPKI in an automatic process called Route Object Validation (ROV).

Only 2% of the routing data was detected as being invalid, meaning the majority 69% of data had unknown validity.

But through November 2019, 45% of routing data was validated, and by January 2020 the figure was 72%.

While the awareness campaign clearly went well, it wasn't totally smooth.

"Not everyone is very nice in doing it," Awal said.

"I faced a lot of weird situations where people denied in my face that I'm not going to do it. It's just because their ego comes in the picture. Because I'm saying it and he's not doing it."

Similar growth in RPKI use has been seen in Africa, according to Mark Tinka, head of engineering at SEACOM, the major submarine cable provider in eastern Africa.

SEACOM will be dropping all invalid routes from 1 April 2020.

They will be joined by Liquid Telecom, a major network provider in eastern and southern Africa, as well as pan-African network services provider Workonline Communications.

"Folks like Cloudflare, Google, and all of those have announced that in the next few months they're going to start dropping invalids, so if you didn't think there was a reason to turn it on, this could be a good one," Tinka said.

"Once they start signing their ROAs and once they start dropping invalids, it could potentially disconnect your network from those services."

Other international players like AT&T and Telia have already enforced RPKI across their networks.

But what about Telstra?

As an audience member noted, however, Australia's largest network provider Telstra is yet to join the RPKI ecosystem, although that's set to change.

According to a Telstra spokesperson, the company's current implementation uses a combination of IP-owner subnet validation, which is based on the WHOIS database, in addition to route and AS-path filtering, which are based on access lists.

"Telstra are currently underway with implementation of RPKI and well advanced in the Australian market with ROV (Route Origin Validation) soft-launch targeted for June 2020 and staged roll-out to follow," the spokesperson told ZDNet.

"We will be working closely with our customers to encourage adoption and implementation of the RPKI standard."

Disclosure: Stilgherrian travelled to Melbourne as a guest of the Asia Pacific Network Information Centre (APNIC) whose conference was held in conjunction with APRICOT.

Related Coverage

MIT: We've created AI to detect 'serial internet address hijackers'

MIT researchers develop an AI algorithm for network operators to detect and automatically ignore bad ISPs.

Dear network operators, please use the existing tools to fix security

The internet's security and stability would be significantly improved if network operators implemented protocols that were already written into technical standards and if vendors provided better tools for fixing security.

For two hours, a large chunk of European mobile traffic was rerouted through China

It was China Telecom, again. The same ISP accused last year of "hijacking the vital internet backbone of western countries."