Border Gateway Protocol (BGP)
Securing Global Routing with RPKI and Prefix Filtering
Learn how to implement cryptographically secure routing using RPKI and route filters to prevent malicious BGP hijacks.
In this article
The Vulnerability of Global Trust
The Border Gateway Protocol remains the foundational fabric of the internet, yet it was designed in an era when global connectivity relied on mutual trust between a small group of researchers. In this environment, any router can technically announce any IP prefix to its neighbors, and those neighbors will likely propagate the information globally. This lack of inherent authentication allows a single misconfigured router to accidentally or maliciously hijack massive swathes of internet traffic.
A BGP hijack occurs when an Autonomous System announces a prefix it does not own or provides a shorter, more attractive path to a prefix it should not be advertising. When this happens, data packets intended for a specific destination are diverted to the attacker's network, where they can be inspected, dropped, or modified. These incidents frequently lead to large-scale outages and significant security breaches for financial institutions and critical infrastructure providers.
Traditional defense mechanisms relied heavily on manual prefix lists and community-driven databases like the Internet Routing Registry. However, these databases are often outdated, inconsistent, and lack a cryptographically verifiable chain of trust. To move toward a secure internet, engineers must implement automated, cryptographically backed systems that verify route ownership in real-time.
BGP is essentially a gossip protocol where every participant is assumed to be telling the truth, making the global routing table only as secure as the weakest link in the chain.
The Mechanism of a Hijack
BGP path selection logic prioritizes the most specific prefix length, such as a slash twenty-four over a slash sixteen. Attackers exploit this by announcing a more specific subnet of a target's network, ensuring that traffic globally favors the attacker's route. Even if the prefix length is the same, routers will often choose the path with the shortest Autonomous System path length, which attackers can easily forge.
Why Manual Filters Fail at Scale
Maintaining static prefix filters for every upstream and peer connection is an operational nightmare for growing networks. As peers change their IP allocations, manual lists quickly become stale, leading to legitimate traffic being dropped or unauthorized routes being accepted. This manual overhead creates a brittle security posture that cannot keep pace with the dynamic nature of global routing.
Digital Signatures for IP Prefixes
Resource Public Key Infrastructure provides a framework for securing the internet's routing infrastructure by linking IP address blocks to specific public keys. This system allows the legitimate holders of IP resources to issue digital certificates that authorize a specific Autonomous System to originate their prefixes. These certificates are known as Route Origin Authorizations and form the bedrock of modern BGP security.
By using a hierarchy of trust anchored by the five Regional Internet Registries, RPKI enables any network operator to verify the authenticity of a BGP announcement. When a router receives an update, it can check the ROA to ensure the announcing AS is authorized to do so and that the prefix length falls within the permitted range. This cryptographic verification removes the need for blind trust in the BGP update process.
The adoption of RPKI requires two primary components: the publication of ROAs by resource holders and the implementation of Route Origin Validation by network operators. While many organizations focus on publishing their own records, the real security gain comes from actively dropping invalid routes learned from peers. This collective effort effectively shrinks the surface area available for BGP hijacking attacks.
The RPKI Trust Anchor Hierarchy
The security of RPKI is derived from a distributed architecture where trust is rooted in the Regional Internet Registries like ARIN or RIPE NCC. Each registry acts as a Trust Anchor, issuing certificates for the resources they manage. Operators use local software called validators to download these certificates, verify their signatures, and create a simplified list of Validated ROA Payloads for their routers.
Implementing Route Origin Validation
Implementing Route Origin Validation on production hardware involves setting up a local cache server that communicates with the RPKI validators. This cache server uses the RPKI-to-Router protocol to push a clean list of validated prefixes to the routers. By keeping the heavy cryptographic processing on a separate server, the router's CPU is preserved for core packet forwarding tasks.
Once the router has a synchronized list of validated routes, it evaluates incoming BGP updates against three possible states: Valid, Invalid, or Not Found. A Valid state means the announcement matches a cryptographic record, while an Invalid state indicates a mismatch that likely represents a hijack or a severe misconfiguration. The Not Found state applies to prefixes where the owner has not yet created a record in the RPKI system.
The standard industry recommendation is to prioritize Valid routes and, most importantly, to reject Invalid routes immediately. Handling Not Found routes is more nuanced, as many legitimate networks have not yet adopted RPKI. For these, operators typically allow the traffic but may assign a lower local preference to favor validated paths whenever possible.
Configuring the RPKI-to-Router Session
The following example demonstrates how to configure a router to connect to an RPKI validator and apply validation logic to incoming BGP sessions. This setup ensures that the router receives a live stream of valid prefix-to-AS mappings and can act on them during the path selection process.
1! Connect to the local RPKI validator cache server
2rpki server 10.0.0.50
3 port 323
4 refresh 600
5!
6! Define a route map to handle the validation states
7route-map RPKI_VALIDATION permit 10
8 match rpki invalid
9 set local-preference 0
10 ! In production, it is best practice to 'deny' invalid routes entirely
11!
12route-map RPKI_VALIDATION permit 20
13 match rpki valid
14 set local-preference 200
15!
16route-map RPKI_VALIDATION permit 30
17 match rpki not-found
18 set local-preference 100
19!
20! Apply the route-map to a BGP neighbor
21router bgp 65001
22 neighbor 192.168.1.1 route-map RPKI_VALIDATION inValidation Logic States
When a router performs ROV, it compares the incoming prefix and the originating AS against its local cache. An announcement is marked as Invalid if an ROA exists for the prefix but the AS number does not match, or if the prefix length is more specific than the Max Length allowed. Understanding these states is vital for troubleshooting connectivity issues that arise from strict validation policies.
Hardening with Advanced Filtering
While RPKI secures the origin of a route, it does not fully secure the path the route takes across the internet. To mitigate this, engineers should supplement ROV with robust AS-Path filters and prefix limits. These filters act as a secondary defense, ensuring that even if a route passes origin validation, it does not violate common-sense routing patterns or exceed expected capacity.
Maximum prefix limits are an essential tool for protecting a router's memory and stability. By setting a cap on the number of prefixes accepted from a specific neighbor, you prevent a peer from accidentally leaking the entire global routing table into your local environment. If the limit is exceeded, the BGP session is typically torn down or blocked, preventing a catastrophic resource exhaustion event.
Another critical technique is the use of AS-Path access lists to restrict the networks your peers are allowed to transit through. For example, if you have a private peering relationship with a local ISP, you should only accept routes that originate from their network or their direct customers. This prevents the peer from acting as an unauthorized transit provider for the rest of the internet.
Automating Filter Generation
Manual filter updates are prone to error, so many organizations use tools to generate configurations from the Internet Routing Registry. By querying databases with specific tools, you can build dynamic prefix lists that only allow verified assets. This automation reduces the risk of accidental outages while ensuring that your filters remain current with your peers' network changes.
1import subprocess
2
3def generate_prefix_list(as_number):
4 # Querying the irrtoolset to get prefixes for a specific AS
5 command = ["peval", f"AS-ANY AND AS{as_number}"]
6 try:
7 output = subprocess.check_output(command).decode("utf-8")
8 # Process the output into a router-compatible format
9 print(f"! Generated prefix list for AS{as_number}")
10 return output
11 except subprocess.CalledProcessError as e:
12 return f"Error generating list: {e}"
13
14# Example usage for a peer AS
15generate_prefix_list(64496)Scrubbing BGP Communities
BGP communities are tags used to influence routing policy across different networks. However, malicious or malformed community strings can lead to unexpected routing behavior if they are leaked between peers. It is best practice to scrub all incoming community attributes from your peers and only apply your own internal tags to control traffic flow within your network.
Operational Monitoring and Response
Security is not a static state but a continuous process of monitoring and adjustment. Once RPKI and filtering are in place, you must monitor your BGP sessions for validation failures and unexpected route withdrawals. Tools that provide a global view of BGP announcements can alert you when your own prefixes are being spoofed or when a critical peer has misconfigured their RPKI records.
Analyzing the impact of dropping invalid routes is crucial for maintaining network availability. Sometimes, legitimate networks misconfigure their ROAs, leading their own traffic to be dropped by anyone enforcing strict RPKI policies. Having a clear operational procedure for identifying these 'false positives' allows your team to reach out to the offending network or temporarily bypass validation for that specific peer.
Ultimately, the goal is to reach a state where BGP hijacks are automatically mitigated by the network fabric itself. By combining cryptographic origin validation with automated filtering and proactive monitoring, you create a resilient architecture that protects both your users and the global internet. The transition from a trust-based system to a verified system is the most significant upgrade in the history of internet routing.
Continuous Visibility Tools
External monitoring platforms like BGPStream and ARTEMIS provide real-time telemetry on how your network is perceived from various global vantage points. These tools use a network of looking glasses to detect path anomalies and origin changes as they happen. Integrating these alerts into your incident response workflow ensures that you can react to hijacks in minutes rather than hours.
The Road to ASPA
The next evolution in BGP security is Autonomous System Provider Authorization. This emerging standard aims to secure the path of a route by verifying the relationship between upstream and downstream providers. While ROV secures the 'who,' ASPA secures the 'where,' completing the security model and making it nearly impossible for attackers to forge valid paths.