Embrace RPKI to Secure BGP Routing, Cloudflare Says

BGP (Border Gateway Protocol) routing isn’t secure and organizations should embrace Resource Public Key Infrastructure (RPKI) to improve security, Cloudflare says. Border Gateway Protocol was designed to control the route of data across the Internet. The state of BGP route validation, the website protection company argues, hasn’t seen improvements, thus leading to route leaks and hijacks. As part of BGP hijacking, attackers take over IP address groups by corrupting the routing tables that store the path to a network. RPKI, “a cryptographic method of signing records that associate a BGP route announcement with the correct originating AS number,” can improve BGP routing-security globally, but only if it would enjoy broad adoption, such as being deployed by multiple major network operators, Cloudflare claims. Around 8.7% of the IPv4 Internet routes are currently signed with RPKI, yet only 0.5% of all the networks apply strict RPKI validation, statistics reveal. Although there are protections in place to manage which network can announce which route and to allow one network to filter another network’s routes, route leaks and hijacks do happen, with the most recent of them involving a Russian ISP rerouting traffic from major tech firms, and the BGP hijack of payment processors.