Improving the Resilience of Cable Networks Through RPKI

Improving the Resilience of Cable Networks Through RPKI

Tao Wan
Distinguished Technologist, Security

Jan 24, 2022

Today, CableLabs is releasing a set of best common practices to help accelerate the deployment of Resource Public Key Infrastructure (RPKI), which can mitigate the risk of IP prefix hijacking.

All broadband networks serving residential and business users consist of both access networks and IP networks. The access network connects residential homes and business premises to the broadband provider’s IP network. IP networks are then interconnected, using the Border Gateway Protocol (BGP), to form the internet.

A common disruption to BGP and the exchange of traffic between IP networks is IP prefix hijacking, which can occur accidentally (e.g., by misconfiguration) or intentionally (e.g., by malicious parties).

Incidents of IP prefix hijacking occurred as early as 1997, when a top-level autonomous system (AS) accidentally advertised routes for a large number of IP prefixes belonging to other network operators, creating a routing black hole and major disruption to the internet. Since then, IP prefix hijacking has occurred regularly, causing service disruption to hundreds of millions of internet users, and is considered one of the top threats to internet availability.

Fortunately, network operators and the broader industry have come together to address the risk of IP prefix hijacking. Specifically, RPKI has been standardized by Internet Engineering Task Force (IETF) with deployment strategies outlined by the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) and is being deployed by cable operators and other network operators to prevent IP prefix hijacking. RPKI allows the rightful owner of IP address spaces to cryptographically assert the ownership of their prefixes. It then allows other parties to verify received BGP routes against the trusted cryptographic assertions to detect prefix hijacking. Today, about a third of IP prefixes announced on the internet are digitally signed using RPKI.

To help speed up the deployment of RPKI across the internet and improve the resilience of all networks, CableLabs is releasing an RPKI deployment best common practices (BCP) document. This document was developed by BGP experts from CableLabs and its members (including Charter, Comcast, Cox and Liberty Global) who have successfully deployed RPKI in their networks.

The RPKI deployment BCP provides a five-step guide to deploy both Route Origin Authorization (ROA) and Route Origin Validation (ROV), two major components of RPKI. In addition, it provides guidance on the monitoring of RPKI and BGP to ensure continuous health of the routing infrastructure.

To that end, we invite you to download the CableLabs BCP as a resource in deploying and maintaining RPKI in your networks. With the widespread deployment of RPKI, we can minimize the risk of IP prefix hijacking and increase the security and resiliency of the internet.