BGP Origin AS Validation

Introduction

The BGP Origin AS Validation architecture is used to prevent IP address space from being hijacked. It relies on the Resource Public Key Infrastructure (RPKI) to cryptographically tie a resource, such as an IP address block, to the ASN that is authorized to originate it.

Overview

  • Validates that the origin ASN of a BGP route is authorized to originate that IP address space.
  • Does not validate the whole AS path, only the originating AS.
  • Vendor Support
    • Cisco IOS - 15.2
    • Cisco IOS-XR - 4.3.2
    • Juniper - 12.2

Terminology

  • ROA (Route Origin Authorization) - states which ASN is authorized to originate an IP address prefix. It can also carry a maximum prefix length (maxLength), bounding how specific the announced prefix may be.
  • Validity States:
    • Valid - At least one ROA covers the prefix, and its ASN and maximum length match the advertised route.
    • Invalid - One or more ROAs cover the prefix, but none matches the route: either the advertising ASN is not authorized for it, or the advertised prefix length is more specific than the ROA for that ASN allows.
    • Unknown - No ROA covers the prefix: none has been created for the IP address space, or none covers the advertised route.
  • Routers do not validate the ROAs themselves; the cryptographic checks are done by the RPKI server (validator), and the router only consumes the resulting prefix/ASN/maxLength records.
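As an added example (not part of the original page), the three validity states above implemented as a small Python function over a constructed table of validated ROA payloads (VRPs), the records an RPKI server hands to a router; the `VRP` class, `validate_origin` and the sample prefixes and ASNs are assumptions for illustration, drawn from documentation address and ASN ranges.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VRP:
    """Validated ROA payload as an RPKI cache delivers it to a router.
    Constructed sample data for this example, not real registry data."""
    prefix: str       # ROA prefix, e.g. "192.0.2.0/24"
    max_length: int   # maxLength from the ROA
    asn: int          # ASN authorized to originate the prefix

# Constructed VRP table using documentation prefixes and ASNs.
VRPS = (
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 24, 64497),
    VRP("2001:db8::/32", 48, 64496),
)

def validate_origin(route_prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Classify a BGP route as 'valid', 'invalid' or 'unknown'.

    A VRP *covers* the route when the route lies inside the VRP prefix.
    A covering VRP *matches* when its ASN equals the origin ASN and the
    route is no more specific than maxLength. Any match -> valid;
    covered but no match -> invalid; no covering VRP -> unknown.
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue  # not covered by this VRP
        covered = True
        if vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"  # first match is enough
    return "invalid" if covered else "unknown"

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                        ("198.51.100.0/25", 64497), ("203.0.113.0/24", 64496),
                        ("2001:db8:1::/64", 64496)]:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn)}")
```

The 198.51.100.0/25 case shows why maxLength matters: the route is covered by the /24 ROA but is more specific than the ROA permits, so it is Invalid rather than Unknown.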

Architecture

  • Composed of a number of architectural parts:
    • BGP router - receives validation records and applies them to routes in its policy.
    • RPKI Server - the validator that fetches and cryptographically verifies ROAs.
    • RPKI Router Protocol (RTR) - carries the validated prefix/ASN/maxLength records from the RPKI server to the router.
    • Trust Anchors - the RIR entities such as RIPE NCC, ARIN, LACNIC, APNIC and AFRINIC.

Additional Resources

RIPE RPKI Internet Usage Report
Surfnet.nl RPKI Adaptation Report - Validity, adaptation and detail reports.
RPKI Monitoring - NIST Monitoring Statistics.
RPKI.net - Toolset
Cisco IOS XE BGP AS Origin Validation - Cisco Configuration Guide.
RIPE RPKI Info
Resource Certification - The Internet Journal
Internet Society RPKI

RFC6810 - The Resource Public Key Infrastructure (RPKI) to Router Protocol
RFC7115 - Origin Validation Based on the Resource Public Key Infrastructure (RPKI)

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License