A document I read a couple of months back specified Resource Public Key Infrastructure (RPKI) and BGPsec to be perfect solutions to these problems.

RPKI allows network operators to cryptographically define who is allowed to announce prefixes and verify whether an Autonomous System (AS) is authorized to announce a specific prefix. For this, a Routing Origin Authorization (ROA) is created by operators of ASes and signed by a private key. A ROA contains a set of prefixes tied to the origin AS. BGP-speaking routers then validate advertised prefixes against the ROA. Based on the result, if there are multiple paths to the prefixes, a lower local preference can be configured for an unauthorized prefix so the path via the authorized origin is preferred. BGP routers do not do validation by themselves, but they ask a remote validator (RPKI server) if an origin AS is authorized to announce a prefix.

The BGPsec protocol ensures that the entire path from the origin AS to the destination is valid. Each router on the path adds not only its local AS along with the prefix but also the AS number of the receiving neighbor to whom it is going to send an update message. This information is signed by a private key, and a router attaches a digital signature together with the hash of its public key to the BGPsec update message as the BGPsec_Path attribute. The BGPsec update message is sent to the neighbor, which does the same and adds its own signature signed with its own private key, plus the hash of its public key. Every edge router on the path validates all the signatures in a message to determine the authenticity of the path information contained in the BGPsec_Path.

Superb... but RPKI still isn't adopted as it should be, for many reasons; apparently one is the 'centralization', with the central server(s) and all that represents as single points of failure; also the incentive? What is the incentive for operators and carriers to go through all that hectic process?
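The origin check and local-preference step described in the post above, sketched as an added example that is not part of the original post. It uses the three validation states of RFC 6811 and the ROA maximum-length field; the sample ROA data (documentation prefixes and ASNs), the neighbor names and the local-preference values are constructed assumptions.

```python
import ipaddress

# Constructed validated ROA payloads: (prefix, max_length, authorized origin AS).
# Documentation prefixes and ASNs, not real routing data.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]

# Hypothetical policy: prefer validated origins, depref invalid ones.
LOCAL_PREF = {"valid": 200, "not_found": 100, "invalid": 50}


def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not_found' for an announced route."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in vrps:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA is relevant only if it covers the announced prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match needs the authorized origin AND a length within max_length.
        if origin_asn == roa_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: unauthorized announcement.
    return "invalid" if covered else "not_found"


def best_path(paths):
    """paths: list of (prefix, origin_asn, neighbor); pick by local preference."""
    return max(paths, key=lambda p: LOCAL_PREF[validate_origin(p[0], p[1])])[2]


if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64500),       # authorized origin
        ("192.0.2.0/24", 64511),       # wrong origin AS
        ("192.0.2.0/25", 64500),       # more specific than max_length allows
        ("2001:db8:1::/48", 64501),    # within max_length
        ("203.0.113.0/24", 64502),     # no covering ROA
    ]
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn)
        print(f"{prefix:18} AS{asn}  {state:9}  local-pref {LOCAL_PREF[state]}")
```

The third announcement shows why the maximum length matters: the origin AS is the authorized one, but the more-specific /25 is still rejected as invalid.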