Strengthened RPKI on Restena infrastructure


By the end of February 2021, the Restena Foundation has strengthened the implementation of the Resource Public Key Infrastructure (RPKI) across its whole network infrastructure, further increasing its users’ online security.

The internet is an aggregation of several independent entities. In order for these entities to exchange data with each other, they are individually identified by a unique Autonomous System (AS) operator number used by transits and/or exchange point, depending on the case. These systems communicate with each other through the Border Gateway Protocol (BGP) which, by maintaining a routing database, directs traffic along the different routes directed by the different systems. However, the same route can be claimed by several Autonomous Systems. Thus, a so-called "malicious" entity can, thanks to the integration of efficient technical route selection criteria, claim to be the source of the route and thus illegitimately direct traffic to it. 

The Restena Foundation operates the Luxembourg network for research and education, the domain name registration system under the national extension .lu, and the backbone of the Luxembourg Internet exchange point LU-CIX under the number AS2602. To address this issue to which it is exposed, it has implemented RPKI (Resource Public Key Infrastructure) filtering in February 2021. 

For an even more secure internet

RPKI filtering intends to improve the security of routing on the internet, more specifically to avoid traffic aspiration (or the diversion of requests to a non-legitimate operator) by certifying the ownership of routes on the internet. It is applied to both input and output of infrastructure in order to protect information entering or leaving the network. Restena has been using the RPKI protocol since 2012 when it started signing all its routes in partnership with the European RIPE (Réseaux IP Européens) association which issues RPKI resource certification. Since then, Restena's routes are recognizable and valid for all networks that have implemented RPKI filtering.

This is precisely this filtering that Restena has implemented at the beginning of 2021. Thanks to it, the validity status of the announcements made via BGP by the various proposed routes are analyzed according to a RPKI resources certification. Thus, only routes identified to be valid according to the RPKI ROA (Route Origin Authorizations) protocol are now accepted by the Restena infrastructure, invalid routes being rejected. However, as RPKI is not applied by all telecom operators, many routes cannot yet be identified as valid or invalid. In this case, standard route selection management applies.

A protocol to be widely implemented

RPKI is a protocol deployed more than ten years ago. Since then, this initiative of telecommunication operators has been gradually implemented among operators throughout the world. With routes signed in this way, piracy on the internet is avoided and internet users are guaranteed of reaching the right resource, the right IP address.

However, for this protection to be fully effective, the implementation of RPKI by all telecommunication operators is essential. It is the only method currently available to differentiate between a legitimate route (leading to the right IP address) and an illegitimate route (to which traffic can be diverted and fall into wrong hands).