Resource Public Key Infrastructure (RPKI) Deployment Challenges and Limitations
Published:Last Updated:
Resource Public Key Infrastructure (RPKI) is crucial for securing BGP routing, but its deployment poses significant challenges for ISPs.
Key Points
- ISPs face technical, operational, and policy challenges in adopting RPKI.
- Despite its importance, RPKI adoption remains limited among ISPs.
Table of contents
Introduction: RPKI Deployment Challenges
Technical Implementation Barriers
Operational Management Complexities
Policy Development and Governance Frameworks
Economic Considerations and Resource Allocation
Industry Adoption Trends and Market Forces
Future Development and Strategic Evolution
FAQs
Introduction: RPKI Deployment Challenges
The Border Gateway Protocol (BGP), which has been called the "glue" that holds the internet together, is used to exchange routing information between autonomous systems (ASes). But its bottom-line design, which harks back to a more trusting time on the internet, does not have any security features baked in. This vulnerability has been abused in a number of major incidents of prefix hijacking and route leaking, causing large scale service outages, traffic interception, and financial and reputational loss. RPKI was designed in response to these threats. It is an instance of a public key infrastructure, tailored to secure the BGP routing by cryptographically authenticating the veracity of BGP route announcements. Despite the beauty of this design and the demonstrated effectiveness, the global deployment of RPKI has been a slow and painful process. The choice to implement RPKI is not a simple on/off switch for ISPs; the decision to turn the crank on RPKI is a difficult one that forces even the most security minded providers to confront a diverse array of technical challenges, operational headaches, and policy quandaries.
Technical Implementation Barriers
The biggest technical hurdle for ISPs is how to deploy RPKI on their networks, much of which has been around since before the security framework. Older routing hardware is sometimes unable to execute Route Origin Validation in real-time without drastically impacting the route processing performance (and thus packet forwarding) of an entire router. In addition, numerous networks run on old but stable software releases that are not capable of the RPKI extensions, meaning that complicated system upgrades (which always come with some degree of operational risk) need to be performed. The deployment of RPKI validator systems adds further architectural challenges, as ISPs need to be able to scale efficiently and ensuring high availability with a continuously growing global RPKI repository. The distributed architecture of large ISP networks adds additional complexity for deciding on the best validator placement strategy - should the validation infrastructure be centralized, or should it be regionally distributed with one or more regional validators? Both options have different trade-offs regarding latency, management overhead, and resilience.
Operational Management Complexities
In addition to technical integration, RPKI brings major operational issues requiring new processes and skills. The handling of the Route Origin Authorisations is a very different ball game in this case, and a single mistake in a ROA can result in valid routes being invalidated, effectively knocking them off the network, and causing widespread denial of service. This risk drives the need for strict policies on the production, review and renewal of ROAs, which can often mean cross-departmental collaboration between (traditionally siloed) network engineering and IP address management. The NOC needs to learn a new troubleshooting methodology, where staff need to be able to investigate problems in the RPKI ecosystem itself. This includes reading validation states, recognizing misconfigured ROAs from customers or peers, and determining if an issue is local to the validator or affecting the global repositories - all while trying to keep the network up during incident resolution.
Policy Development and Governance Frameworks
The RPKI transition needs to be accompanied by instrumented policy at internal and external levels. ISPs also need to have internal policies concerning the three RPKI validation states for how they will treat them which appropriately trade off security benefits vs operational flexibility. Strict policy of discarding all Invalid routes provides the maximal security, but in case when some legitimate routes are mistakenly Invalidated it may result in network disruptions; less strict policy weakening security benefits of the deployment.
Effective RPKI is a lot more complicated on the outside, and requires coordination with quite a few other entities to include the Regional Internet Registries so they’ll be managing resource certificates, enterprise customers who will need some education in ROA creation, and peer networks to have some policy alignment on validation. This type of multi-stakeholder process frequently highlights tensions between security imperatives and commercial considerations, such as the desire to preserve particular route-paths for traffic engineering or the execution of commercial agreements, which must be carefully negotiated and transmuted into policy terms across institutional boundaries.
Economic Considerations and Resource Allocation
The business case for RPKI deployment is challenging for ISPs, particularly multi-national / national/regional providers who are already working to tight budgets. The advantages of RPKI are largely preventative, and geared towards the collective good, and so it is challenging to show a return on investment in the traditional financial sense. RPKI improves routing security and mitigates hijack risk, but it is not a direct revenue generator, and its benefits will only be fully realized when it is broadly adopted across the internet ecosystem. That’s a classic tragedy of the commons situation—everyone will wait for the other ISPs to make the first move. As a result, RPKI implementation is a limited term investment of scarce engineering resources and budget, competing with more immediately profitable efforts, for example, network build out or new services versus security hardening. The business case becomes more complex when you factor in potential operational disruption during deployment, and the ongoing cost of maintaining the RPKI infrastructure.
Industry Adoption Trends and Market Forces
Although there are challenges associated with its deployment, RPKI adoption is increasing along with a combination of industry-led initiatives and market pressure. Large cloud providers, content delivery networks, and transit providers are increasingly requiring RPKI be implemented to peer with them, providing a strong financial incentive to implement it broadly. Initiatives such as MANRS (Mutually Agreed Norms for Routing Security) have defined the levels for implementation and can be a guide for ISPs starting to roll it out. Regional Internet Registries have improved their support and lowered the technical barriers for participation through better tools, documentation, and training. The developing legal regime, especially in Europe and North America, is also starting to introduce requirements on routing security into cybersecurity frameworks, further driving adoption. These intersecting trends are slowly transforming RPKI from a discretionary security improvement to a de facto standard of operational best practice for the global networking community.
Future Development and Strategic Evolution
RPKI deployment in the future is likely to be more automated and included as part of generalized network security management. Upcoming platforms are acquiring the functionality to synchronize ROA management with existing BGP policy configuration, to warn of potential misconfigurations before publishing, and to offer full-transparent view on RPKI validation states in the network infrastructure. Next-generation validator systems are expected to provide additional levels of performance and reliability, while efforts towards standardisation to protocols and implementation best-practice continue. Moving forward, the future development toward BGPsec (more a of a complete security framework that verifies the full AS path, not just the origin) will be built upon the basis of RPKI deployment. ISPs' strategic planning should include not only near-term RPKI implementation but also the anticipation of these and other future developments, to help ensure that the investments of today in skills and infrastructure will help drive their success in securing routing for the future as the standards and technologies continue to evolve.
FAQs
1. What is RPKI?
Resource Public Key Infrastructure (RPKI) is a framework designed to secure BGP routing by cryptographically verifying the authenticity of route announcements.
2. Why is RPKI important for ISPs?
RPKI helps prevent BGP hijacking and route leaks, ensuring the integrity and reliability of internet routing.
3. What are the main challenges in deploying RPKI?
Challenges include compatibility with existing infrastructure, scalability concerns, management of ROAs, and coordination among stakeholders.
4. How can ISPs overcome these challenges?
ISPs can invest in training, adopt automation tools, and collaborate with RIRs and industry groups to streamline RPKI deployment.
5. What is the future of RPKI deployment?
With ongoing efforts to address current challenges, RPKI adoption is expected to increase, enhancing the security of internet routing.