Another layer of routing security on SWITCHlan

We’ve improved routing security on SWITCHlan even further by introducing Resource Public Key Infrastructure (RPKI).

Testo: Fabian Mauchle, pubblicato il 10.09.2020

Work, research, teaching, studying – today, almost nothing is possible at Swiss universities without a stable and secure network. 30 years of building and development have made the Research and Education Network SWITCHlan one of Switzerland’s most powerful networks. To continue meeting the growing requirements for a stable and secure network in the future, we are constantly investing in upgrades to our infrastructure.

A core element of SWITCHlan is the routing layer, which selects the path for the IP packets in the network. The standard protocol used to exchange routing information in the worldwide Internet is the Border Gateway Protocol (BGP). With BGP, neighboring networks announce the IP prefixes they can reach to their peers. Since every network operator has only control of the routing information of their own network, they must trust the information provided by their peers.

Unfortunately, the suggested routes in the Internet might be wrong due to configuration errors, or have been altered with malicious intent. Detecting such incorrect routing information is essential for mitigating routing problems in order to prevent service degradation as well as providing more security for users.

There are different methods to improve routing security. SWITCHlan complies with international standards such as the "Mutually Agreed Norms for Routing Security" (MANRS), that provide guidance to mitigate the most common routing threats. Such standards define concrete actions that network operators should take (filtering, anti-spoofing, validation, etc.). One security framework that improves routing security even further is the Resource Public Key Infrastructure (RPKI).

“RPKI helps network operators to make more reliable routing decisions. In RPKI digital certificates (based on X.509 certificates) are used to prove the association between (for example) IP address blocks and the holder of those Internet number resources. Thus, Internet routing information can prove the resource holder's right of use of their resources and can be validated cryptographically. ” RIPE NCC

SWITCH already signed its IP resources (IP ranges) in 2015 and completed signing of customer held resources for which SWITCH is acting as the sponsoring LIR in 2019. As the final implementation step, SWITCHlan is right now enabling the validation of routing information received from our peers.

The validation of routing information happens in two steps. First a validator software downloads the signed route origin authorizations (ROAs) from the five internet registries and performs the cryptographic validation. The final list of valid ROAs is then provided to the border routers which check each route received from a peer against this list. If a route violates the ROA, it is ignored.

SWITCH uses two different validator implementations to increase fault tolerance even if there are software bugs. Nevertheless, the whole system is designed in a fail-safe manner, as routing information will never be rejected due to a lack of information.

If you are an IP resource holder and registered as a local internet registry (LIR) at ripe, please help securing the internet routing system by certifying your IP resources. RIPE provides a very simple to use tool for this.

References and resources:

Fabian   Mauchle

Fabian Mauchle

After gaining a degree in IT (MSc FHO) from the University of Applied Sciences Rapperswil, Fabian Mauchle joined SWITCH in 2010. He works as a Network Engineer on the Network team.

Altri contributi