Businesses are driving digital initiatives that fundamentally change the way they interact with customers and provide them with a consistent, superior experience. These enterprises/providers have assets that span the cloud, offices, and increasingly the “intelligent” edge, along with business models that transcend all of these assets.
The internet’s core routing infrastructure is the foundational layer that is responsible for interconnecting all these assets while maintaining the integrity and security of the service. Unfortunately, the reality is that network integrity issues have continued to plague the internet, and this is in no small measure due to the implicit trust-based model for routing traffic across independent, inter-domain routing networks.
State of the Internet’s Routing System
In 2017, there were ~14,000 routing incidents affecting over 10% of all Autonomous Systems (AS) on the internet, as reported by the Internet Society. These incidents span the full spectrum, from accidental route leaks to malicious route hijackings, resulting in significant financial losses, even for high-profile services. The recent (Nov 2018) accidental leaking of routes, resulting in the loss of popular Google services, was a perfect example. Another famous recent (Apr 2018) example was the cryptocurrency theft worth $150,000.
Taking serious note of these issues, the US government agency, the National Institute of Standards and Technology (NIST), came out with a cybersecurity practice guide. The most powerful element of this guide is that its solution is based on a series of key standards-based BGP security proposals, including but not limited to RFC 6810, RFC 6811, RFC 7115, RFC 6480, and RFC 6482.
Cryptographic RPKI-based Route Origin Validation Solution
The proposal involves Route Origin Validation (ROV), which essentially means that a business/provider entity can validate whether the AS that has originated a BGP route advertisement is in fact authorized to do so. The Resource Public Key Infrastructure (RPKI) is a cryptographic PKI that publishes Route Origin Authorization (ROA) objects that specify which AS can advertise a given prefix.
The key benefit of this solution is that businesses now have visibility into the validity of the routes they receive, thereby improving the security of their assets. The real-time alerts enable network operators to execute data-driven policy decisions (e.g. quarantine/reject potentially malicious routes) that fundamentally impact their bottom line. As more entities adopt this solution, it can also help reduce outages due to these types of incidents.
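The origin-validation rule that ROV applies to each received route (RFC 6811: a route is Valid if some covering ROA authorizes its origin AS within the ROA's maxLength, Invalid if ROAs cover the prefix but none authorizes it, and NotFound if no ROA covers it), as an added example that is not Arrcus code and not ArcOS's implementation. The ROA entries and AS numbers are constructed from documentation prefixes and private AS ranges.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Validity(Enum):
    VALID = "valid"          # a ROA authorizes this origin AS for this prefix
    INVALID = "invalid"      # ROAs cover the prefix, but none authorizes this origin
    NOT_FOUND = "not_found"  # no ROA covers the prefix at all


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength and authorized origin AS."""
    prefix: str
    max_length: int
    origin_as: int


def _covers(roa: ROA, net) -> bool:
    """A ROA covers a route if the route's prefix lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate(prefix: str, origin_as: int, roas) -> Validity:
    """RFC 6811 validation outcome for a BGP route with this prefix and origin AS."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return Validity.NOT_FOUND
    for roa in covering:
        # A match needs the same origin AS and a prefix no longer than maxLength.
        # A ROA with origin AS 0 can never match a real route, so it marks the
        # prefix as "not to be announced" and makes any route for it Invalid.
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return Validity.VALID
    return Validity.INVALID


# Constructed sample ROAs (documentation prefixes, private AS numbers).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),  # allows /24 through /26 from AS64497
    ROA("203.0.113.0/24", 24, 0),       # AS0: nobody may originate this space
]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                     ("198.51.100.0/27", 64497), ("2001:db8::/32", 64496)]:
        print(pfx, asn, validate(pfx, asn, SAMPLE_ROAS).value)
```

An operator's policy then maps these outcomes to actions, for instance rejecting or quarantining Invalid routes while still accepting NotFound ones, since most of the internet's prefixes have no ROA yet.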
In spite of the significant advantages, the adoption of the ROV solution thus far, by enterprises and providers, has been limited because of perceived deployment complexity, very few routing vendor choices, performance challenges, and the high costs associated with these implementations.
The Arrcus Route Origin Validation (ROV) Solution
Given how critical routing security is to any enterprise/provider infrastructure, Arrcus has implemented an innovative, yet simple RPKI-based ROV solution that addresses the adoption challenges mentioned above and helps customers easily visualize and validate their inter-domain network traffic.
In the video demonstration below, you will see how an enhanced ArcOS® router is able to visualize “invalid” routes using its analytics engine service. Note that this solution can be extended to include other registries as well, such as the Internet Route Registry (IRR).
At Arrcus, “network different” is not just a tagline but a key lynchpin of the development philosophy. The Arrcus team has taken a leadership stance by co-authoring many of the RFCs referenced in the NIST guide and continues to lead many of the IETF leadership tracks in this area. In fact, ArcOS was built from first principles with security as a key architectural tenet. This has allowed Arrcus to offer differentiated security solutions, with RPKI-based ROV being just the first of many security capabilities that we see Arrcus pioneering ahead.
Arrcus’s ROV solution either comes packaged with the ArcOS router (physical or virtual) or is available as a cloud service.
Interested in knowing more?