
Lumen enhances routing security with Resource Public Key Infrastructure (RPKI)

Ron Pfaff Posted On March 22, 2021

Customers should verify their IP indexes to prevent traffic from being dropped

When you clicked the link to read this blog, you triggered a series of actions that directed your data across the internet to this page using the most efficient path possible. All along the way, as the data traveled from there to here, it encountered dozens of potential offramps, each advertising that it was willing and able to get it (and you) here – to this blog.

Because there are about a million possible network routes around the world, the global internet has a standard protocol to determine the best possible route for every trip along a network. It’s called the Border Gateway Protocol (BGP), and it’s like the Google Maps of networking. Without it, traffic would not have a route to follow – let alone a path that steered it clear of accidents and speed traps. It would be a bit like driving from New York to Los Angeles at night. Without a map. And wearing a blindfold.

When BGP was built in 1989, it was based on a mutual trust between networks that advertised routes were safe, accurate and not maliciously altered. This model was sufficient in the early days of internet development; however, it has become increasingly vulnerable to configuration mistakes or abuse by malicious actors looking to redirect routes to achieve criminal objectives.

To help close this security loophole, a growing number of network providers have committed to enabling Resource Public Key Infrastructure (RPKI). On March 25, 2021, Lumen will “flip the switch” and begin validating routes using RPKI on our global AS3356 internet core.

What is RPKI?

RPKI is a voluntary framework intended to secure internet routing infrastructure and prevent route hijacking and other inconsistencies. It does this by verifying that a specific system is authorized to use its stated IP prefixes. These authorizations – known as Route Origin Authorizations (ROAs) – occur at the Regional Internet Registry (RIR) level, so IP addresses are certifiably linked to a trusted authority.

IP service providers can use RPKI to validate IP route announcements, which helps ensure valid announcements are permitted and invalid announcements are dropped.

How RPKI works

Owners of IP addresses publish their RIR-certified ROAs, which state (1) which autonomous system is authorized to originate certain IP prefixes and (2) the length of those prefixes. RPKI validates the ROAs using BGP Route Origin Validation (ROV) – a process that verifies the originating system and prefix length published in the ROA.

Once implemented, Lumen will use RPKI route validation on all BGP sessions for both customers and peers. Lumen’s RPKI validation servers download the ROAs, examine them, then send the tables to routers that can determine the validity of an IP prefix. IP prefixes are then tagged and handled as follows:

| Tag | Meaning | Option |
|---|---|---|
| Valid | IP prefix has a positive match against the ROA | IP prefix is permitted |
| Invalid | IP prefix does not match the ROA, whether by invalid prefix length or invalid origin ASN | IP prefix dropped |
| Unknown | IP prefix is not in ROA | IP prefix is permitted |

Enabling RPKI on the Lumen AS3356 internet core

Once RPKI is enabled and active on the Lumen network for both peer and customer BGP sessions, there will be no requirement or process to “order” RPKI because it will already be “on”.

  • Customers who have existing, established ROAs will immediately receive BGP Route Origin Validation via RPKI from Lumen.
  • Customers who establish new ROAs will receive BGP Route Origin Validation once the ROA is completed.
  • Customers who do not have ROAs will not be impacted, and BGP route announcements will operate as normal (unless that route is actually owned by another entity with an ROA that only permits their origin ASN).

Customers will not have the option to turn off or deactivate RPKI. All external customer and peer sessions will be validated, and we will not make exceptions or allow special, unverified sessions.

Make sure your IP prefixes don’t get dropped!

Customers should use the Lumen Looking Glass (https://lookingglass.centurylink.com) to validate how their IP prefixes are being marked in the Lumen network. Invalid IP prefixes will be dropped for all peers and all customers beginning March 25. The validation state is marked with the following BGP communities:

community "rpki-valid" members "3356:901"

community "rpki-invalid" members "3356:902"

community "rpki-unknown" members "3356:903"
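To check announcements before they reach a validating network, the sketch below applies the origin-validation decision from "How RPKI works" (the RFC 6811 procedure) and maps each result to the tag, community and handling listed in this post. It is an added example, not Lumen's code; the ROAs are constructed from documentation prefixes and private-use ASNs, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ROAs: (prefix, max length, authorized origin ASN).
# Documentation prefixes and private-use ASNs, not real routing data.
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]

# Tag -> (community from the post, handling from the post's table).
HANDLING = {
    "valid": ("3356:901", "permitted"),
    "invalid": ("3356:902", "dropped"),
    "unknown": ("3356:903", "permitted"),
}


def validate_origin(prefix, origin_asn, roas=SAMPLE_ROAS):
    """Classify one announcement as valid, invalid or unknown (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route when the route sits inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # AS 0 in a ROA never authorizes any origin.
        if roa_asn != 0 and roa_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered, but no ROA matched both origin and length: invalid.
    return "invalid" if covered else "unknown"


def handling(prefix, origin_asn, roas=SAMPLE_ROAS):
    """Return (tag, community, action) for an announcement."""
    tag = validate_origin(prefix, origin_asn, roas)
    community, action = HANDLING[tag]
    return tag, community, action


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                     ("192.0.2.0/24", 64511), ("198.51.100.0/24", 64500),
                     ("2001:db8:1::/48", 64501)]:
        print(pfx, f"AS{asn}", *handling(pfx, asn))
```

The `192.0.2.0/25` case shows the common self-inflicted failure: a more-specific announcement from the authorized ASN is still invalid when the ROA's maximum length does not allow it.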

Additional resources

If you have questions about Lumen’s adoption of RPKI, please reach out to a member of your account team, or email RPKI Support. You can also visit the Lumen website to find additional information about RPKI including:

  • How to establish ROAs
  • Details about RPKI and Lumen DDoS Mitigation Service
  • Frequently asked questions
Author

Ron Pfaff

As Senior Vice President of Service Assurance at Lumen Technologies, Ron is responsible for global network technologies, infrastructure, and ensuring customer service. As a leading technology company, his team is committed to delivering solutions to an array of service and network obstacles. Lumen is the fastest, most secure platform for next-gen business applications and data and we are excited to offer high-end customer experiences.
