Activating validation services for route origin, TWNIC continues to safeguard Internet routing security with RPKI
People are increasingly reliant on the Internet for work, school and daily activities. The impact on people’s lives would be unthinkable should the Internet suddenly stop working. Border Gateway Protocol (BGP) is one of the key elements that allow the Internet to maintain smooth operation. BGP hijacking, whether the result of an intentional attack by hackers or of unintentional configuration errors, disrupts Internet services and can even threaten information security. There can be serious consequences, so every government agency, private corporation and individual is obligated to prevent this from happening.
The Taiwan Network Information Center (TWNIC) has been actively promoting Resource Public Key Infrastructure (RPKI) with the aim of enhancing Internet routing security since the official signing of TWNIC RPKI Certificate Authority (CA) with the Asia Pacific Network Information Center (APNIC) on September 28, 2018. This is to address security concerns caused by IP address prefix errors. Using RPKI, legitimate holders of number resources are able to control the operation of Internet routing protocols to prevent route hijacking and other attacks.
After two years of efforts, 98% of Taiwan’s IP address holders have completed the setting of RPKI Route Origin Authorization (ROA) in routers, the highest rate among the top 100 on the list of countries by IP address allocations. This marks the successful completion of TWNIC’s phase-one work of the RPKI project. To mark the achievement and to kick off the second phase of the project, TWNIC held Taiwan RPKI Day on September 28, 2020. At the event, TWNIC launched the RPKI Validator service and 46 IP members connected to the Validator server to test the service. They activated the RPKI function of the routers and connected to the TWNIC Validator server, after which they would be able to download the latest ROA data on a regular basis and perform route origin validation.
ROA setting rate reaches 98% in Taiwan, far ahead of industrial countries
According to Wei-Chung Teng, commissioner, National Communications Commission (NCC), RPKI plays an increasingly important role in ensuring smooth Internet routing and preventing BGP hijacking. TWNIC has put a lot of effort into promoting RPKI. Not only does it provide technical support, but it has also held six training sessions to guide members on RPKI configurations. These efforts generated impressive results in phase 1 of the project.
Teng expects the second phase of TWNIC’s RPKI promotion work to be a great success as well, much as Taiwan has made itself a role model for pandemic management. Taiwan has limited resources and is often subject to cyberattacks due to its geographical location. As such, rapid RPKI buildup should be a nationwide effort so as to ensure network routing in Taiwan is reliable, trustworthy and untampered.
TWNIC chairman Kenny Huang commented that, having promoted RPKI for two years, TWNIC issues CA Authorization when providing IP addresses to telecom operators and Internet service providers (ISPs) for validation of the route origin. The intention is to address increasing routing security threats. For example, about two years ago, a Google BGP error sent Internet traffic that should have been routed to Japan’s major telecom operators to Google. However, Google is not an ISP and thus does not provide transit services, so the Internet traffic ended up going nowhere. This resulted in an eight-hour Internet outage in Japan, disrupting online banking, public transport fare systems, gaming and a slew of other services. Taiwan can learn from the incident.
According to Huang, with growing information security awareness and strong support from NCC, TWNIC organized several meetings to encourage ISPs to participate in the RPKI project. Phase-one efforts created a 98% ROA setting rate, leading industrial countries, such as France (77%) and Germany (52%), by a wide margin.
Moving forward into the third phase – automatically filtering out illegitimate routes
APNIC director general Paul Wilson offered his congratulations on Taiwan RPKI Day in a video. He said that after the signing of TWNIC RPKI CA with APNIC two years ago, TWNIC could start to use RPKI Digital Certificates to protect the IP addresses under its management while allowing TWNIC members holding the certificates to protect their route declarations through ROA. This is a critical step on the way to Internet routing security. Taiwan currently has 98% of its IP addresses signed with ROA, which is a remarkable achievement.
Going into phase-two execution, about 46 operators will participate in the testing work, which represents the persistent support for Internet security by Taiwan’s Internet community. Paul Wilson disclosed that he is aware TWNIC is undertaking phase-three work – comprehensive route filtering. Such forward planning is impressive and serves as a role model for the rest of the world to follow. He urged Taiwan’s Internet community to follow TWNIC’s lead and take part in not only phase-two testing but also additional trial runs and field operations so as to build a reliable, secure and open Internet environment.
Huang reiterated that the Internet was designed to enable intercommunication, not with security as a top priority. Route declaration based purely on trust is blind and vulnerable to malicious hijacking. RPKI enables authentication and validation of route origin to catch malicious conduct. Then, filtering can follow to prevent hackers from arbitrarily broadcasting routes that they do not possess. TWNIC will monitor phase-two progress and move into phase three if participation in its Validation service is high, at which point it will encourage its IP members to activate automatic filtering, picking up the pace of building a secure Internet.
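The validate-then-filter sequence described above can be sketched in a few lines. This is an added example, not code from TWNIC or the original article; it follows the standard route origin validation states (valid, invalid, not-found), and the ROA entries, announcements and function names are constructed for illustration using documentation prefixes and AS numbers. Dropping only "invalid" routes is an assumed filtering policy.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """One validated ROA payload: prefix, maximum length, authorized origin AS."""
    prefix: str
    max_length: int
    origin_asn: int

# Constructed sample ROA data (documentation prefixes and AS numbers).
VRPS = [
    VRP("198.51.100.0/24", 24, 64500),
    VRP("2001:db8::/32", 48, 64496),
]

def validate(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A ROA only applies if it covers the announced prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs the authorized origin AND a length within maxLength.
        if vrp.origin_asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by a ROA but matching none of them: likely hijack or misconfig.
    return "invalid" if covered else "not-found"

def filter_routes(announcements, vrps=VRPS):
    """Assumed policy: drop 'invalid', keep 'valid' and 'not-found'."""
    return [(p, a) for p, a in announcements if validate(p, a, vrps) != "invalid"]

# Constructed announcements as (prefix, origin AS) pairs.
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),    # matches the ROA
    ("198.51.100.0/24", 64501),    # wrong origin AS
    ("198.51.100.0/25", 64500),    # more specific than maxLength allows
    ("203.0.113.0/24", 64502),     # no covering ROA
    ("2001:db8:1::/48", 64496),    # within maxLength 48
    ("2001:db8:1:1::/64", 64496),  # longer than maxLength 48
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:<20} AS{asn}  {validate(prefix, asn)}")
```

The third announcement shows why maxLength matters: the origin AS is the authorized one, yet the more-specific /25 is still rejected because the ROA does not permit it.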
Taiwan RPKI project has officially entered the second phase
DIGITIMES’ editorial team was not involved in the creation or production of this content.