To improve the security and resilience of the Internet's global routing system, we are activating RPKI route origin validation and filtering on every IP Transit service link and every peering session with the Orange AS 5511 network.
You will be contacted by our operational teams before we intervene on the BGP sessions between your network and Orange's AS 5511.
If you have already created ROAs for your network's IP space, double-check that they are consistent with your BGP advertisements (origin AS, prefix and maximum length). If you have not done so yet, we encourage you to do it, in order to better protect the Internet.
IP Transit Blackhole options (On Demand Blackhole or Remotely Triggered Blackhole) are not impacted by the RPKI deployment in our network.
The Internet today has developed into a worldwide network. People and companies rely on it for their day-to-day communication, from shopping and entertainment to business-critical applications. As more services converge onto IP transport, the reliability and quality of IP transit have become an extremely important objective for Internet subscribers, Internet Service Providers (ISPs), and content and cloud service providers alike.
While IP carries the traffic, Border Gateway Protocol (BGP), an essential component of IP Transit, determines the path that IP packets follow. BGP is the standardized exterior gateway protocol used to exchange routing and reachability information among autonomous systems (AS) on the Internet. BGP builds and maintains the Internet routing table; however, it has no built-in way to verify that the AS announcing a prefix is actually authorized to originate it.
RPKI (Resource Public Key Infrastructure) is an IETF standard framework that provides an out-of-band system to validate the BGP routes advertised by the networks constituting the Internet. RPKI is one of the actions identified by the Mutually Agreed Norms for Routing Security (MANRS) global initiative in order to:
RPKI relies on public, cryptographically signed information. Holders of IP address space create signed objects called Route Origin Authorizations (ROAs), each stating which autonomous system (AS) is authorized to originate a given prefix. ROAs are published in the Regional Internet Registries' RPKI repositories, where anyone can fetch and verify them, and carry the following information: Autonomous System, Advertised prefix and Maximum Length.
Routers then perform a task called Route Origin Validation (ROV): validator software fetches and cryptographically verifies the ROAs and passes the resulting validated payloads to the routers over the RPKI-to-Router (RTR) protocol, so that each BGP prefix advertisement received can be compared against the covering ROA (if any).
ROV yields one of three states for each BGP prefix, which routers use to decide how to treat it: Valid (a covering ROA names the origin AS and the advertised prefix length does not exceed the ROA's maximum length), Invalid (one or more ROAs cover the prefix but none matches) and NotFound (no ROA covers the prefix). The two situations that produce an Invalid result are described below.
1. The origin AS of the BGP advertisement is not the AS authorized by the covering ROA. This could be a hijacking attempt.
BGP prefix                         | Covering ROA
ASN 65003; Prefix 192.168.1.0/24   | ASN 65020; Prefix 192.168.1.0/24; Max Length /26
2. The origin AS matches a covering ROA, but the advertised prefix is longer (more specific) than the maximum length allowed by that ROA.
BGP prefix                         | Covering ROA
ASN 65003; Prefix 192.168.1.0/24   | ASN 65003; Prefix 192.168.0.0/22; Max Length /22
(The /22 is written with its network address, 192.168.0.0/22; 192.168.1.0/22 has host bits set and is not a well-formed prefix, so a ROA could not be created for it.)
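The ROV comparison described above, and the check that your own ROAs are consistent with your advertisements recommended earlier on this page, as an added Python example (not Orange's code, nor a validator implementation): given a list of ROAs, it returns Valid, Invalid or NotFound per RFC 6811 for an announced (prefix, origin AS) pair. It covers both Invalid cases from the tables above and goes beyond them with Valid and NotFound outcomes, an IPv6 ROA and an AS 0 ROA. All ROAs, prefixes and AS numbers are constructed sample data; the /22 ROA from the second table is written with its network address, 192.168.0.0/22.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs.

Added illustration, not Orange's or any vendor's implementation. Prefixes,
ASNs and ROAs below are constructed sample data (private/documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"


@dataclass(frozen=True)
class ROA:
    """One ROA: AS `asn` may originate `prefix` and its more-specifics up to
    `max_length` bits. AS 0 means nobody may originate the prefix (RFC 7607)."""
    asn: int
    prefix: IPNetwork
    max_length: int


def make_roa(asn: int, prefix: str, max_length: Optional[int] = None) -> ROA:
    """Build a ROA; strict parsing rejects prefixes with host bits set."""
    net = ipaddress.ip_network(prefix)
    if max_length is None:
        max_length = net.prefixlen  # absent maxLength: exact prefix only
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(asn, net, max_length)


def covering_roas(roas: List[ROA], route: IPNetwork) -> List[ROA]:
    """ROAs whose prefix contains the announced prefix, whatever their AS or maxLength."""
    return [
        r for r in roas
        if r.prefix.version == route.version
        and route.prefixlen >= r.prefix.prefixlen
        and route.network_address in r.prefix
    ]


def validate(roas: List[ROA], prefix: str, origin_as: int) -> str:
    """RFC 6811 outcome for one announcement (prefix, origin AS)."""
    route = ipaddress.ip_network(prefix)
    covering = covering_roas(roas, route)
    if not covering:
        return NOT_FOUND          # no ROA covers the prefix: nothing to compare against
    for roa in covering:          # a single matching ROA is enough for Valid
        if roa.asn == origin_as and origin_as != 0 and route.prefixlen <= roa.max_length:
            return VALID
    return INVALID                # covered, but wrong origin AS or prefix too long


def accept_route(roas: List[ROA], prefix: str, origin_as: int) -> bool:
    """Common ROV filtering policy: reject Invalid, accept Valid and NotFound."""
    return validate(roas, prefix, origin_as) != INVALID


# Constructed ROA table: the two ROAs from the tables on the page (the /22 written
# with its network address, 192.168.0.0/22), plus an IPv6 ROA and an AS 0 ROA.
SAMPLE_ROAS = [
    make_roa(65020, "192.168.1.0/24", 26),
    make_roa(65003, "192.168.0.0/22", 22),
    make_roa(65003, "2001:db8::/32", 48),
    make_roa(0, "198.51.100.0/24"),
]

if __name__ == "__main__":
    announcements = [
        ("192.168.1.0/24", 65003),    # page examples: wrong origin AS, and too long for the /22 ROA
        ("192.168.0.0/22", 65003),    # matches the /22 ROA exactly
        ("192.168.1.128/25", 65020),  # /25 within maxLength /26 of the AS 65020 ROA
        ("192.168.1.0/27", 65020),    # /27 exceeds maxLength /26
        ("10.0.0.0/8", 65003),        # no covering ROA
        ("2001:db8:1::/48", 65003),   # IPv6, within maxLength
        ("198.51.100.0/24", 65003),   # covered only by an AS 0 ROA
    ]
    for pfx, asn in announcements:
        state = validate(SAMPLE_ROAS, pfx, asn)
        action = "accept" if accept_route(SAMPLE_ROAS, pfx, asn) else "reject"
        print(f"{pfx:20} AS{asn:<6} {state:9} -> {action}")
```

To check your own network, replace SAMPLE_ROAS with the ROAs you published and the announcement list with the prefixes you actually originate; every line that comes back Invalid is one that an ROV-filtering neighbour such as AS 5511 will drop. In production the ROA set is not hand-written but delivered to routers by a validator over RTR, and a ROA with host bits set (such as 192.168.1.0/22) is rejected by `ipaddress.ip_network` just as an RIR portal would reject it.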
Feel free to check the following documentation for further information about RPKI and BGP routing matters:
“I'm very pleased to hear that RPKI origin validation is now fully deployed in your network, and that, thanks to you, the internet routing table is now even more secure. You are clearly demonstrating leadership among the international providers. We're very happy to be one of your Partners!”