Workonline deploys RPKI-based BGP Origin Validation to build a more secure Internet

 On 1 April 2019 Workonline Communications became the first African wholesale IP transit provider to deploy Resource Public Key Infrastructure (RPKI) Origin Validation (OV) to improve the security of Internet routing around the world. The company also leads the way globally, as one of the early adopters of the security technology.

 A specialised public key infrastructure (PKI) framework, RPKI is designed to secure the Internet’s routing infrastructure. Traditional PKI ensures the authentication of certain online activities such as ecommerce transactions, Internet banking or secure email by cryptographically validating that a specific public key belongs to a particular entity, via a digital certificate stored in a central registry. Successful authentication tells the user that, for instance, they are indeed interacting with their bank’s website and can confidently proceed with the transaction.

 RPKI, on the other hand, validates Internet number resource information, for instance autonomous system numbers and IP numbers, shared between the backbone networks that make up the Internet, to help ensure that online traffic doesn’t get hijacked or misdirected either intentionally or accidentally. RPKI OV adds a layer of security to the Border Gateway Protocol (BGP) so that when routing decisions are made, operators can more certain that the available routes are legitimate.

This means that Workonline’s customers can be confident that their Internet traffic will reach the destination it is intended for. At one end of the spectrum it stops traffic being misdirected because a human entered incorrect AS and IP numbers, and at the other extreme, it guards against criminals deliberately hijacking IP routes.

Thought leader and driving force behind the deployment of RPKI around the world, Job Snijders, Internet Architect at NTT Communications, says: “By joining global industry leaders such as AT&T and Cloudflare in deploying RPKI, Workonline is actively protecting its customers from mistaken and fraudulent routing. In addition, it is helping all other networks, whether or not they have a direct relationship. Workonline honouring RPKI ROAs published by other operators increases the security of Internet routing for all.”

“This security enhancement was a natural next step in our mission to connect Africa to the world and the world to Africa. As well as the clear security benefits, this ensures that our customers’ traffic to and from Africa is accurately and safely routed. Another win is that RPKI in fact helps prevent network performance degradation by ensuring higher quality routing by rejecting any invalid BGP announcements,” says Edward Lawrence, Director of Business Development at Workonline.

“The RPKI and the Origin Validation mechanisms have been around a long time, but large Internet network operators deploying at scale is a relatively new phenomenon. We’re hoping that by moving early, we will be able to gather some much needed operational experience that can be shared with the rest of the industry to accelerate adoption across the board. It’s a substantial advance in making the Internet a more secure and robust system” said Ben Maddison, Director of Network Operations at Workonline.  

Becoming a global leader in RPKI implementation is the latest milestone in Workonline’s overall commitment to Internet routing security improvement. Workonline was also the first African network to sign up to the Mutually Agreed Norms for Routing and Security (MANRS), a global initiative, supported by the Internet Society, that seeks to reduce the most common routing threats through cooperation among its members. Furthermore, Workonline regularly runs BGP training sessions to support its customers’ network engineers in maintaining high quality routing practices.

How does RPKI work?

RPKI resource certificates give network operators verifiable proof of ownership of a resource’s allocation or assignment by a Regional Internet Registry (RIR). Network operators can create cryptographically-verifiable statements — Route Origin Authorisations (ROAs) —  about the route announcements they authorise for the prefixes they own. Only the legitimate holder of the IP prefix can create a RPKI ROA using their resource certificate. Other network operators can use RPKI validator software to download and validate these ROAs, and then confidently use ROAs as input into their Internet route filtering.

It is an initiative driven by the global Internet industry, with Internet Engineering Task Force (IETF)-defined technical specifications. For more information on BGP Prefix Origin Validation: https://tools.ietf.org/html/rfc6811

About Workonline Communications

Workonline (AS 37271) is the fastest growing IP transit network in Africa, and one of the top three largest in Africa. The company is focused on providing highly scalable, high quality, and flexible service options to meet the needs of carriers, Internet service providers, content providers, and mobile operators. Visit www.workonline.africa, and follow us on Twitter, Facebook and LinkedIn.