
NYIIX RPKI User Guide

This user guide provides an overview of the NYIIX Resource Public Key Infrastructure filtering service (“IIX RPKI”) to guide your understanding of its operation, capabilities, and benefits.


Benefits of RPKI in fighting route hijacking:

On the Internet, it is common to advertise the prefixes of the network you manage with BGP and so inform other networks of the route to those prefixes. However, if the wrong prefixes are advertised to other networks, due to misconfiguration or otherwise, traffic for those prefixes will be routed to the wrong destination. Such a situation is called route hijacking.

RPKI stands for Resource Public Key Infrastructure, which can be used to support secure Internet routing and prevent route hijacking.

RPKI can be used to prove that given prefixes belong to you. You prove it by obtaining a certificate signed by the organization that assigned those prefixes (ARIN, RIPE NCC, or another regional Internet registry). With this signed certificate, you can prove to a third-party organization such as NYIIX that the prefixes really belong to you and that you are authorized to announce them to our route servers.

Figure: RPKI Infrastructure Diagram (IIX RPKI filtering service)

How IIX RPKI Works: (In a Nutshell)

  1. RPKI validation means that a validator checks each announced route against the existing ROAs.
  2. ROA stands for Route Origin Authorization, which ties the prefixes to the originating autonomous system. It also describes whether the prefixes are to be announced in bulk or whether sub-announcements are allowed. For example, it could look like this:
    • Origin AS: AABBCC
    • Prefixes:
      • XXX.XXX.XXX.XXX/24 (max length /32)
      • YYY.YYY.YYY.YYY/24 (max length /24)
      • ZZZ.ZZZ.ZZZ.ZZZ/20 (max length /24)
  3. The NYIIX route servers will query this validator, resulting in one of the following three values:
    • Valid: A ROA is present and the BGP announcement is covered by it (originating AS, prefix, and prefix length all match the ROA). This is the best state.
    • Invalid: A ROA covering the prefix is present, but the originating AS is different or the prefix length exceeds the ROA's maximum length. The route cannot be considered safe.
    • Unknown: No ROA is present; the NYIIX route servers will still distribute the route if it is successfully checked against the IRRDB data.
  4. The NYIIX route servers can operate in one of the following three filtering modes:
    1. IRRDB Filtering only mode (default)
      • This is the current setup. The routes through the NYIIX route servers are filtered based on IRRDB only.
    2. IRRDB Filtering plus RPKI tagging mode
      • The routes through the NYIIX route servers are filtered based on IRRDB and, in addition, tagged with the following communities based on RPKI data.
      • You can filter them out on your own devices.
        • Valid routes: 13538:65011
        • Invalid routes: 13538:65021
        • Unknown routes: 13538:65031
    3. Dual (IRRDB and RPKI) Filtering mode
      • The routes through the NYIIX route servers are filtered by IRRDB first and then further filtered by RPKI data.
      • In terms of RPKI filtering, only Valid routes and Unknown routes are announced to your devices; Invalid routes are dropped. The routes announced to your devices are tagged with the above communities for your reference.
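As an added example (not NYIIX's own code), the following Python implements the three validation states described above, as RFC 6811 route origin validation, and the announce/tag decision for each of the three NYIIX modes. The ROA set, ASNs (private-use range) and prefixes (documentation ranges) are constructed for illustration; the community values are the ones listed on this page.

```python
import ipaddress
from dataclasses import dataclass

# Communities the page lists for RPKI tagging (13538 is the NYIIX route-server ASN).
RPKI_COMMUNITY = {"valid": "13538:65011",
                  "invalid": "13538:65021",
                  "unknown": "13538:65031"}

@dataclass(frozen=True)
class ROA:
    origin_as: int   # authorized originating AS
    prefix: str      # covered prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest announcement the holder allows

# Constructed ROA set using documentation prefixes and private-use ASNs.
ROAS = [
    ROA(64496, "192.0.2.0/24", 24),       # exact /24 only
    ROA(64497, "192.0.2.0/24", 24),       # a second AS is also authorized
    ROA(64496, "198.51.100.0/24", 32),    # sub-announcements allowed
]

def validate(prefix: str, origin_as: int, roas=ROAS) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'unknown'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "unknown"                   # no ROA covers this prefix at all
    for roa in covering:
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "valid"                 # any one matching ROA suffices
    return "invalid"                       # covered, but wrong AS or too long

def route_server_decision(mode: str, irr_ok: bool, rpki_state: str):
    """Return (announced, community) for the three NYIIX filtering modes."""
    if not irr_ok:
        return False, None                 # IRRDB filtering applies in every mode
    if mode == "irrdb":
        return True, None                  # default: no RPKI involvement
    if mode == "irrdb+rpki-tag":
        return True, RPKI_COMMUNITY[rpki_state]
    if mode == "dual":
        if rpki_state == "invalid":
            return False, None             # Invalid is dropped, not just tagged
        return True, RPKI_COMMUNITY[rpki_state]
    raise ValueError(f"unknown mode: {mode}")
```

Note that a more-specific announcement within a ROA's maximum length (the 198.51.100.0/24 entry) validates, while one that exceeds it (a /25 under the 192.0.2.0/24 entry) is Invalid even though the origin AS is authorized.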

See RFC 6480 or ARIN for more details. In addition, there is an excellent FAQ on RPKI here.
