ARIN to Take Down Its RPKI for 30 Minutes to Test BGP Routes
The American Registry for Internet Numbers Will Perform an Unannounced Maintenance of Its RPKI to Check if Networks Are Adhering to BGP Best Practices.
The decision comes as more and more networks are implementing Resource Public Key Infrastructure (RPKI) validation and signing of their BGP routes in an attempt to protect themselves against route hijacks and leaks.
RPKI is a cryptographic framework designed to secure the Internet’s routing infrastructure, focusing primarily on the Border Gateway Protocol (BGP).
So, the question ARIN is trying to answer is: what happens if the critical RPKI goes down?
The American Registry for Internet Numbers will perform around thirty minutes of unannounced maintenance on its RPKI in July, at an undisclosed date, in order to check whether networks are adhering to BGP best practices.
The thought process behind the drill is that if ARIN’s critical RPKI faces disruptions or outages, networks should be prepared to fall back to routing on unvalidated announcements, as this is one of the best practices described in RFC 7115.
ARIN is committed to being a valued resource for the member community by providing high availability services to organizations that rely on our products, including critical RPKI infrastructure operated by ARIN. We want to ensure that ARIN and the greater RPKI community are prepared in the unlikely event that access to ARIN’s RPKI repository becomes unavailable. To that end, we encourage operators utilizing ARIN’s RPKI repository data to follow the best practices as described in RFC 7115 / BCP 185 – specifically falling back to routing on unvalidated announcements (i.e. NotFound validity state) in the absence of RPKI data availability.
In order to achieve this goal, ARIN intends to conduct brief (30 minutes) unannounced maintenance during the month of July and encourages all organizations that take action based on RPKI route classifications to review their operational model before that time.
ARIN thanks you for your understanding as we take the necessary steps to keep our RPKI infrastructure running at peak performance, as expected by those who have embraced RPKI as a component to enhancing routing security. We encourage everyone to follow best practices in their use of RPKI so that it may become widely deployed in the internet community in a responsible manner.
The exercise is meant to prompt organizations that rely on ARIN’s RPKI route classification to review their operational model before next month.
ARIN is one of the five Regional Internet Registries (RIRs) that make RPKI work, alongside the other RIRs, which, much like ARIN, provide a way for members to take an IP-ASN pair and sign a ROA (Route Origin Authorization) record.
A Route Origin Authorization is a digitally signed object, part of the RPKI system, that lets anyone verify whether an IP address block holder has authorized an Autonomous System to originate routes to one or more prefixes within that address block.
More networks are adopting RPKI, therefore ARIN felt the need to encourage networks and Autonomous System owners to investigate and become more prepared with a fail-safe plan.
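As an added illustration (not code from ARIN or from the original article), the sketch below implements the RFC 6811 origin-validation states and compares an import policy that drops only Invalid routes with one that requires Valid. The VRP entries, ASNs and function names are constructed for the example, and the outage is modelled on the assumption that the validator no longer holds any ARIN-published data.

```python
import ipaddress

# Constructed sample data: validated ROA payloads (VRPs) as
# (prefix, max_length, origin_asn, trust_anchor). Documentation prefixes
# and documentation ASNs only.
VRPS = [
    ("192.0.2.0/24", 24, 64500, "ARIN"),
    ("198.51.100.0/24", 24, 64501, "RIPE NCC"),
]

def validate(prefix, origin_asn, vrps):
    """Classify a BGP announcement as Valid, Invalid or NotFound (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn, _ta in vrps:
        roa_net = ipaddress.ip_network(vrp_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        if asn == origin_asn and route.prefixlen <= max_len:
            return "Valid"
    # Covered but no VRP matched origin and length: Invalid.
    # Not covered by any VRP at all: NotFound.
    return "Invalid" if covered else "NotFound"

def without_trust_anchor(vrps, trust_anchor):
    """Model an outage: the validator no longer holds this repository's data."""
    return [v for v in vrps if v[3] != trust_anchor]

def accept(state, require_valid=False):
    """Import policy. The default drops only Invalid, so NotFound still routes."""
    if require_valid:
        return state == "Valid"  # fragile: fails closed when RPKI data is missing
    return state != "Invalid"

def reachable_prefixes(announcements, vrps, require_valid=False):
    """Return the announcements the import policy would accept."""
    return [a for a in announcements
            if accept(validate(a[0], a[1], vrps), require_valid)]

if __name__ == "__main__":
    routes = [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64501)]
    outage = without_trust_anchor(VRPS, "ARIN")
    for strict in (False, True):
        print("require_valid =", strict, reachable_prefixes(routes, outage, strict))
```

With the ARIN entries gone, the ARIN-covered prefix becomes NotFound for any origin: it stays reachable under the default policy, but origin validation no longer distinguishes the authorized AS from another one.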