APNIC moves to block accidental BGP hijacks – Security

Network routes in the Asia-Pacific region are to be protected against bad route advertisements, with APNIC turning on a feature to pre-validate route information before it can be propagated across the Internet.

Enterprise system admins know too well what happens if a network operator mistakenly announces itself as the best route to their networks: traffic gets black-holed and they’re cut off from the Internet until the situation is resolved.

That’s because the Border Gateway Protocol (BGP), one of the Internet’s foundation protocols, was designed in an era when networks assumed other networks could be trusted.

Hence APNIC’s decision to implement what it calls Route Management Prevalidation (RMP): a check run by the registry, which records who is entitled to originate which address blocks, that warns an operator if a change they are about to submit would break something.

As APNIC’s blog post explained, “Users will receive warnings if they attempt to submit route management changes in MyAPNIC that would cause any of their current BGP announcements to be considered ‘RPKI-invalid’.

“Users can then make adjustments as required and avoid running into reachability issues and similar as a result.”

The author of that post, Tom Harrison, APNIC’s product and delivery manager for registry products, spoke to iTnews about how RMP will operate once it is enabled.

When a network operator submits a route management change to the registry, for example a rule saying that a given address block may be originated by AS124 (an Autonomous System number), “the system will basically determine the effect of having that rule,” he said.

Harrison said “if having that rule for AS124 would violate a rule for AS123”, the network operator will be warned before they proceed.

It’s as simple as a warning to the operator, “This is going to invalidate someone else’s announcement. Do you want to proceed?”, he explained.
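The check Harrison describes amounts to running RFC 6483 route origin validation twice, once against the registry’s current data and once against the data as it would look after the change, and reporting any announcement that flips to RPKI-invalid. The following is an added illustration of that logic, not APNIC’s code: the ROA and announcement records, the AS numbers 123 and 124 and the address blocks (all documentation prefixes) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Added example: RFC 6483-style route origin validation plus a prevalidation
# check of the kind the article describes. Not APNIC's code; all data below is
# constructed from documentation prefixes and the article's example ASNs.


@dataclass(frozen=True)
class ROA:
    prefix: str       # address block authorised, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the origin may announce
    asn: int          # authorised origin AS (0 means nobody may originate it)


@dataclass(frozen=True)
class Announcement:
    prefix: str       # prefix as seen in BGP
    origin_asn: int   # origin AS at the end of the AS_PATH


def validate(ann: Announcement, roas: Sequence[ROA]) -> str:
    """Route origin validation per RFC 6483.

    "not-found": no ROA covers the announced prefix.
    "valid":     a covering ROA names the same origin AS and its
                 max_length permits this prefix length.
    "invalid":   covered, but every covering ROA disagrees.
    """
    net = ipaddress.ip_network(ann.prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() raises TypeError across address families, so skip them
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def prevalidate(announcements: Sequence[Announcement],
                current_roas: Sequence[ROA],
                proposed_roas: Sequence[ROA]) -> List[Tuple[Announcement, str, str]]:
    """Simulate a route management change before it is published.

    Validates every current announcement against the ROA set as it is now and
    as it would be after the change, and returns those that would go from
    "valid" or "not-found" to "invalid". An empty list means the change is
    safe; anything else is the warning the article describes.
    """
    newly_invalid = []
    for ann in announcements:
        before = validate(ann, current_roas)
        after = validate(ann, proposed_roas)
        if before != "invalid" and after == "invalid":
            newly_invalid.append((ann, before, after))
    return newly_invalid


# --- constructed sample data (not from the article) ---

# What the registry holds today: AS123 has a ROA for one /24 only.
CURRENT_ROAS = [ROA("203.0.113.0/24", 24, 123)]

# What routers currently see in BGP.
ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", 123),   # covered and authorised
    Announcement("203.0.113.0/25", 123),   # longer than max_length 24: already invalid
    Announcement("198.51.100.0/24", 123),  # AS123 originates this with no ROA at all
    Announcement("2001:db8::/32", 123),    # IPv6, no ROA
]

# The change AS124's operator is about to submit: a ROA for a /22 that
# happens to cover 198.51.100.0/24, which AS123 is already originating.
PROPOSED_ROA = ROA("198.51.100.0/22", 24, 124)


def check_change(proposed: ROA) -> List[Tuple[Announcement, str, str]]:
    """Run the prevalidation for adding `proposed` to today's ROA set."""
    return prevalidate(ANNOUNCEMENTS, CURRENT_ROAS, list(CURRENT_ROAS) + [proposed])


if __name__ == "__main__":
    hits = check_change(PROPOSED_ROA)
    if not hits:
        print("OK: no current announcement would become RPKI-invalid")
    for ann, before, after in hits:
        print(f"WARNING: {ann.prefix} from AS{ann.origin_asn}: {before} -> {after}")
```

Only transitions into the invalid state are reported: the /25 that AS123 announces beyond its own ROA’s max_length is already invalid today and is not the new rule’s fault, whereas the ROA-less /24 goes from not-found (routers accept it) to invalid (routers doing origin validation would drop it), which is exactly the reachability problem the warning exists to prevent. Passing the full proposed ROA set rather than just the addition means the same function also catches a deletion or a max_length change that would strand a more specific announcement.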

For something as important as keeping the Internet’s routing infrastructure stable, letting the operator override the prevalidation warning might look, at first glance, like the wrong design.

That’s not the case, Harrison explained.

Prevalidation of this kind isn’t yet widely deployed: RIPE NCC (the registry for Europe, the Middle East and parts of Central Asia) is the only other registry running it, as far as Harrison knows.

So there are large portions of the Internet where bad route announcements can still be used for network disruption or espionage (for example, researchers suspected China of systematic network hijacks in 2018).

Harrison said a network operator needs to be able to override the route validation warning, so as to be able to reverse either accidental or deliberate hijacks.

The underlying check, route origin validation against RPKI data, was described in RFC 6483, published in 2012.

It has since been incorporated into the international network operators’ co-operative effort, Mutually Agreed Norms for Routing Security (MANRS), a set of agreements to adopt practices that prevent instability in the BGP system.
