A Secure Public Internet? Is it Possible?

19 April 2023

The public Internet is a lot of things. It’s a low-cost connection for remote offices. It’s student access to countless public learning tools. It’s the delivery mechanism for the world’s knowledge to our devices. It’s every company’s lifeline to their customers.

For all the good the Internet delivers, we can agree that the Internet is not secure. Internet Service Providers (ISPs) worldwide are now starting to change that. To understand how, let’s quickly review what makes the Internet hum.

The Internet is an interconnected network of networks. The core foundation of the Internet is the interlinked networks of the largest Internet service providers (ISPs) – the “Tier-1s.” A Tier-1 ISP has access to the entire Internet without having to pay for IP Transit.

They do this through “peering”: settlement-free interconnections between ISPs that pass traffic from one network to another as needed to deliver each packet. These agreements are voluntary, unpaid, mutually beneficial, bilateral, direct to other Tier-1s or strategic networks, and serve the needs of their mutual customers and the Internet at large.

Through these “peering” arrangements, the Tier-1s exchange and transmit data between their networks, and smaller ISPs purchase Internet access from the Tier-1s. Peered Tier-1 ISPs maintain their networks by always ensuring adequate bandwidth to support the content and “eyeball” traffic exchanged between them.

The Internet wouldn’t work as cohesively without such inter-company cooperation. 

Interconnection through peering is just the first step. The next step provides the rules of how packets are exchanged – how routing occurs. All interconnected networks exchange packets according to the rules defined by a protocol called BGP – Border Gateway Protocol – the global Internet traffic routing system. 

BGP is one of the core protocols of the Internet. But it was not built with security in mind.

Resource Public Key Infrastructure (RPKI) is a “companion” technology created to make BGP routing more secure. It does this by validating the origin of route advertisements: RPKI lets network operators check that a BGP route advertisement is authentic and reject it when it originates from an unauthorized source.

RPKI – The Internet’s “Bouncer”

RPKI puts a keener eye on the announcements heading into an ISP’s network, ensuring they’re authorized. 

Imagine that you’re a bouncer at a nightclub, and a guest comes to the door claiming VIP status. You first ask for their name, obtain it, and check it against the information you have on your VIP guest list. If their name is found on the VIP guest list – you may let them in.

Or… as with RPKI, you may also require proof that they are who they said they are and ask for a form of ID which will match the details on their VIP pass. Only after they produce these items, and these items are validated, is the guest admitted. 

RPKI is the Internet’s club bouncer. When networks claim authority to announce routes (enter the club), the bouncer validates authority and identity against a virtual VIP pass. 

These VIP passes are the digital certificates published by the five global Regional Internet Registries (RIRs), and assigned to each club guest. The five RIRs are AfriNIC (Africa), APNIC (Asia-Pacific), ARIN (North America), LACNIC (Latin America), and RIPE NCC (Europe, Middle East, and Central Asia). The certificates are published in the RPKI (our bouncer’s list).

RPKI checks this digital certificate against the information in its system. If this digital VIP pass is recognized and signed by a trusted authority, it’s allowed access.

Like the Whole Internet, RPKI takes Cooperation to Work

RPKI validation occurs in two directions: by both the originating network and the receiving network. Similar to the voluntary good behaviour of peering, RPKI also requires voluntary good behaviour from peered ISPs in order to protect all Internet users. The protection of verifying origin identity becomes most meaningful when networks “sign” or identify their own route origins, and when they validate the origins of the traffic destined for their networks.

As a Tier-1 ISP, Zayo understands the responsibility of maintaining sound, balanced, and well distributed peering. We also take to heart the responsibility of adopting technologies like RPKI to make the entire Internet safer. Zayo is proud to be among the Tier-1 ISPs to embrace this technology, first by validating the route origins of traffic entering our network, and later this year by “signing” – creating and attaching digital signatures to our own routes to ensure their authenticity. 

Beyond the initial foundation described here, RPKI’s ultimate promise is still ahead. The foundation is built and is being adopted by ISPs worldwide. It will yield future improvements, such as Autonomous System Provider Authorization (ASPA) objects, adding autonomous system (AS) paths, and ultimately BGPsec, in which BGP will include signed advertisements.

Specifically, what does RPKI currently do?

RPKI technology guards against route hijacking. BGP route hijacking is a common attack where the attacker (club guest claiming VIP status) announces a false route (presents a forged ID or VIP pass, pretending to be who they are not) in order to divert traffic to the attacker’s own network. Why would they do this? Because the diverted traffic contains the sorts of desired information that can be used for malicious intent, information such as account numbers, passwords, or other personal details.
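As an added illustration (not Zayo's code and not part of the original post), the sketch below implements the route origin validation decision from RFC 6811 that a receiving network applies to each announcement. The prefixes and AS numbers are constructed from documentation ranges, and the names `VRP`, `validate_origin` and `accept_routes` are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: the data a validator extracts from a signed ROA."""
    prefix: str      # address block the holder registered
    max_length: int  # longest prefix length that may be announced from it
    origin_as: int   # AS authorized to originate the block

# Constructed sample data (assumption): documentation prefixes and
# documentation AS numbers, not real ROAs.
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64497),
]

def validate_origin(route_prefix, origin_as, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # Only ROAs whose prefix covers the announced prefix are relevant.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if origin_as == vrp.origin_as and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by a ROA but matching none: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def accept_routes(announcements, vrps=VRPS):
    """Hypothetical import policy: drop 'invalid', keep 'valid' and 'not-found'."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, vrps) != "invalid"]

if __name__ == "__main__":
    sample = [
        ("192.0.2.0/24", 64496),     # legitimate origin
        ("192.0.2.0/24", 64511),     # same prefix, unauthorized origin
        ("192.0.2.128/25", 64496),   # more specific than max_length allows
        ("203.0.113.0/24", 64500),   # no ROA published for this space
    ]
    for prefix, asn in sample:
        print(prefix, f"AS{asn}", validate_origin(prefix, asn))
```

Origin validation checks only the prefix and the originating AS; it does not verify the rest of the AS path, which is the gap ASPA and BGPsec are meant to close.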

These attacks have real consequences. 

A Successful Hijack:

In 2018, a large-scale attack was launched against MyEtherWallet, a cryptocurrency wallet service. The attackers gained control of the BGP routers and were able to redirect traffic destined for MyEtherWallet to a phishing site hosted by the attackers’ own servers. The site looked identical to the MyEtherWallet site, so users had no idea they had been redirected. They entered their usernames and passwords, and with that, the attackers had access to their login credentials (and stole their funds). If the routes were properly validated using RPKI, the redirect would have been rejected and traffic would have continued to its real, intended destination.

More Successful Hijacks:

Very similar BGP hijack attacks hit cryptocurrency “bridging services” in 2022: Ronin Network ($600M stolen), Wormhole Network ($325M stolen), and Harmony Horizon Bridge ($100M stolen).

Outside of the obvious lucrative crypto attacks, BGP hijackers also target ISPs and DNS provider traffic in order to redirect users to their own servers. Why? To control access to certain sites, to intercept, monitor, and decode sensitive information within the traffic stream, or simply to disrupt Internet service. Since 2020, there have been over 1,400 BGP hijacking incidents – about 14 every day – and no matter the reason for the attack, the attackers seem to be succeeding in meeting their goals.

Accidental “Hijacks” – the Devastation of a Typo

BGP redirects aren’t always intentional or malicious. Accidental BGP redirects are called “route leaks” and can occur due to human programming errors, bugs in software, configuration issues, or other unintentional errors. For example, in 2019, a large portion of Verizon’s Internet traffic was accidentally redirected to pass through one of their customer’s IP networks. This customer, a small Pennsylvania metals manufacturer, found their system quickly overwhelmed, and Verizon’s IP users never reached their intended destinations. 

Because BGP always looks for the most efficient routing through the Internet, accidental miscoding or other errors can redirect many users, causing widespread outages, degraded performance, and interrupted trips to the most popular destinations such as Google, Facebook, YouTube, Amazon, Netflix, and other popular sites.

Like our club bouncer, RPKI provides the safeguards that can plug BGP’s security holes. Whether BGP redirects are intentional or accidental, RPKI will ensure that when ISPs route traffic, they’re routing it to pre-approved, authorized, and valid destinations.

Zayo Is Invested in Our Customers’ Success

In the past two years, Zayo has enhanced our network considerably, ensuring its performance for our customers. We are enhancing our network, expanding its reach, and modernizing our IP layer. Our priorities were simple: adding geographic coverage, keeping our customers – and ultimately their customers – safe, while delivering bandwidth flexibility in an automated fashion.

Zayo’s role in building RPKI into the foundation of the Internet is part of this overall network strategy. Another initiative is requiring two-factor authentication for any BGP routing changes customers request. Zayo is among the first Internet providers to tighten BGP security in this manner.

Summarized, Zayo’s most recent IP-related network updates include:

As the Internet as a whole becomes more secure, Zayo is proud to bring the promise of great IP performance and a more secure experience to the global Internet community.