Lumen enhances routing security with Resource Public Key Infrastructure (RPKI)

Ron Pfaff Posted On March 22, 2021
Customers should verify their IP indexes to prevent traffic from being dropped

When you clicked the link to read this blog, you triggered a series of actions that directed your data across the internet to this page using the most efficient path possible. All along the way, as the data traveled from there to here, it encountered dozens of potential offramps, each advertising that it was willing and able to get it (and you) here – to this blog.

Because there are about a million possible network routes around the world, the global internet has a standard protocol to determine the best possible route for every trip along a network. It’s called the Border Gateway Protocol (BGP), and it’s like the Google Maps of networking. Without it, traffic would not have a route to follow – let alone a path that steered it clear of accidents and speed traps. It would be a bit like driving from New York to Los Angeles at night. Without a map. And wearing a blindfold.

When BGP was built in 1989, it was based on a mutual trust between networks that advertised routes were safe, accurate and not maliciously altered. This model was sufficient in the early days of internet development; however, it has become increasingly vulnerable to configuration mistakes or abuse by malicious actors looking to redirect routes to achieve criminal objectives.

To help close this security loophole, a growing number of network providers have committed to enable Resource Public Key Infrastructure (RPKI). On March 25, 2021, Lumen will “flip the switch” and begin validating routes using RPKI on our global AS3356 internet core.

What is RPKI?

RPKI is a voluntary framework intended to secure internet routing infrastructure and prevent route hijacking and other inconsistencies. It does this by verifying that a specific system is authorized to use its stated IP prefixes. These authorizations – known as Route Origin Authorizations (ROAs) – occur at the Regional Internet Registry (RIR) level, so IP addresses are certifiably linked to a trusted authority.

IP service providers can use RPKI to validate IP route announcements, which helps ensure valid announcements are permitted and invalid announcements are dropped.

How RPKI works

Owners of IP addresses publish their RIR-certified ROAs, which state 1.) which autonomous system is authorized to originate certain IP prefixes and 2.) the length of those prefixes. RPKI validates the ROAs using BGP Route Origin Validation (ROV) – a process that verifies the originating system and prefix length published in the ROA.

Once implemented, Lumen will use RPKI route validation on all BGP sessions for both customers and peers. Lumen’s RPKI validation servers download the ROAs, examine them, then send the tables to routers that can determine the validity of an IP prefix. IP prefixes are then tagged and handled as follows:

| Tag | Meaning | Option |
| --- | --- | --- |
| Valid | IP prefix has a positive match against the ROA | IP prefix is permitted |
| Invalid | IP prefix does not match the ROA, whether by invalid prefix length or invalid origin ASN | IP prefix is dropped |
| Unknown | IP prefix is not in a ROA | IP prefix is permitted |

Enabling RPKI on the Lumen AS3356 internet core

Once RPKI is enabled and active on the Lumen network for both peer and customer BGP sessions, there will be no requirement or process to “order” RPKI because it will already be “on”.

  • Customers who have existing, established ROAs will immediately receive BGP Route Origin Validation via RPKI from Lumen.
  • Customers who establish new ROAs will receive BGP Route Origin Validation once the ROA is completed.
  • Customers who do not have ROAs will not be impacted, and BGP route announcements will operate as normal (unless that route is actually owned by another entity with an ROA that only permits their origin ASN).

Customers will not have the option to turn off or deactivate RPKI. All external customer and peer sessions will be validated, and we will not make exceptions or allow special, unverified sessions.

Make sure your IP prefixes don’t get dropped!

Customers should use the Lumen Looking Glass – https://lookingglass.centurylink.com to validate how their IP prefixes are being marked in the Lumen network. Invalid IP prefixes will be dropped for all peers and all customers beginning March 25.

community "rpki-valid" members "3356:901"
community "rpki-invalid" members "3356:902"
community "rpki-unknown" members "3356:903"

Additional resources

If you have questions about Lumen’s adoption of RPKI, please reach out to a member of your account team, or email RPKI Support. You can also visit the Lumen website to find additional information about RPKI including:

  • How to establish ROAs
  • Details about RPKI and Lumen DDoS Mitigation Service
  • Frequently asked questions

Author

Ron Pfaff

As Senior Vice President of Service Assurance at Lumen Technologies, Ron is responsible for global network technologies, infrastructure, and ensuring customer service. As a leading technology company, his team is committed to delivering solutions to an array of service and network obstacles. Lumen is the fastest, most secure platform for next-gen business applications and data and we are excited to offer high-end customer experiences.
