Resource Public Key Infrastructure (RPKI)

RPKI is a public key infrastructure framework designed to secure the Internet's routing infrastructure, specifically the Border Gateway Protocol (BGP). RPKI provides a way to connect information about Internet number resources (such as IP addresses and ASNs) to a trust anchor. Using RPKI, legitimate holders of number resources can control how those resources are used by Internet routing protocols, preventing route hijacking and related attacks. For more information, see RPKI – The required cryptographic upgrade to BGP routing.

RPKI on Internet Exchange

Equinix Internet Exchange Multi-Lateral Peering Exchange (MLPE) route servers use RPKI to validate all BGP prefixes advertised to them by customers against records of authority with the Regional Internet Registries (RIRs). We operate redundant cache servers in every Internet Exchange (IX) metro to facilitate the key validation, and we operate redundant validator servers in each region. This infrastructure model enables fast validation of routes and provides robust resiliency to maintain the service if RIR databases become unavailable.

Customer Visibility

Looking Glass, a route analytics tool on the IX Portal, can verify whether the IP prefixes that are advertised to the Equinix route servers are being validated. Equinix also advertises BGP communities to customers to indicate whether individual prefixes are valid.

RPKI on Bi-Lateral Peering Sessions

You can also use RPKI on bilateral peering sessions, although Equinix does not perform any of the validation for these sessions. Two IX participants can agree to use RPKI to protect a peering session between them, using their own method for validating the advertised prefixes.

MLPE Prefix Validation Process

This diagram shows how Equinix IX handles the process flow for MLPE prefix validation for IRR and RPKI.

  1. Prefix passed internal MLPE policies – The prefix has passed several internal checks, such as prefix length, Bogon, invalid ASN, and next hop.

  2. IRRDB – Internet Routing Registries (IRRs) are a collection of globally distributed databases (DBs) maintained by Regional Internet Registries (RIRs) and other operators. Many IRRs mirror each other's databases. IRRs contain Internet routing objects that describe Autonomous System Numbers, IP prefixes, ownership, and so on. Numerous entities use these objects to help define routing policies.

    Equinix requires customers to publish information related to their public IP prefixes in one of the IRRs. Equinix queries a minimum of one IRR with visibility into all the other major IRRs.

  3. RTBH – Remotely Triggered Black Hole (RTBH) filtering is a self-managed feature that enables you to block unwanted traffic before it enters the IX protected network. RTBH protects you from Distributed Denial of Service (DDoS) attacks.

  4. ROA Exists – A Route Origin Authorization (ROA) is a cryptographically signed statement that consists of a prefix, prefix length, maximum prefix length, originating ASN, and a validity date.

    If there is no ROA for the announcement, the status is Unknown/NotFound.

  5. ROA Valid – A ROA covers the announced prefix, and the announcement's originating ASN and prefix length match it (the prefix length does not exceed the ROA's maximum prefix length).

  6. ROA Invalid – A ROA covers the announced prefix, but not all parameters within the ROA match the announcement. For example, the originating ASN does not match, or the announced prefix is more specific than the ROA's maximum prefix length allows.
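The following is an added example, not Equinix code, showing how steps 4 through 6 are decided for a single BGP announcement: the Route Origin Validation logic of RFC 6811 evaluated against a small constructed set of ROAs (documentation IP ranges and example ASNs, not real authorisations).

```python
"""Route Origin Validation (RFC 6811) over a small, constructed ROA set.
Added example, not Equinix code; ROAs and announcements are constructed
for illustration and use documentation address ranges and example ASNs."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the ROA authorises
    origin_asn: int  # AS authorised to originate the prefix (0 = nobody)

def covers(roa, announced):
    """A ROA covers an announcement when both are the same address family
    and the announced prefix lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return (roa_net.version == announced.version
            and announced.subnet_of(roa_net))

def validate(prefix, origin_asn, roas):
    """Return 'Valid', 'Invalid' or 'NotFound' for one BGP announcement.

    - NotFound: no ROA covers the announced prefix.
    - Valid: at least one covering ROA names the origin ASN and the
      announced length does not exceed that ROA's max length.
    - Invalid: covering ROAs exist but none matches (wrong origin ASN,
      prefix more specific than max length, or an AS0 ROA).
    """
    announced = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "NotFound"
    for r in covering:
        if (r.origin_asn == origin_asn and r.origin_asn != 0
                and announced.prefixlen <= r.max_length):
            return "Valid"
    return "Invalid"

# Constructed ROA set (documentation ranges, example ASNs).
ROAS = [
    ROA("203.0.113.0/24", 24, 64496),   # AS64496 may announce exactly the /24
    ROA("198.51.100.0/24", 26, 64497),  # AS64497 may announce /24 down to /26
    ROA("192.0.2.0/24", 24, 0),         # AS0 ROA: nobody may originate this
]

if __name__ == "__main__":
    for p, asn in [("203.0.113.0/24", 64496), ("203.0.113.0/25", 64496),
                   ("198.51.100.64/26", 64497), ("198.51.100.0/24", 64498),
                   ("192.0.2.0/24", 64499), ("2001:db8::/32", 64496)]:
        print(f"{p:<20} AS{asn:<6} -> {validate(p, asn, ROAS)}")
```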