APNIC moves to block BGP fat-thumb outages

Network routes in the Asia-Pacific region are to be better protected against accidental bad route propagation, with APNIC turning on a feature to pre-validate route information before it can be propagated across the Internet.

Enterprise system admins know too well what happens if a network operator mistakenly announces itself as the best route to their networks: traffic gets black-holed and they’re cut off from the Internet until the situation is resolved.

That’s because the Border Gateway Protocol (BGP), one of the Internet’s foundation protocols, was designed in an era when networks assumed other networks could be trusted.

Hence APNIC’s decision to implement what’s called Route Management Prevalidation (RMP), a way for APNIC to alert an operator if something’s wrong that would make networks on their infrastructure unreachable.

As APNIC’s blog post explained, “Users will receive warnings if they attempt to submit route management changes in MyAPNIC that would cause any of their current BGP announcements to be considered ‘RPKI-invalid’.

"Users can then make adjustments as required and avoid running into reachability issues and similar as a result.”

By validating ROA changes when they happen, it should be possible to minimize RPKI-invalids.
See what APNIC is doing to help with this https://t.co/IFsDQs7xLx pic.twitter.com/7OPI0UI8Ko

— APNIC (@apnic) April 11, 2022

The author of that post, APNIC product and delivery manager – registry product, Tom Harrison spoke to iTnews about how RMP will operate when it’s enabled.

When a network operator tries to make a route origin authorisation (ROA), for example that they should receive traffic for 10.0.0.0/24 AS124 (IP address block in this Autonomous System number), “the system will basically determine the effect of having that ROA,” he said.

The ROA is a statement that the network (in this example, AS124) is permitted to make the specified announcement (10.0.0.0/24).  

Harrison said “if having that role for AS124 would violate an ROA”, the network operator will be warned before they proceed.

It’s as simple as warning an operator, “This is going to invalidate someone else’s announcement. Do you want to proceed?”, he explained.

For something as important as keeping the Internet’s routing infrastructure stable, it would look at first glance like leaving the operator able to override the prevalidation system is the wrong thing to do.

That’s not the case, Harrison explained.

Harrison told iTnews in an email that this doesn’t prevent a hijack, it can limit the effect of a propagated hijack, because networks performing Route Origin Validation should drop the bad information once they receive the new ROA.

To ensure a network can send the right route information requires that the manager be able to override the warning.

The route validation process was first described in Internet RFC 6483, in 2012. 

It has since been incorporated into the international network operators’ co-operative effort, Mutually Agreed Norms for Routing Security (MANRS), a set of agreements to adopt practices that prevent instability in the BGP system.

Updated: This story has been updated to clarify some of the technical detail.