New Internet.nl release adds RPKI test
Route leaks and hijacks
Resource Public Key Infrastructure (RPKI) is a technique that aims to prevent certain route leaks and hijacks. This concerns cases where Internet traffic is redirected to the systems of an unauthorized network. Such a detour may be the result of a simple typing error by a network administrator who thereby unintentionally diverts Internet traffic, or it may be the result of a targeted attack on the infrastructure of the Internet, for example, to make websites unreachable or to steal data from Internet users. A relevant Dutch example concerns an incident where a set of IP addresses belonging to the Ministry of Foreign Affairs was temporarily hijacked by a Bulgarian network operator in 2014.
Operation of RPKI
RPKI allows the legitimate holder of a block of IP addresses to publish a digitally signed statement declaring which network (autonomous system) is authorized to originate routes for those addresses. These statements, called Route Origin Authorizations (ROAs), can be cryptographically validated by other network administrators and then used to set up filters. This allows routers to filter out routes that violate the ROAs published for the IP addresses in question (invalid = reject).
RPKI thus requires action from two parties. First, the holder of the IP addresses must publish ROAs. Second, the party receiving routes from other networks via Border Gateway Protocol (BGP) must filter based on all globally published ROAs, where invalid routes should never be accepted or advertised.
RPKI Test in Internet.nl
First, the test checks whether at least one ROA has been published for each IP address. Then, it verifies whether the route announcement for each IP address is matched by one of the ROAs found. For now, the results of the RPKI test are not counted in the overall test score; they will be from early 2023. Later this year, the RPKI test will also be added to the API and dashboard of Internet.nl.
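The two checks described above, the ROA-existence check and the route-validity check, both rest on route origin validation as defined in RFC 6811. The following is an added example, not Internet.nl's or Routinator's own code; the VRP set and the BGP table it uses are constructed sample data (documentation prefixes and private-use ASNs), and the function names are this example's own. It goes slightly beyond the article by also showing the two outcomes that make a route "invalid" even though a ROA exists: an announcement more specific than the ROA's maxLength, and an AS0 ROA that authorizes no origin at all.

```python
"""Route Origin Validation (RFC 6811) and the two RPKI checks from the article.

Added example, not Internet.nl's or Routinator's own code. The VRPs and BGP
routes below are constructed sample data; in a real deployment the VRP set
comes from a relying-party validator such as Routinator and the routes from
BGP collectors.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maxLength and authorized origin ASN."""
    prefix: Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


def covered(v: VRP, route: Network) -> bool:
    """RFC 6811: the route prefix equals or is more specific than the VRP prefix."""
    return v.prefix.version == route.version and route.subnet_of(v.prefix)


def matched(v: VRP, route: Network, origin_asn: int) -> bool:
    """RFC 6811: covered, not longer than maxLength, and same origin ASN."""
    return covered(v, route) and route.prefixlen <= v.max_length and v.asn == origin_asn


def validate_route(vrps: Iterable[VRP], prefix: str, origin_asn: int) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement.

    With 'invalid = reject' filtering only 'invalid' routes are dropped;
    'not-found' routes (no ROA covers them) are still accepted, which is
    why publishing ROAs in the first place matters.
    """
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps if covered(v, route)]
    if not covering:
        return "not-found"
    if any(matched(v, route, origin_asn) for v in covering):
        return "valid"
    return "invalid"


# Constructed VRP set. The AS0 entry means: nobody may originate 198.51.100.0/24.
SAMPLE_VRPS: List[VRP] = [
    vrp("192.0.2.0/24", 24, 64496),
    vrp("2001:db8::/32", 48, 64496),
    vrp("198.51.100.0/24", 24, 0),
]

# Constructed BGP table: (announced prefix, origin ASN).
SAMPLE_ROUTES: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),      # legitimate origin
    ("192.0.2.128/25", 64496),    # same origin, but longer than maxLength 24
    ("2001:db8:1::/48", 64496),   # within maxLength 48
    ("198.51.100.0/24", 64497),   # forbidden by the AS0 ROA
    ("203.0.113.0/24", 64498),    # no ROA covers this prefix at all
]


def check_ip(ip: str, vrps=SAMPLE_VRPS, routes=SAMPLE_ROUTES) -> Dict:
    """Apply the two checks from the article to one address.

    roa_exists:   at least one ROA (VRP) covers the address.
    routes_valid: every BGP route covering the address is RPKI-valid.
    """
    addr = ipaddress.ip_address(ip)
    roa_exists = any(addr in v.prefix for v in vrps)
    statuses = {
        prefix: validate_route(vrps, prefix, asn)
        for prefix, asn in routes
        if addr in ipaddress.ip_network(prefix)
    }
    return {
        "ip": ip,
        "roa_exists": roa_exists,
        "routes": statuses,
        "routes_valid": bool(statuses) and all(s == "valid" for s in statuses.values()),
    }


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.200", "2001:db8:1::53",
               "198.51.100.25", "203.0.113.5"):
        print(check_ip(ip))
```

Note the case of 192.0.2.200: a ROA exists and the /24 announcement is valid, yet the address still fails the route-validity check because a more specific /25 announcement, even from the authorized ASN, exceeds the ROA's maxLength and is therefore invalid. This is the situation "at least one ROA found, but not all covering routes valid" that the test reports separately from "no ROA at all".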
Special thanks go to NCSC-NL for developing a large part of the new RPKI test and, in accordance with prevailing Dutch government policy ("open, unless"), making it available as open source. The foundation of the new RPKI test is formed by Routinator, open source RPKI Relying Party software developed by NLnet Labs.
In addition to RPKI, there are other, complementary techniques that make Internet routing more secure. The MANRS initiative provides an overview of best practices that we recommend to implement as well.
The test tool Internet.nl is an initiative of the Dutch Internet Standards Platform, which is a collaboration of partners from the Internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. The software code of Internet.nl is available under an open source license.
Release notes 1.5.0
- RPKI support (#613). For all IPs of all name servers, mail servers and web servers, this check looks for the existence of an RPKI ROA, and whether all BGP routes covering these IPs are valid. As this is a new check, the total score does not yet include RPKI results.
- Fixed issues with the IPv4/IPv6 consistency test for large pages (#665)
- Various dependencies updated (#721) (#725) (#695) (#688) (#712)
- Internal documentation improvements (#717)
- Small improvements in cache reset requests (#724)
- Small improvements in various test explanations.
- The privacy statement was updated to clarify the use of third party services.
Upgrading to 1.5 from 1.4.x
See the change overview for the steps to upgrade if you have your own deployment of the internet.nl codebase.