David A. Wheeler's Blog

Sat, 23 May 2020

Verizon still failing to support RPKI

On 2019-06-24 parts of the Internet became inaccessible because Verizon failed to implement a key security measure called Resource Public Key Infrastructure (RPKI). Here’s a brief story about the 2019 failure by Verizon, with follow-on details.

What’s shocking is that Verizon is still failing to implement RPKI. Verizon’s continuing failure continues to make it trivial for both accidents and malicious actors (including governments) to shut down large swathes of the Internet, including networks around the US capital. That’s especially absurd because during the COVID-19 pandemic we have become more dependent on the Internet. There have been many routine failures by accident or on purpose; it’s past time to deploy the basic countermeasure (RPKI) to deal with it. Verizon needs to implement RPKI, as many other operators already have.

The fundamental problem is that the Internet depends on a routing system called Border Gateway Protocol (BGP), which never included a (useful) security mechanism. Resource Public Key (RPKI) provides an important security mechanism to counter certain kinds of BGP problems (either by accident or on purpose). “Why it’s time to deploy RPKI” (RIPE NCC, 2019-05-17) is a short 2-minute video that explains why it’s past time to deploy RPKI.

Verizon already knows that they’re failing to support RPKI; here’s a complaint posted on 2020-04-19 7:16AM that Verizon wasn’t supporting RPKI. It’s clear RPKI is useful; “Visualizing the Benefits of RPKI” by Kemal Sanjta (2019-07-19) shows how RPKI really does help.

If you’re a Verizon customer, you can easily verify Verizon’s status via Is BGP safe yet?. The answer for Verizon users is “no”.

If your Internet Service Provider (ISP) doesn’t support RPKI, please nag them to do so. If you’re a government, and your ISPs won’t yet support RPKI, ask when they’re going secure their network with this basic security measure. It will take work, and it won’t solve all problems in the universe, but those are merely excuses for failure; those statements describe all things that should be done. RPKI is an important minimum part of securing the Internet, and it’s time to ensure that every Internet Service Provider (ISP) supports it.

path: /security | Current Weblog | permanent link to this entry