Routing Security

Routing Security at ARIN

Prioritizing routing security is no longer optional. In today's digital landscape, where Internet traffic crosses thousands of networks, strong routing security helps maintain trust and stability by preventing the disruptions and attacks that could compromise sensitive information or services.

Implementing a strong routing security policy is essential for companies that operate networks, because those networks provide access to the information that commercial businesses, research facilities, and institutions of higher learning rely on.

What is Routing Security?

Routing security refers to the set of practices, protocols, and technologies used to ensure data traversing the Internet follows the intended, legitimate path, protecting it from interception, manipulation, or misdirection. Misconfigured or malicious route announcements can lead to network outages and financial losses.

The primary goal is to protect the routing infrastructure from attacks such as route hijacks and route leaks, with most of the effort going toward addressing weaknesses in the Border Gateway Protocol (BGP).

Commonly Used Routing Security Tools

For many years, network operators have worked to make the Internet function seamlessly and to give their customers the best possible experience. Along the way, these operators recognized the need for a globally accessible place to document their routing intentions.

Today there are two routing security tools in use that are integral in maintaining the security and reliability of the Internet. These are the Internet Routing Registries and the Resource Public Key Infrastructure.

Internet Routing Registries (IRR)

IRRs are a broad ecosystem of databases that contain information — submitted and maintained by Internet number resource holders such as Internet service providers (ISPs) or other entities — about Autonomous System Numbers (ASNs) and routing IP prefixes. Operators create “route objects” in these databases to document their routing intentions.

ISPs can use IRRs to develop routing plans. For example, ISPs that run BGP can build access control lists (prefix filters) that permit or deny route announcements in their networks based on the registered route objects. This supports routing stability by letting operators determine which networks are authorized to announce specific IP address prefixes.

As part of the global IRR, the ARIN IRR provides a registry of Internet routing objects for resources in the ARIN region. ARIN’s IRR stores information in Routing Policy Specification Language (RPSL) objects. These objects are submitted to the ARIN IRR by resource holders such as ISPs and retrieved by other IRRs when ISPs in their region request ARIN routing information.
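As an added illustration (not ARIN's own code or data) of how route objects feed a prefix filter: the block below parses a small, constructed set of RPSL route/route6 objects, collects the prefixes registered for a given origin ASN, and decides whether an announcement from that ASN should be permitted. The AS numbers and prefixes are documentation examples, and the "more-specific up to /24 or /48" limit is a common operator convention, not an ARIN rule.

```python
import ipaddress

# Constructed RPSL route objects for illustration only (not data from the ARIN IRR).
SAMPLE_IRR = """\
route:      192.0.2.0/24
origin:     AS64496

route:      198.51.100.0/23
origin:     AS64496

route6:     2001:db8::/32
origin:     AS64496

route:      203.0.113.0/24
origin:     AS64497
"""

MAX_PREFIX_LEN = {4: 24, 6: 48}  # usual operator limit on accepted more-specifics

def parse_rpsl(text):
    """Split RPSL text into blank-line-separated objects of attribute -> value."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = (line.partition(":") for line in block.splitlines())
        objects.append({k.strip().lower(): v.strip() for k, _, v in attrs})
    return objects

def registered_prefixes(objects, origin_asn):
    """Prefixes of route/route6 objects whose origin attribute names origin_asn."""
    found = set()
    for obj in objects:
        prefix = obj.get("route") or obj.get("route6")
        if prefix and obj.get("origin", "").upper() == origin_asn.upper():
            found.add(ipaddress.ip_network(prefix, strict=True))
    return sorted(found, key=lambda n: (n.version, int(n.network_address), n.prefixlen))

def permitted(announced, origin_asn, objects, allow_more_specific=False):
    """Prefix-filter decision for one announcement a peer claims to originate from origin_asn:
    exact matches are permitted; more-specifics only if allowed and within MAX_PREFIX_LEN."""
    net = ipaddress.ip_network(announced, strict=True)
    for reg in registered_prefixes(objects, origin_asn):
        if reg.version != net.version:
            continue
        if net == reg or (allow_more_specific and net.subnet_of(reg)
                          and net.prefixlen <= MAX_PREFIX_LEN[net.version]):
            return True
    return False
```

Because IRR data carries no cryptographic chain of authority, a filter built this way is only as trustworthy as the registry entries behind it, which is the gap RPKI closes.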

IRR Summary

  • User-defined data in multiple separate third-party databases
  • Contains a mix of authenticated and non-authenticated data
  • No cryptographic chain of authority across the entire ecosystem
  • Long lived and widely deployed
  • Can contain outdated and incomplete data

Learn More About IRR Features at ARIN

Resource Public Key Infrastructure (RPKI)

RPKI is a specialized security framework designed to provide a more robust, cryptographically verifiable method of securing BGP.

RPKI uses cryptographically verifiable statements to ensure that Internet number resources are certifiably linked to the stated holders of those resources. This enables resource holders to attest which ASNs should originate their prefixes (i.e., blocks of IP addresses). Network operators can compare BGP announcements from the global Internet routing table with RPKI validity data to make informed decisions that enhance their routing security.

How Does RPKI Work at ARIN?

  1. Legitimate resource holders obtain a resource certificate from ARIN.
  2. That certificate allows resource holders to make cryptographically signed statements about the origin ASN of a prefix.
  3. Network operators fetch the signed data published by ARIN and validate it, confirming that the resource holdings and the origin statements are genuine.
  4. Network operators act based on this validation, enhancing security on a global scale.
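To show what step 4 looks like in practice, here is an added example (not ARIN's code) of the origin validation comparison described above: each announced prefix and its origin ASN are checked against a constructed list of Validated ROA Payloads (prefix, maxLength, origin ASN), yielding the RFC 6811 states valid, invalid, or not-found, and a sample policy then decides what to do with each announcement. The ROAs, AS numbers and local-preference values are all illustrative assumptions.

```python
import ipaddress

# Constructed Validated ROA Payloads (prefix, maxLength, origin ASN) for illustration only;
# in practice a relying-party validator derives these from the RIR repositories.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64496),
    ("2001:db8::/32", 48, 64496),
    ("203.0.113.0/24", 24, 0),  # AS0 ROA: holder states this prefix must not be originated at all
]

def rov_state(announced_prefix, origin_asn, vrps=VRPS):
    """RFC 6811 route origin validation: 'valid' if some covering ROA names this origin
    and permits this length, 'invalid' if ROAs cover the prefix but none match,
    'not-found' if no ROA covers it. AS0 never matches a real origin (RFC 7607)."""
    net = ipaddress.ip_network(announced_prefix, strict=True)
    covered = False
    for prefix, max_len, asn in vrps:
        roa = ipaddress.ip_network(prefix, strict=True)
        if roa.version != net.version or not net.subnet_of(roa):
            continue
        covered = True
        if asn == origin_asn and asn != 0 and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def apply_policy(announcements, vrps=VRPS):
    """A common operator policy: reject 'invalid', accept 'valid' at normal local preference,
    accept 'not-found' at a lower preference so a valid alternative path wins if one exists.
    announcements: list of (prefix, as_path) with the origin AS last in the path."""
    result = []
    for prefix, as_path in announcements:
        state = rov_state(prefix, as_path[-1], vrps)
        action = "reject" if state == "invalid" else "accept"
        local_pref = {"valid": 100, "not-found": 90, "invalid": None}[state]
        result.append((prefix, as_path[-1], state, action, local_pref))
    return result

# Constructed sample announcements as they might be received from a peer.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64500, 64496]),     # exact ROA match -> valid
    ("192.0.2.0/25", [64500, 64496]),     # longer than maxLength -> invalid
    ("198.51.100.0/23", [64500, 64496]),  # more-specific within maxLength -> valid
    ("192.0.2.0/24", [64500, 64497]),     # covered, but wrong origin -> invalid
    ("203.0.113.0/24", [64500, 64498]),   # AS0 ROA -> invalid
    ("198.51.96.0/20", [64500, 64496]),   # less specific than any ROA -> not-found
]
```

Note that a route shorter than every ROA covering part of it is not-found rather than invalid, which is why operators still pair RPKI with IRR filtering for prefixes that carry no ROA.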

RPKI Summary

  • Strong cryptographic control and chain of authenticity
  • Regional Internet Registries (RIRs) are the authoritative source and confirm data entered by resource holders
  • Accepted as the best available routing security tool today
  • Feature development ongoing
  • Planned for long-term support and use

Learn More About RPKI at ARIN

Linking RPKI and IRR Together

Feature         IRR                              RPKI
Primary Method  Database-driven policy records   Cryptographic certification
Artifact        Route objects                    Route Origin Authorizations (ROAs) or Autonomous System Provider Authorizations (ASPAs)
Trust Model     Based on registry accuracy       Based on digital signatures and PKI
Strength        Widely deployed and familiar     Stronger protection against hijacks

Global Use of RPKI and IRR

The five RIRs coordinate to promote global adoption of these tools. By using IRR and RPKI together, network operators can make better-informed judgements about the validity of route announcements and significantly limit the impact of configuration errors or the activities of nefarious actors.

DNS Security (DNSSEC)

While the Domain Name System (DNS) is invaluable to the Internet community, it is not without vulnerability. Attackers can create false DNS records, which may trick users into visiting fraudulent websites or downloading malicious software. DNSSEC protects the Internet from these kinds of attacks using public-key cryptography, allowing resolvers and users to validate that the DNS records they receive came from the correct source.

ARIN offers DNSSEC functionality in ARIN Online, and encourages customers to learn how they can use this tool to secure their records.

Reverse DNS

Reverse DNS is used to determine the domain name that is associated with a given IP address. The process of acquiring reverse resolution is accomplished using PTR records that are rooted in the in-addr.arpa domain. ARIN requires organizations to maintain their in-addr.arpa domain records. The ARIN Online delegation management tools and ARIN’s RESTful Provisioning system enable you to individually manage nameservers and to register Delegation Signer (DS) Resource Records for DNSSEC for each reverse delegation within both IPv4 and IPv6 networks. Visit Reverse DNS for more information.
