Fastly drives improved internet routing security with global push to adopt RPKI

Rob Bushell

Staff Product Manager

Job Snijders

Principal Software Engineer, Fastly

Jeremiah Millay

Principal Network Engineer, Fastly

Joel Jaeggli

Network Architect

Did you know that Fastly supports and participates in the Internet Engineering Task Force (IETF) and is active in the operational community around the global adoption of Resource Public Key Infrastructure (RPKI)?  

In addition to active support and involvement in the global networking community's effort to adopt RPKI, Fastly has recently introduced routing security improvements to our own network.

Why are we driving IETF network security standards? Running critical customer workloads means our customers depend on Fastly to provide the best network security available and we take that trust seriously. Working to improve standards across the industry not only helps secure Fastly’s customers but also makes the Internet, as a whole, a more secure and safer place.

What is Internet Routing?

The Border Gateway Protocol (BGP) is used to announce the availability of routes to networks on the Internet, kind of like announcing that particular highway routes are available on a road system for traffic to traverse. If you need to get from point A to point B, you need to know there is a route and what that route is. The Internet is similar in that organizations need to announce routes to their services and servers by using BGP to announce pathways on the Internet. The BGP specification is maintained by the IETF following an open collaborative model.

Security and reliability concerns

BGP has been used to route Internet traffic for decades and is at the core of how the Internet works today, identifying the routes between organizations, ISPs, and content providers. BGP has flaws, not least of which is its susceptibility to hijacking. In a BGP hijack, one organization mistakenly or falsely announces someone else’s routes (IP address prefixes). Given how close the number keys sit to each other on a keyboard, it is not hard to imagine a typo slipping into a router configuration every so often. So while many hijacks have been identified as accidental operational errors, there is also a long history of concern that some redirection of traffic is deliberate and malicious. Security around who gets to make BGP announcements for which prefixes was long overdue!

What is RPKI?

RPKI offers a cryptographically verifiable way of certifying which networks are authorized to originate BGP announcements on the Internet. RPKI was introduced to address this security concern by allowing resource holders to publish Route Origin Authorizations (ROAs), which name the legitimate originator(s) of a set of prefixes into the global BGP table. On the other side of this certification process, network operators act as Relying Parties (RPs), processing the published ROAs to validate the route announcements they receive from BGP peers and transits.

How exactly validated RPKI data can be used to verify the BGP origin of prefixes in route announcements is described in RFC 6811. While the boilerplate might seem daunting at first, this is a very accessible and readable document and worth your time!
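The relying-party side of the process described above, Route Origin Validation as RFC 6811 defines it, is compact enough to show in full. The following is an added example written for this post; it is not Fastly's code, nor code from rpki-client or StayRTR. It models a small set of validated ROA payloads (the prefixes, ASNs and maxLength values are constructed sample data using documentation ranges) and classifies a route as Valid, Invalid or NotFound. The ROA constructor also rejects out-of-range ASN and maxLength values, and the AS 0 handling follows RFC 7607 (a route originated by AS 0 is never accepted); both of those checks are assumptions of this example rather than anything the post states.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set.

Added example for this post; not Fastly's, rpki-client's or StayRTR's code.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import List, Optional, Union

# 32-bit Autonomous System Numbers are 0..2^32-1; anything outside that
# range (negative, or larger) is a malformed ROA and must be rejected.
MAX_ASN = 4_294_967_295

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload entry: prefix, maxLength, origin ASN."""
    prefix: Network
    max_length: int
    asn: int

    def __post_init__(self) -> None:
        if not 0 <= self.asn <= MAX_ASN:
            raise ValueError(f"ASN out of range: {self.asn}")
        # maxLength may not be shorter than the prefix itself, nor longer
        # than the address family allows (32 for IPv4, 128 for IPv6).
        if not self.prefix.prefixlen <= self.max_length <= self.prefix.max_prefixlen:
            raise ValueError(f"maxLength out of range: {self.max_length}")


def parse_roa(prefix: str, max_length: Optional[int], asn: int) -> ROA:
    """Build a ROA; an absent maxLength defaults to the prefix length."""
    net = ip_network(prefix, strict=True)  # rejects host bits set past the mask
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)


def covers(roa: ROA, announced: Network) -> bool:
    """RFC 6811 'Covered': the route is within the ROA prefix (maxLength ignored)."""
    if announced.version != roa.prefix.version:
        return False
    return announced.subnet_of(roa.prefix)


def validate(roas: List[ROA], prefix: str, origin_asn: int) -> str:
    """Classify a (prefix, origin ASN) pair as Valid, Invalid or NotFound.

    Valid:    at least one covering ROA matches the origin ASN and the
              announced length does not exceed that ROA's maxLength.
    Invalid:  covering ROAs exist but none matches.
    NotFound: no ROA covers the prefix at all.
    """
    announced = ip_network(prefix, strict=True)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "NotFound"
    # AS 0 ROAs mean "nobody may originate this"; a route claiming to come
    # from AS 0 is itself disallowed (RFC 7607), so it can never match.
    if origin_asn == 0:
        return "Invalid"
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


# Constructed sample ROAs (documentation prefixes and private-use ASNs).
SAMPLE_ROAS = [
    parse_roa("192.0.2.0/24", None, 64496),       # exact /24 only
    parse_roa("2001:db8::/32", 48, 64496),        # /32 down to /48 allowed
    parse_roa("198.51.100.0/24", None, 0),        # AS 0: must not be announced
]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("2001:db8:1::/48", 64496), ("203.0.113.0/24", 64496),
                     ("198.51.100.0/24", 64496)]:
        print(f"{pfx:>20} AS{asn}: {validate(SAMPLE_ROAS, pfx, asn)}")
```

The distinction between Covered and Matched is the one to internalize: a more-specific announcement (the /25 above) is Covered by the /24 ROA but not Matched, so it comes back Invalid rather than NotFound, which is exactly what lets a ROA protect against more-specific hijacks of a prefix. The bounds checks in the constructor are where an implementation would enforce the integer ranges discussed later in this post.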

What has Fastly done so far?

Fastly has issued ROAs for all its IP address space. This helps other Internet providers ascertain the validity of route announcements for Fastly IP space. Fastlyans have made major contributions to various RPKI open source projects like rpki-client and StayRTR, sent comments in response to the FCC’s Notice Of Inquiry on Secure Internet Routing, and co-authored and contributed to a number of RPKI standards specifications such as RFC 9319, RFC 9323, RFC 9582, and RFC 9589.

One of Fastly’s own employees, Job Snijders, has been a key champion in the effort to roll RPKI out across the industry. Job has long been active in the Internet community pushing for the introduction of RPKI and has lectured, presented analysis, and developed standards & tooling to help shift the industry towards RPKI adoption and help the industry to close this global internetworking security gap. As of May 1st, 2024, more than 50% of the Internet’s routes are covered by ROAs!

RFC 9582 and RFC 9589 deserve special attention, as today marks their final approval and publication, in efforts driven by Job. While RFC 9589 outlines an optimization strategy for transporting RPKI data, RFC 9582 is a backward-compatible revision of the ROA specification that removes ambiguities, for example by forbidding unbounded positive and negative integer values, since an Autonomous System Number obviously cannot be a negative integer! An obscure detail perhaps, but clarifying boundaries helps with secure programming.

Looking Ahead

Customers using Fastly’s platform effectively outsource their Internet Routing to us, along with their content and workloads. For Bring Your Own IP (also known at Fastly as Subscriber Provided Prefix) customers, this is especially true. That level of trust is something we take very seriously. 

For the last few years, Fastly has required customers bringing their own IP addresses to install RPKI ROAs before we announce the prefixes (in addition to the widely used letter of authorization approach common to the industry). By driving industry-wide network security standards, we can do our part to help make the whole Internet a more secure and safer place, not just for our customers, but for everyone.