Deployment of RPKI and BGP Origin Validation in Ecuador


Contributors: AEPROVI, LACNIC and Cisco Systems



Since September 5th 2013, all the network operators[1] in Ecuador have voluntarily registered their networks to be protected using the latest technologies approved by the Internet Engineering Task Force (IETF).  Additionally, the local Internet Exchange Point (IXP), NAP.EC, is now able to verify that ISPs do not announce unauthorized routing information to influence local traffic. This project has also been an opportunity to foster innovation and for capacity building in the local Internet Engineering community. The development of these human assets is an important step for the security of critical Internet resources. Network administrators in the Latin-American region and around the globe could learn from the results and lessons learned in this pioneer effort.


The Global Routing Security Challenge


The Internet global routing system relies on the Border Routing Protocol (BGP) protocol developed by the IETF in the early 90s. Thanks to this technology, the Internet has been able to become the great platform that we all use today. The original proposal for the protocol did not include any mechanism for an organization to explicitly manifest its right to use a set of IP addresses resources (either version 4 or 6.) Throughout its history, several incidents have been reported where part of the Internet traffic would be diverted to an incorrect destination when a network operator improperly announced routes to address space that was not allocated to it. In the vast majority of the cases, the incidents were not intentional but due to incorrect operational practices but still would affect Internet users and operators.


The IETF and the Regional Internet Registries (RIRs) have been working for almost a decade on a new architecture that would prevent or at least contain the majority of these incidents. This architecture consists of two elements: the Resource Public Key Infrastructure (RPKI) and the BGP origin validation. Thanks to these technologies, an RIR member (e.g. a LACNIC member) can make a cryptographic attestation (called Route Origin Authorization (ROA)) of who is authorized to use its IP addresses. Network operators around the globe have the option to configure their routers to perform filtering based on these attestations (i.e. the BGP origin validation.)



The role of Internet Exchange Points (IXP) in RPKI and BGP origin validation


One of the possible strategies for the insertion of security technologies is the creation of “islands of trust”, where the technology is fully deployed.


An Internet Exchange Point is a meeting point where a number of organizations (service providers, enterprises, content providers, etc.) exchange routing information. Implementing technologies such as RPKI and BGP origin validation at an IXP can help achieve the goal of creating an “island of trust”.



The RPKI and BGP origin validation project in Ecuador


AEPROVI (Asociación de empresas proveedoras de servicios de Internet, valor agregado, portadores y tecnologías de la información), manages since 2001 the local IXP infrastructure in Ecuador (NAP.EC) in two points of presence: Quito and Guayaquil. Thanks to this infrastructure, the local traffic is exchanged without the need to pay for expensive international connections. The operators connected directly to NAP.EC cover approximately 97% of the total Internet users in Ecuador. Moreover, if we consider that NAP.EC also allows the indirect interconnection of smaller service providers, the total exchanged traffic almost covers 100% of the total number of users and local traffic[2]. This statistic also reflects that the adoption of these new technologies by the NAP.EC and its community in practice means the full adoption in the country.


Since early September 2013, almost 100% of the local networks in Ecuador that are present at NAP.EC have registered their routing information at LACNIC’s RPKI system. Additionally, the routing infrastructure at NAP.EC has been updated with equipment that include the BGP origin validation functionality. Therefore, NAP.EC is enabled to monitor and assist the network operators in validating routing information.





The most common metrics to measure the impact of an RPKI deployment project are:

1.     Number of prefixes included in ROAs

2.     Size of IPv4 address space protected by cryptographic material (measured in percentage of the total space allocated to networks in Ecuador)

3.     Size of IPv6 address space protected by cryptographic material (measured in percentage of the total space allocated to  networks in Ecuador)




Plots of the evolution of prefixes included in ROAs for Ecuador


In all the metrics, the result is a consistent almost 100% adoption of RPKI in Ecuador.  Given its early adoption, NAP.EC is a global pioneer in assisting its members protect their resources.


The way forward


This pioneering project was only possible thanks to the strengths of the local Internet community, the trust gained by the NAP.EC management team and the commitment by the project partners.


The experiences gained during the project in Ecuador are an important source of lessons for the global Internet community.  This document is one of the steps taken to continue disseminating best practices to the rest of the broad Internet community.


Network Operators and IXPs in other countries and regions can use the lessons learned at the NAP.EC to help in deploying RPKI and BGP Origin Validation.


Previous RPKI contributions to CITEL

Member States can review the following reference documents related to RPKI at the Rappourtership of Internet Matters in the Permanent Consulting Committee I:

-       CCP.I-TEL/doc. 1611/09 – dated on May 4th 2009

-       CCP.I-TIC/doc. 2248/11 – dated on March 1st 2011



Find attached the slides presented at IEPG - IETF 88.


[1]The terms "network operator" and "operator" in this contribution refers to organizations that run networks and includes service providers, enterprises, academia, etc.

[2]Based on the statistics published by the “Superintendencia de telecomunicaciones de Ecuador” on its website, updated in June 2013: