Internet2: Network Routing Security and RPKI Adoption in Research and Education
A Q&A with James Deaton
Where are we today with routing security, particularly for our research and higher education networks? How can we connect with resources that will not only inform but also help us proactively keep our networks safe from threats like route hijacking or route leaks that can result in costly outages and data loss?
James Deaton, vice president of network services at Internet2, leads the strategic direction and operations of Internet2's world-class network infrastructure in support of the U.S. research and education (R&E) community. Here, we ask Deaton about Internet2's initiatives and leadership efforts to promote routing security and RPKI adoption.
Mary Grush: Why should network routing security be included in the overall cybersecurity priorities for research and education networks?
James Deaton: This is an important question, given all the attention we have today on cybersecurity concerns. R&E networks play a critical role in the mission of higher education institutions, supporting teaching and learning as well as research and public service. Network routing security incidents can directly affect the reliability and resilience of those networks, impacting everything from academic programs and administrative functions to sensitive research collaborations. So, while data privacy and application security often take center stage, network routing security is also an essential part of cybersecurity.
While data privacy and application security often take center stage, network routing security is also an essential part of cybersecurity.
Grush: What's at stake if network routing security is compromised? How would a CIO or CISO see this?
Deaton: Prioritizing routing security as we do with Internet2 and within our R&E community helps protect against threats like route hijacking and leaks. These incidents can lead to outages and data loss, potentially bringing essential services to a full stop.
From the CIO's or the CISO's perspective, a network routing issue can mean extended downtime on the campus network and lost or compromised data. Academic programs can be disrupted, because of not having access to cloud-based services. Significant service interruptions may result in serious financial loss for the institution.
A network routing issue can mean extended downtime on the campus network and lost or compromised data.
These things can even damage an institution's reputation, which could ultimately hurt its ability to attract students and faculty, or researchers and funding if these types of incidents occur over time.
Let's take a recent example of what's at stake when Internet routing security is compromised. We saw, just this past July, a real-world incident where a commercial network outside of the U.S. hijacked IP addresses from a U.S.-based research and education network — and that disrupted key infrastructure and shut down some of the critical services within that R&E network, including the state's public-facing websites.
An incident like that illustrates how routing security breaches can have far-reaching impacts; from preventing student access to online resources, to disrupting ongoing research collaborations, to upending normal business processes.
Grush: What's the key thing that leaders of potentially affected R&E networks should focus on, to protect their organizations from all this?
Deaton: Routing security issues are pressing concerns, very obviously, for members of the R&E community. But they are not unique to the R&E community or to individual institutions.
One of the most important things to remember about network routing security is that it requires collective action. Protecting networks from common routing threats is in every institution's best interest. But you can't do it on your own. The full benefits of routing security best practices require widespread adoption — as we see with RPKI.
One of the most important things to remember about network routing security is that it requires collective action… you can't do it on your own.
Grush: Can you talk a bit more specifically about Resource Public Key Infrastructure — RPKI — how RPKI works as a key network routing security strategy?
Deaton: RPKI, Resource Public Key Infrastructure, is a framework that was introduced in 2008 to ensure the authenticity of Internet routing information. Network operators and IP address holders create cryptographically signed certificates — Route Origin Authorizations (ROAs), which are published in an RPKI registry. The registry serves to verify the identity of IP address holders, while the ROAs validate the Autonomous Systems (ASes) allowed to announce an organization's routing prefixes for those addresses. RPKI helps prevent issues with route configurations. Even simple errors and misconfigurations may disrupt services — it doesn't necessarily take a malicious attack.
RPKI helps prevent issues with route configurations. Even simple errors and misconfigurations may disrupt services — it doesn't necessarily take a malicious attack.
There's a lot of complex work going on in this space, with the development of RPKI standards coming from the Internet Engineering Task Force and others behind the framework and protocols. But I can offer a simple analogy to help illustrate how RPKI works.
The analogy that I'd like to borrow comes from AFRINIC, which is the Internet numbers registry for Africa. They put it this way: RPKI works much like a passport and visa system for Internet routing. Cryptographic certificates, provided by RPKI, act like passports, verifying the identity of IP address holders. And Route Origin Authorizations — ROAs — act as visas, authorizing the legitimate use of IP prefixes. It's like saying, "Here's who I am, and here's how I am authorized to operate." Without both elements, Internet routers won't announce route prefixes, thus preventing unauthorized traffic.
So by adopting RPKI-ROA, networked organizations can protect their IP addresses from hijacking and prevent route leaks. RPKI-ROA clearly contributes to the overall cybersecurity posture of connected networks — and more widespread adoption of RPKI means a more trusted and collaborative network ecosystem. RPKI adoption also lays the groundwork for Autonomous System Provider Authorization (ASPA) and Border Gateway Protocol security (BGPsec), future standards that will further enhance Internet security by leveraging RPKI's trusted infrastructure.
RPKI-ROA clearly contributes to the overall cybersecurity posture of connected networks — and more widespread adoption of RPKI means a more trusted and collaborative network ecosystem.
Grush: So is routing security with RPKI-ROAs becoming a recognized priority for most cybersecurity teams?
Deaton: With so many cybersecurity concerns facing any CIO or CISO, it can be understandably challenging to prioritize routing security. Furthermore, RPKI-ROA sometimes falls through the cracks between an organization's networking and cybersecurity teams. To address that problem, we need to provide increased focus on it.
Routing security incidents may not make news headlines like ransomware attacks or major data breaches, leading to a lack of urgency in addressing them. However, the impacts of routing security are real and significant.
Routing security incidents may not make news headlines… however, the impacts are real and significant.
Grush: Who has adopted RPKI-ROAs, in the higher education R&E space? Which organizations are the models and champions of routing security and RPKI-ROAs?
Deaton: I think it's fantastic that we've had, over the years since its 2008 introduction, some very strong early adopters of RPKI, including state and regional networks like Michigan's Merit Network and New Jersey's Edge. They have spent a lot of effort helping establish routing security within their networks and their communities. We also have higher education institutions like The George Washington University and Texas A&M University that have made great strides in this space. Some of these early adopters have been leveraging RPKI for more than a decade.
The 2008-2010 timeframe is when our own Network Technology Advisory Committee at Internet2 began referencing discussions and reporting on the rising interest within the community about RPKI and the actions that need to be taken to address it.
Grush: Could you comment on RPKI-ROA adoption rates, specifically what some of the more cited statistics mean in the context of R&E?
Deaton: I think it's important for the higher education community to understand that we've got some great momentum going. Right now, 226 of the Internet2-connected R&E networks are protecting their IP addresses using RPKI-ROAs.
Internet2 has been working with ARIN, the American Registry for Internet Numbers, to track the U.S. R&E community specifically so that we're able to give credible reports that show adoption status and highlight the IP addresses that still need to be protected by RPKI-ROAs.
For example, if you look across the IP addresses owned by any U.S. R&E organizations — whether Internet2 members or not — only about 24 percent of those R&E IPv4 addresses are protected by RPKI-ROAs. Then if you look globally at IPv4 addresses across all sectors — including R&E, commercial Internet service providers, and others — there's close to a 45 percent adoption rate. You can see that industry and other players are ahead of R&E in this space. And so, we're working to bridge that gap in the coming year. It's one of the main reasons we established our Internet2 Routing Integrity Initiative in 2022.
Going back to what I said earlier, we have 226 Internet2-connected R&E networks that have already adopted RPKI. With data from ARIN, we know that there are more than 800 additional R&E organizations currently in a position to adopt RPKI-ROAs. So we think closing the gap is achievable.
We have 226 Internet2-connected R&E networks that have already adopted RPKI… There are more than 800 additional R&E organizations currently in a position to adopt RPKI-ROAs.
We're working both internally and with our R&E network community to help build pathways for campus IT leaders to establish RPKI-ROAs — while we help address friction points through collaboration. That includes supporting a better understanding of the processes that ARIN has already established and made available to those 800-plus institutions. We're excited to see that we have a path forward, where we can hopefully help close the gap for RPKI adoption in R&E over the next year.
We're working both internally and with our R&E network community to help build pathways for campus IT leaders to establish RPKI-ROAs.
Grush: How can Internet2 bring together not only the R&E community in this effort, but also work with other organizations and resources that have relevance and an impact on routing security? First, how can the Internet2 Routing Integrity Initiative help?
Deaton: The "Internet2 Routing Integrity Initiative" moniker was coined by our community: Internet2 subject matter experts like Steven Wallace and the Internet2 membership. It is focused on every R&E network operator adopting routing security best practices.
So, when it was established, there were several elements included in the discussion flowing from the Internet2 Routing Integrity Initiative: routing security, as well as broadly hardening network devices, helping detect and mitigate distributed DDoS attacks, building resilient cloud connectivity — which is especially important and current for higher education institutions — and helping increase IPv6 deployment.
While we're talking specifically about RPKI here in this Q&A, the Internet2 Routing Integrity Initiative is focused on bringing together incredibly diverse sets of data to be able to understand the unique opportunities for the R&E community to address all aspects of routing security.
In this effort, we have a network of people in the community who support higher education institutions all across the U.S., as well as staff internally who stand by to be able to connect community leaders with information about the state of their organization's routing security maturity and to help close the gap in areas like RPKI-ROA adoption.
Through the Internet2 Routing Integrity Initiative, we've been producing a valuable set of resources that are publicly available, whether in reports, or webinars and conference presentations, or informative blog posts with technical details. The Internet2 Route Reports and free Internet2 Routing Integrity Assessment tool are easy to access and uniquely tailored to R&E.
The Internet2 Route Reports and free Internet2 Routing Integrity Assessment tool are easy to access and uniquely tailored to R&E.
At our Internet2 Technology Exchange event coming up in early December in Boston, we have several sessions and workshops associated with strengthening routing security. Whether it's analyzing route policies and configurations, creating RPKI-ROAs, or leveraging other resources and best practices, these sessions present a great opportunity to learn from and connect with community experts.
Grush: What's another good, current resource to start learning about RPKI?
Deaton: In September 2024, the White House Office of the National Cyber Director released a "Roadmap to Enhancing Internet Routing Security". It provides ample background and useful links, underscoring a growing recognition of the importance of routing security.
Grush: What about MANRS?
Deaton: MANRS — the Mutually Agreed Norms for Routing Security — stands out among the broader initiatives supporting routing security. MANRS brings awareness to routing security standards and engages in outreach to get everyone to participate. It has support from multiple industry, research, and higher education community participants. Working with MANRS, we've recognized that there's a truly great opportunity to leverage virtually the entire higher education community to work together, specifically for network routing security.
Working with MANRS, we've recognized that there's a truly great opportunity to leverage virtually the entire higher education community to work together, specifically for network routing security.
Grush: What actions are network operators able to take now, to adopt RPKI? Is there an easy way IP address holders in R&E can supply their data and adopt RPKI-ROAs?
Deaton: In the U.S., the process of RPKI adoption and creating an RPKI-ROA is facilitated through ARIN.
And for those 800-plus R&E institutions I mentioned earlier that are already qualified to create RPKI-ROAs, most of the work — at least the initial work — to be able to adopt RPKI is already in place. For them, creating an RPKI-ROA comes down to a pretty simple web form with only three fields. It takes less than 5 minutes to complete as long as the participant can identify and input accurate data — accuracy is essential and very critical to avoid causing a network outage in the process! But the good news is that no new hardware or hardware configuration is required.
If your readers would like to check whether their networked organization is one of those 800-plus that already qualify to adopt RPKI as Internet2-connected R&E institutions, they can check the list easily by e-mailing [email protected].
Grush: There's so much going on to support the adoption of RPKI… both from relevant organizations and from Internet2 membership.
Deaton: Yes, and I also want to call attention to one of our Internet2 members, N-Wave, which is the National Oceanic and Atmospheric Administration's network service provider. They've done a lot of work in this space as well. Recently they've seen that through their efforts, the U.S. Department of Commerce is beginning its own substantial implementation of RPKI across its networks and several bureaus. So it's just great to see that recent momentum that will carry us forward.
Given data from ARIN, along with other research input from sources as diverse as NIST and the NSF, I know we have a great opportunity together with our Internet2 community to build on some of our best collaborative aspects and increase RPKI adoption in the coming year. I would love to see the R&E community, through our initiatives and available resources, take the lead in the RPKI-ROA adoption rate. I think we have that opportunity.
[Editor's note: Image created with AI — Microsoft Image Creator by Designer.]