IT systems operated by the Dutch government must implement the RPKI standard by the end of 2024, making internet routing more secure. This was decided by the Overheidsbreed Beleidsoverleg Digitale Overheid (OBDO) on 30 March 2023. It means that not only new IT purchases but also existing IT systems will have to comply with the standard.
This is an English-language news item. A Dutch-language version is also available.
Resource Public Key Infrastructure (RPKI) is a technique that can be used to prevent route leaks and hijacks of internet traffic. In such incidents, internet traffic is diverted to a network that is not authorised to carry it. This can be the result of a configuration error, or of a deliberate attack aimed at making websites unavailable or at stealing data from internet users.
One example is the temporary hijack of IP addresses of the Ministry of Foreign Affairs in 2014 by a Bulgarian network operator. More recently, in 2019, traffic of KPN, among others, was rerouted through China Telecom. RPKI can prevent or contain this type of incident in the future. Note that RPKI validates the origin of a route announcement: it stops a network from announcing address space it is not authorised to originate, but it only helps when the networks that receive the announcement actually validate it and reject invalid routes.
How does RPKI work?
RPKI is an open standard for securing the routing of internet traffic. It uses digital certificates and signed Route Origin Authorizations (ROAs) that state which network, identified by its Autonomous System (AS) number, is authorised to announce a given block of IP addresses, and how specific that announcement may be. These objects are published in the repositories of the Regional Internet Registries, so network operators worldwide can fetch and cryptographically validate them and reject route announcements that contradict them. RPKI therefore protects the foundations of the internet.
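The check that a validating network performs on every incoming route announcement (Route Origin Validation, RFC 6811) is small enough to show in full. The block below is an added example, not code from the original article or from Forum Standaardisatie: it builds a hand-made set of validated ROA payloads (prefix, maximum length, authorised AS) and classifies BGP routes as valid, invalid or not-found, which is exactly what the validation step described later on this page asks a network operator to do. All prefixes (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) and AS numbers (64500 to 64511) are constructed sample data, not real allocations. The same logic is what the online validation tests on this page exercise from the outside.

```python
"""Route Origin Validation (RFC 6811) over a hand-built set of ROAs.

Added example, not part of the original article. All prefixes, ASNs and
ROAs below are constructed for illustration and are not real data.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Dict, List, Optional, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Vrp:
    """Validated ROA Payload: a prefix, the most specific announcement the
    holder permits (maxLength), and the AS authorised to originate it."""
    prefix: Net
    max_length: int
    origin_asn: int


def make_vrp(prefix: str, origin_asn: int, max_length: Optional[int] = None) -> Vrp:
    """Build a VRP; maxLength defaults to the ROA prefix length, as in RFC 6482."""
    net = ip_network(prefix, strict=True)
    return Vrp(net, net.prefixlen if max_length is None else max_length, origin_asn)


def validate(route_prefix: str, origin_asn: int, vrps: List[Vrp]) -> str:
    """Classify one BGP route as 'valid', 'invalid' or 'not-found'.

    valid     : some covering VRP matches the origin AS and the route is no
                more specific than that VRP's maxLength
    invalid   : at least one VRP covers the route but none matches
    not-found : no ROA says anything about this address space
    """
    route = ip_network(route_prefix, strict=True)
    covered = False
    for vrp in vrps:
        # A VRP covers the route when both are the same address family and the
        # announced prefix lies inside the ROA prefix (same or more specific).
        if route.version != vrp.prefix.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True
        if vrp.origin_asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def accept(state: str) -> bool:
    """The usual operator policy: drop 'invalid', accept 'valid' and 'not-found'.

    'not-found' is accepted because most of the internet still has no ROA;
    rejecting it would break reachability rather than improve security."""
    return state != "invalid"


# Constructed sample ROAs (hypothetical holder AS64500, backup origin AS64501).
SAMPLE_VRPS: List[Vrp] = [
    make_vrp("192.0.2.0/24", 64500),              # IPv4, no more-specifics allowed
    make_vrp("192.0.2.0/24", 64501),              # second ROA: AS64501 may also originate it
    make_vrp("2001:db8::/32", 64500, max_length=48),  # IPv6, /33 to /48 also allowed
]

# Constructed sample announcements: (prefix, origin AS) as seen in BGP.
SAMPLE_ROUTES: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64500),       # legitimate announcement
    ("192.0.2.0/24", 64501),       # legitimate backup origin
    ("192.0.2.0/24", 64511),       # hijack: wrong origin AS
    ("192.0.2.0/25", 64500),       # more-specific hijack-style leak: exceeds maxLength
    ("198.51.100.0/24", 64511),    # no ROA at all
    ("2001:db8:1::/48", 64500),    # within maxLength 48
    ("2001:db8:1::/49", 64500),    # too specific
]


def validate_table(routes: List[Tuple[str, int]], vrps: List[Vrp]) -> Dict[Tuple[str, int], str]:
    """Run ROV over a whole route table; returns {(prefix, asn): state}."""
    return {(p, a): validate(p, a, vrps) for p, a in routes}


if __name__ == "__main__":
    for (prefix, asn), state in validate_table(SAMPLE_ROUTES, SAMPLE_VRPS).items():
        action = "accept" if accept(state) else "REJECT"
        print(f"{prefix:<18} AS{asn:<6} {state:<9} -> {action}")
```

In production this role is played by a relying-party validator (for instance Routinator, rpki-client or FORT) that fetches and cryptographically verifies the ROAs and feeds the resulting VRPs to the routers over RPKI-to-Router (RTR); the classification and drop-invalid policy above is what the routers then apply per announcement.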
Requirement for new and existing systems
Since 2019, RPKI has already been required for governments under the 'comply or explain' principle. This applies to all new IT-related purchases. With the new decision, RPKI must also be implemented for all existing IT systems and services. In addition to publishing ROAs for their own address space, government networks must also validate the ROAs published by others and reject invalid routes.
Current use of RPKI
Forum Standaardisatie conducted a baseline measurement in December 2022. It showed that 77.9% of all government websites and 75.1% of all government email servers were already covered by RPKI. Comparing the different levels of government, it is mainly regional and local governments that still have steps to take in implementing RPKI.
“With this decision, the Dutch government shows they aim to support the reliability of the internet,” says Benno Overeinder, director at NLnet Labs and member of Forum Standaardisatie. “The implementation of these first RPKI-related measures will improve the availability of the digital government. It also provides a strong foundation for the future adoption of internet standards, to which my organization contributes daily.”
How to implement RPKI?
Publication of certificates:
- Test your website and email domain names with Internet.nl to check whether a valid ROA is published for every IP address they resolve to.
- If the test reports that a ROA is invalid or missing, contact the supplier of the IP addresses. Usually this is the website or email hosting provider. ROAs are created at the Regional Internet Registry (RIR) that allocated the address space; for European IP addresses this is RIPE NCC. Note that a ROA is not the same as a route object in an Internet Routing Registry (IRR): the IRR record does not provide RPKI protection.
Validation of routes:
- Test whether internet traffic from your network to other networks is subject to RPKI validation, so that invalid routes are not used. These tests can be run at https://isbgpsafeyet.com/ or https://rpkitest.nlnetlabs.net/; confirm the outcome with your network operator.
- If the tests indicate that RPKI validation is not applied, ask your network operator to implement it. RPKI validation is often not performed on the local network itself but on the upstream network that connects the local network to the internet, so the answer may come from further up the chain.