Cloudflare wants internet route leaks to be a thing of the past

Internet outages happen all the time. If it’s not someone cutting through a cable in the street, it’s a massive denial-of-service attack pummeling a pillar of the internet with junk data.

There is another, more common cause: routing issues.

Internet routing isn’t sexy. But it’s a fundamental part of how the internet works. Routing relies on the border gateway protocol (BGP), which manages how internet traffic is routed the internet. BGP relies on trust between network operators to not send incorrect or malicious data. But mistakes happen, and malformed data can form a “route leak” that leads to confusion over where internet traffic should go, and can lead to massive outages.

Predictably, bad actors can take advantage of the overly trusting protocol in what’s known as a “route hijack.” By redirecting unencrypted traffic, it can be read and modified.

Now, Cloudflare wants routing issues to be a thing of the past by deploying a new feature to try to stop route leaks and hijacks in their tracks.

Cloudflare told TechCrunch that rolling out resource public key infrastructure (RPKI) to all of its customers for free will make it far more difficult to reroute traffic — either by accident or deliberately.

RPKI, in a nutshell, helps to ensure that traffic goes to the right place through a route that’s verified as legitimate and correct by using cryptographically signed certificates.

“When two networks connect with each other — say, AT&T and Verizon — they announce the set of IP addresses for which they should be sent traffic,” said Nick Sullivan, Cloudflare’s head of cryptography. “The RPKI is a security framework to make sure a network announces only its legitimate IP addresses.”

Cloudflare’s push in the right direction follows an effort by the National Institute for Standards and Technology, which last week published its first draft of a new standard, which incorporates RPKI as one of three components that will help prevent route leaks and hijacks. A possible approval is expected in the coming weeks.

RPKI isn’t perfect, though — it’s better at preventing leaks than hijacks, Cloudflare said, but called its move the “first milestone” in moving from trust-based to authentication-based routing.

Sullivan said pushing for RPKI will protect networks from fraudulently (or accidentally) directing traffic to the wrong place, “resulting in a safer and more stable internet.”

Right now, RPKI adoption hovers between about 8-9 percent, but less than 1 percent of networks are using strict RPKI validation.

Because it can only be effective if it’s deployed across a large swath of network operators. The company wanted to encourage a wider adoption of the technology by showing it can be done easily and cost efficiently.

With any luck, that might just be the kick that it needs.