The organization that manages Internet addresses in Europe and the Middle East has started issuing certificates to network operators to prevent routing snafus such as the one that made Google’s YouTube site inaccessible in 2008.
RIPE NCC, a nonprofit organization based in Amsterdam, is one of five Regional Internet Registries that are responsible for assigning blocks of Internet Protocol (IP) addresses and AS (Autonomous System) numbers to network operators.
Network operators can request a digital certificate for a range of IP addresses that proves that “RIPE NCC says they are the holder of that specific block number or range,” said Andrew de La Haye, the organization’s chief operations officer.
RIPE NCC uses an automated Web-based system to assign IP addresses. The form used by the system now includes a button that allows a digital certificate to be issued for an application. The program started Monday.
With certification, network operators can verify that IP addresses don’t belong to another network. Routing problems can occur if two networks claim the same set of addresses. The certificates are based on Public Key Infrastructure principles.
One of the most prominent examples of routing problems occurred in 2008 when Pakistan Telecom made an error with BGP (Border Gateway Protocol), the protocol routers use to exchange routes for Internet traffic.
The Pakistan government had ordered that ISPs block YouTube, but Pakistan Telecom misconfigured the block, making YouTube unreachable to users worldwide. That error would have been avoidable if Pakistan Telecom had a digital certificate, which would have shown that it did not control IP address prefixes that belonged to Google, de La Haye said. Subsequently, ISPs would not have followed the routing instructions.
In an incident earlier this year, a small ISP named IDC China Telecommunication made a routing error that was then propagated by the much larger network provider China Telecom, which caused a higher proportion of Internet traffic to flow through China than normal. The incident raised security concerns.
“It often happens that people make a mistake,” de La Haye said.
With certification, ISPs can create a filter in their routers that will block unauthorized traffic routes automatically, de La Haye said. ISPs previously could verify the routes were correct, but the process was manual. Router manufacturers are developing equipment that will check the certificates.
RIPE NCC has also developed open-source tools that can be used by its members in order to check certificates, de La Haye said.
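The filter described above can be sketched as follows. This is an added example, not RIPE NCC's tooling or any router vendor's code, and it leaves out the cryptographic verification of the certificates themselves. It assumes each certified block is paired with the AS number allowed to originate it, and the prefixes, AS numbers and accept/reject policy are constructed for illustration.

```python
import ipaddress

# Constructed table: documentation prefixes and documentation AS numbers
# standing in for certified blocks. Pairing each block with one origin AS
# is an assumption of this example, not a detail given in the article.
CERTIFIED = [
    ("203.0.113.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("2001:db8::/32", 64500),
]


def validate(prefix, origin_as, certified=CERTIFIED):
    """Return 'valid', 'invalid' or 'unknown' for one announcement."""
    net = ipaddress.ip_network(prefix)
    holders = set()
    for block, asn in certified:
        cert_net = ipaddress.ip_network(block)
        # A certificate speaks for the block and every more-specific prefix in it.
        if cert_net.version == net.version and net.subnet_of(cert_net):
            holders.add(asn)
    if not holders:
        return "unknown"  # nobody has certified this address space yet
    return "valid" if origin_as in holders else "invalid"


def filter_announcements(announcements, certified=CERTIFIED):
    """Split announcements into (accepted, rejected).

    Assumed policy: reject only 'invalid' and keep 'unknown', so address
    space that has no certificate yet stays reachable.
    """
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = validate(prefix, origin_as, certified)
        (rejected if state == "invalid" else accepted).append((prefix, origin_as, state))
    return accepted, rejected


# Constructed announcements as a router might receive them.
SAMPLE = [
    ("203.0.113.0/24", 64500),   # holder announces its own block
    ("203.0.113.0/25", 64511),   # another network announces a slice of it
    ("192.0.2.0/24", 64502),     # no certificate covers this block
    ("2001:db8:1::/48", 64511),  # same mistake on IPv6
]

if __name__ == "__main__":
    for label, rows in zip(("accepted", "rejected"), filter_announcements(SAMPLE)):
        print(label, rows)
```

The second sample row has the same shape as the misconfiguration described earlier: a network announcing part of a block it does not hold, which the filter drops without manual review.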
The four other Regional Internet Registries are also implementing certification systems that are based on open standards. Some RIPE NCC members, which are network operators in Europe, the Middle East and parts of Central Asia, have already generated certificates since the program started on Monday, de La Haye said.
The move to certification is also being supported by the European Telecommunications Network Operators’ Association, de La Haye said.