Josh Bailey, D. Pemberton, A. Linton, C. Pelsser, R. Bush
Title: Enforcing RPKI-based routing policy on the data plane at an internet exchange
Published in: Proceedings of the third workshop on Hot topics in software defined networking
Publication date: 2014-08-22
DOI: 10.1145/2620728.2620769 (https://doi.org/10.1145/2620728.2620769)
Citations: 14
Abstract
Over a decade of work has gone into securing the BGP routing control plane. Through all this, there has been an oft repeated refrain, "It is acknowledged that rigorous control plane verification does not in any way guarantee that packets follow the control plane." We describe what may be the first deployment of data plane enforcement of RPKI-based control plane validation. OpenFlow switches providing an exchange fabric and controlled by a Quagga BGP route server drop traffic for prefixes which have invalid origins without requiring any RPKI support by connected BGP peers.