DOI: 10.1145/3419394.3423622
Research article

On Measuring RPKI Relying Parties

Published: 27 October 2020

Abstract

In this paper, we introduce a framework to observe RPKI relying parties (i.e., those that fetch RPKI data from the distributed repository) and present insights into this ecosystem for the first time. Our longitudinal study of data gathered from three RPKI certification authorities (AFRINIC, APNIC, and our own CA) identifies different deployment models of relying parties and (surprisingly) prevalent inconsistent fetching behavior that affects Internet routing robustness. Our results reveal nearly 90% of relying parties are unable to connect to delegated publication points under certain conditions, which leads to erroneous invalidation of IP prefixes and likely widespread loss of network reachability.

Supplementary Material

MP4 File (imc2020-58-long.mp4)
John Kristoff presents a measurement study of RPKI Relying Parties. We survey the Relying Party landscape in the wild, identify inconsistent fetching behavior, and uncover conditions that could lead to erroneous invalidation of IP prefixes and likely widespread loss of network reachability.

Information & Contributors

Information

Published In

IMC '20: Proceedings of the ACM Internet Measurement Conference
October 2020
751 pages
ISBN: 9781450381383
DOI: 10.1145/3419394

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Internet
  2. Routing
  3. Security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • BMBF

Conference

IMC '20
IMC '20: ACM Internet Measurement Conference
October 27 - 29, 2020
Virtual Event, USA

Acceptance Rates

IMC '20 Paper Acceptance Rate 53 of 216 submissions, 25%;
Overall Acceptance Rate 277 of 1,083 submissions, 26%

Cited By

  • (2024) The Resource Public Key Infrastructure (RPKI): A Survey on Measurements and Future Prospects. IEEE Transactions on Network and Service Management 21:2 (2353-2373). DOI: 10.1109/TNSM.2023.3327455. Online publication date: Apr-2024
  • (2024) Improving Prefix Hijacking Defense of RPKI From an Evolutionary Game Perspective. IEEE Transactions on Dependable and Secure Computing 21:6 (5170-5184). DOI: 10.1109/TDSC.2024.3371644. Online publication date: Nov-2024
  • (2023) rpkiller: Threat Analysis of the BGP Resource Public Key Infrastructure. Digital Threats: Research and Practice. DOI: 10.1145/3617182. Online publication date: 25-Aug-2023
  • (2023) Poster: Longitudinal Analysis of DoS Attacks. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (3573-3575). DOI: 10.1145/3576915.3624382. Online publication date: 15-Nov-2023
  • (2023) Toward the mutual routing security in wide area networks. Computer Networks: The International Journal of Computer and Telecommunications Networking 230:C. DOI: 10.1016/j.comnet.2023.109778. Online publication date: 1-Jul-2023
  • (2023) Network architecture and ROA protection of government mail domains: A case study. Computer Communications 201 (143-161). DOI: 10.1016/j.comcom.2023.02.004. Online publication date: Mar-2023
  • (2023) RPKI Time-of-Flight: Tracking Delays in the Management, Control, and Data Planes. Passive and Active Measurement (429-457). DOI: 10.1007/978-3-031-28486-1_18. Online publication date: 10-Mar-2023
  • (2022) Behind the Scenes of RPKI. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (1413-1426). DOI: 10.1145/3548606.3560645. Online publication date: 7-Nov-2022
  • (2022) Assessing the RPKI Validator Ecosystem. 2022 Thirteenth International Conference on Ubiquitous and Future Networks (ICUFN) (295-300). DOI: 10.1109/ICUFN55119.2022.9829712. Online publication date: 5-Jul-2022
  • (2022) Smart RPKI Validation: Avoiding Errors and Preventing Hijacks. Computer Security – ESORICS 2022 (509-530). DOI: 10.1007/978-3-031-17140-6_25. Online publication date: 25-Sep-2022
