MaxLength Considered Harmful to the RPKI

Gilad, Yossi; Sagga, Omar; Goldberg, Sharon

doi:10.1145/3143361.3143363

Cited by 28 publications

(25 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Interestingly, we find that the use of MaxLength has been decreasing and only 11.2% of IP prefixes in VRPs use it in our latest snapshot. This aligns with a previous report [26].…”

Section: Too-specific Announcementssupporting

confidence: 94%

“…It has been argued that the use of MaxLength is harmful [24,26]. The reasoning is, that by allowing more specific announcements the prefix holder makes itself vulnerable to malicious hijacks where the origin ASN is spoofed by prepending it to the BGP path.…”

Section: Discussion 71 Maxlengthmentioning

confidence: 99%

“…The MaxLength attribute is therefore efficient, as it acts as a macro that allows a single ROA to match many sub-prefixes. Those sub-prefixes that are not actually advertised, however, but matched by the ROA can be vulnerable to forged-origin sub-prefix hijacks [24,26]. Thus, it is often recommended to use MaxLength only if all subprefixes are actually advertised in BGP.…”

Section: Max-lengthmentioning

confidence: 99%

“…Other studies focused on the security of RPKI; Gilad et al [26] pointed out that the MaxLength attribute of ROAs could weaken BGP security unless all sub-prefixes matched on an ROA with the MaxLength attribute were actually announced. Cooper et al [12] showed that sophisticated attacks on RPKI repositories could cause transient failures of RPKI, thus taking some IP prefixes offline.…”

Section: Related Workmentioning

confidence: 99%

See 3 more Smart Citations

RPKI is Coming of Age

Chung

Aben²,

Bruijnzeels

et al. 2019

Proceedings of the Internet Measurement Conference

View full text Add to dashboard Cite

Despite its critical role in Internet connectivity, the Border Gateway Protocol (BGP) remains highly vulnerable to attacks such as prefix hijacking, where an Autonomous System (AS) announces routes for IP space it does not control. To address this issue, the Resource Public Key Infrastructure (RPKI) was developed starting in 2008, with deployment beginning in 2011. This paper performs the first comprehensive, longitudinal study of the deployment, coverage, and quality of RPKI. We use a unique dataset containing all RPKI Route Origin Authorizations (ROAs) from the moment RPKI was first deployed, more than 8 years ago. We combine this dataset with BGP announcements from more than 3,300 BGP collectors worldwide. Our analysis shows the after a gradual start, RPKI has seen a rapid increase in adoption over the past two years. We also show that although misconfigurations were rampant when RPKI was first deployed (causing many announcements to appear as invalid) they are quite rare today. We develop a taxonomy of invalid RPKI announcements, then quantify their prevalence. We further identify suspicious announcements indicative of prefix hijacking and present case studies of likely hijacks. Overall, we conclude that while misconfigurations still do occur, RPKI is "ready for the big screen," and routing security can be increased by dropping invalid announcements. To foster reproducibility and further studies, we release all RPKI data and the tools we used to analyze it into the public domain.

show abstract

“…Interestingly, we find that the use of MaxLength has been decreasing and only 11.2% of IP prefixes in VRPs use it in our latest snapshot. This aligns with a previous report [26].…”

Section: Too-specific Announcementssupporting

confidence: 94%

Section: Discussion 71 Maxlengthmentioning

confidence: 99%

Section: Max-lengthmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

RPKI is Coming of Age

Chung

Aben²,

Bruijnzeels

et al. 2019

Proceedings of the Internet Measurement Conference

View full text Add to dashboard Cite

show abstract

“…In addition, deploying these extensions is not trivial and requires trained staff [5] and financial investment, and (iii) Exposure of business relationships through peering agreements in the RPKI [4]. In addition, the RPKI faces implementation [10] and transparency [11] challenges.…”

Section: Introductionmentioning

confidence: 99%

IPchain: Securing IP Prefix Allocation and Delegation with Blockchain

Paillissé

Ferriol

García

et al. 2018

2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and I

View full text Add to dashboard Cite

We present IPchain, a blockchain to store the allocations and delegations of IP addresses, with the aim of easing the deployment of secure interdomain routing systems. Interdomain routing security is of vital importance to the Internet since it prevents unwanted traffic redirections. IPchain makes use of blockchains' properties to provide flexible trust models and simplified management when compared to existing systems. In this paper we argue that Proof of Stake is a suitable consensus algorithm for IPchain due to the unique incentive structure of this use-case. We have implemented and evaluated IPchain's performance and scalability storing around 150k IP prefixes in a 1GB chain.

show abstract

IRR Hygiene in the RPKI Era

Akiwate

Krenc

et al. 2022

Passive and Active Measurement

View full text Add to dashboard Cite

MaxLength Considered Harmful to the RPKI

Cited by 28 publications

References 14 publications

RPKI is Coming of Age

RPKI is Coming of Age

IPchain: Securing IP Prefix Allocation and Delegation with Blockchain

IRR Hygiene in the RPKI Era

Contact Info

Product

Resources

About