Origin Validation Operation Based on the Resource Public Key Infrastructure (RPKI)

Bush, Randy

doi:10.17487/rfc7115

Cited by 17 publications

(14 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A hijacker can intercept 100% of the tra c destined to any subpre x of 168.122.0.0/16 (up to length /24) except for those addresses in 168.122.225.0/24. For instance, to intercept all tra c for IP pre x 168.122.0.0/24, the hijacker performs a forged-origin subpre x hijack [6,9] by sending this BGP announcement:…”

Section: Forged-origin Subprefix Hijackmentioning

confidence: 99%

See 1 more Smart Citation

MaxLength Considered Harmful to the RPKI

Gilad

Sagga

Goldberg

2017

Proceedings of the 13th International Conference on Emerging Networking EXperiments and Technologies

View full text Add to dashboard Cite

User convenience and strong security are often at odds, and most security applications need to nd some sort of balance between these two (often opposing) goals. The Resource Public Key Infrastructure (RPKI), a security infrastructure built on top of interdomain routing, is not immune to this issue. The RPKI uses the maxLength attribute to reduce the amount of information that must be explicitly recorded in its cryptographic objects. MaxLength also allows operators to easily recon gure their networks without modifying their RPKI objects. Our network measurements, however, suggest that the maxLength attribute strikes the wrong balance between security and user convenience. We therefore believe that operators should avoid using maxLength. We give operational recommendations and develop software that allow operators to reap many of the bene ts of maxLength without its security costs.

show abstract

Section: Forged-origin Subprefix Hijackmentioning

confidence: 99%

“…Unlike the forged-origin subpre x hijack, this attack does not allow the hijacker to attract all of the tra c, and is thus signi cantly less e ective [16]. RFC 7115 [6]…”

Section: Forged-origin Subprefix Hijackmentioning

confidence: 99%

MaxLength Considered Harmful to the RPKI

Gilad

Sagga

Goldberg

2017

Proceedings of the 13th International Conference on Emerging Networking EXperiments and Technologies

View full text Add to dashboard Cite

show abstract

“…• There exists an AS-level PKI, that authenticates the public key of an asymmetric key pair ( , −1 ) for each participating AS and certifies its network resources; we rely on the SCION control-plane PKI [66] certifying AS numbers for a deployment in SCION and on RPKI [11] certifying AS numbers and IP address ranges for a deployment in today's Internet.…”

Section: Assumptionsmentioning

confidence: 99%

“…The main ideas behind PISKES are as follows. Autonomous systems (ASes) 1 can obtain certificates for their AS number and IP address range from a public-key infrastructure (PKI)-SCION's control-plane PKI [66] in a SCION deployment or the Resource Public Key Infrastructure (RPKI) [11] in today's Internet. PISKES uses such a PKI to bootstrap its own symmetric-key infrastructure.…”

Section: Introductionmentioning

confidence: 99%

PISKES: Pragmatic Internet-Scale Key-Establishment System

Rothenberger

Roos²,

Legner

et al. 2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Denial-of-service attacks have become increasingly prevalent in the Internet. In many cases they are enabled or facilitated by the lack of source authentication-it is often easy for an attacker to spoof its own IP address and thus launch reflection attacks or evade detection. There have been attempts in the past to resolve this issue through filtering or cryptography-based techniques; however, there is still no sufficiently strong system in place today-all proposals either provide weak security guarantees, are not efficient enough, or lack incentives for deployment. In this paper we present PISKES, a pragmatic Internet-scale key-establishment system enabling firstpacket authentication. Through the PISKES infrastructure, any host can locally obtain a symmetric key to enable a remote service to perform source-address authentication. The remote service can itself locally derive the same key with efficient cryptographic operations. PISKES thus enables packet authentication for a wide variety of systems including high-throughput applications like DNS. We have implemented a prototype system that enables a DNS server to verify the source of every received packet within 85 ns, which is over 220 times faster than a system based on asymmetric cryptography. PISKES has been developed for the SCION secure Internet architecture but is also applicable to today's Internet. With its strong source-authentication properties and highly efficient operation it has the potential to finally bring network-layer authentication to the Internet.

show abstract

“…If route origin validation is implemented, the reader SHOULD refer to the rules described in RFC 7115 [15]. In short, each external route received on a router SHOULD be checked against the Resource Public Key Infrastructure (RPKI) data set:…”

Section: Sidr -Secure Inter-domain Routingmentioning

confidence: 99%