Rpkiller: Threat Analysis from an RPKI Relying Party Perspective

Koen, van Hove,; Ham, Jeroen van der; Rijswijk-Deij, Roland van

doi:10.48550/arxiv.2203.00993

Cited by 3 publications

(3 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Even worse, a malicious CA can create a large number of descendant RCs and operate numerous PPs to make RPs endlessly retrieve PPs, thus exhausting and paralyzing RPs. We find that Koen van Hove has demonstrated the feasibility of this attack by manipulating his PP (parent.rov.koenvanhove.nl) [55].…”

Section: B Data-driven Rpki Threat Analysismentioning

confidence: 88%

dRR: A Decentralized, Scalable, and Auditable Architecture for RPKI Repository

Su,

Li,

Chen

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Although Resource Public Key Infrastructure (RPKI) is critical for securing inter-domain routing, we find that its key component, the RPKI Repository, is under studied. We conduct the first data-driven analysis of the existing RPKI Repository infrastructure, including a survey of worldwide AS administrators and a large-scale measurement of the existing RPKI Repository. Based on the findings of our study, we identify three key problems. Firstly, misbehaving RPKI authorities can easily manipulate RPKI objects, and Internet Number Resources holders (INRs holders) and Relying Parties (RPs) can neither prevent malicious behaviors of misbehaving authorities nor hold them accountable. Secondly, RPKI Repository is sensitive to failures: An attack or downtime of any repository Publication Point (PP) will prevent RPs from obtaining complete RPKI object views. Finally, we identify scalability issues with the current RPKI Repository, which are expected to worsen with the further deployment of Route Origin Authorization (ROA).To address these problems, we propose dRR, an architecture that enhances the security, robustness, and scalability of the RPKI Repository while being compatible with standard RPKI. By introducing two new entities: Certificate Servers (CSs) and Monitors, dRR forms a decentralized federation of CSs, which enables the RPKI Repository to proactively defend against malicious behavior from authorities and to tolerate PPs' failures. dRR is also scalable for future large-scale deployment. We present the design of dRR in detail and implement a prototype of dRR on a global Internet testbed spanning 15 countries. Experimental results show that, although new security features are introduced, dRR only incurs negligible latency for certificate issuance and revocation. The throughput of certificate updates achieved by dRR is 450 times higher than the current maximum RPKI certificate update frequency.

show abstract

Section: B Data-driven Rpki Threat Analysismentioning

confidence: 88%

dRR: A Decentralized, Scalable, and Auditable Architecture for RPKI Repository

Su,

Li,

Chen

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Another recent work that performed similar research as [143] was done by van Hove et al [139]. Parts of this work were also published as an IETF draft [201].…”

Section: Attacks and Threat Modelsmentioning

confidence: 90%

The Resource Public Key Infrastructure (RPKI): A Survey on Measurements and Future Prospects

Rodday,

Cunha,

Bush

et al. 2024

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

The adoption of the Resource Public Key Infrastructure (RPKI) is increasing. To better understand and improve RPKI deployment, measuring route origin authorization (ROA) objects, RPKI route origin validation (ROV), and RPKI resilience is essential. In this paper, we survey RPKI-related research that aims to understand RPKI deployment. Additionally, we enrich our survey with many industry and IETF-related contributions.Our work provides an in-depth analysis of the many ideas and challenges discussed in studies of the RPKI ecosystem and includes lessons from mistakes made in the past, which we should avoid in the future.

show abstract

“…The complexity of RPKI makes the creation of efficient, secure, bug-free, and RFC-compliant software implementations a complex task. Indeed, previous work found that due to missing limits on recursion depths, RP implementations were vulnerable to stalling attacks [18], [19], [20], [21], which was fixed by introducing thresholds to all the RP implementations. However, except for occasional bug reports, no systematic analysis of RPKI validation software has been performed to date.…”

Section: Introductionmentioning

confidence: 99%

The CURE to Vulnerabilities in RPKI Validation

Mirdita,

Shulman,

Vogel

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Over recent years, the Resource Public Key Infrastructure (RPKI) has seen increasing adoption, with now 37.8% of the major networks filtering bogus BGP routes. Systems interact with the RPKI over Relying Party (RP) implementations that fetch RPKI objects and feed BGP routers with the validated prefix-ownership data. Consequently, any vulnerabilities or flaws within the RP software can substantially threaten the stability and security of Internet routing.We uncover severe flaws in all popular RP implementations, making them susceptible to path traversal attacks, remotely triggered crashes, and inherent inconsistencies, violating RPKI standards. We report a total of 18 vulnerabilities that can be exploited to downgrade RPKI validation in border routers or, worse, enable poisoning of the validation process, resulting in malicious prefixes being wrongfully validated and legitimate RPKI-covered prefixes failing validation. Furthermore, our research discloses inconsistencies in the validation process, with two popular implementations leaving 8149 prefixes unprotected from hijacks, 6405 of which belong to Amazon.While these findings are significant in their own right, our principal contribution lies in developing CURE, the first-of-itskind system to systematically detect bugs, vulnerabilities, and RFC compliance issues in RP implementations via automated test generation. The statefulness of RPKI, the lack of rigorous RPKI specifications for recognizing bugs in the object suite, the complexity and diversity of RP implementations, and the inaccessibility of their critical functionalities render this a highly challenging research task. CURE is a powerful RPKI publication point emulator that enables easy and efficient fuzzing of complex RP validation pipelines. It is designed with a set of novel techniques, utilizing differential and stateful fuzzing. We generated over 600 million test cases and tested all popular RPs on them.Following our disclosure, the vendors already assigned CVEs to the vulnerabilities we found. We are releasing our fuzzing system along with the CURE tool to enable the vendors improve the quality of RP implementations.

show abstract

Rpkiller: Threat Analysis from an RPKI Relying Party Perspective

Cited by 3 publications

References 26 publications

dRR: A Decentralized, Scalable, and Auditable Architecture for RPKI Repository

dRR: A Decentralized, Scalable, and Auditable Architecture for RPKI Repository

The Resource Public Key Infrastructure (RPKI): A Survey on Measurements and Future Prospects

The CURE to Vulnerabilities in RPKI Validation

Contact Info

Product

Resources

About