DOI: 10.1145/3404868.3406674
short-paper

Limiting the Power of RPKI Authorities

Published: 27 July 2020

Abstract

Although the Resource Public Key Infrastructure (RPKI) is critical for securing inter-domain routing, one of the arguments hindering its adoption is the significant power that it gives to the Regional Internet Registries (RIRs), which allows prefix takedowns. In this work, we propose a small change to RPKI that distributes the power of the RIRs, preventing any single one of them from taking down a prefix. We design and implement a distributed RPKI system that relies on threshold signatures. This ensures that any change to the RPKI certificates requires a joint action by a number of RIRs, avoiding unilateral IP address takedowns. We evaluate the performance of our design and use historic RPKI data to analyse its performance and efficiency.



Published In

ANRW '20: Proceedings of the 2020 Applied Networking Research Workshop
July 2020
77 pages
ISBN:9781450380393
DOI:10.1145/3404868
Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Short-paper
  • Research
  • Refereed limited

Funding Sources

  • DFG (German Research Foundation)
  • German Federal Ministry of Education and Research and the Hessen State Ministry for Higher Education, Research and Arts

Conference

ANRW '20: Applied Networking Research Workshop
July 27 - 30, 2020
Virtual Event, Spain

Acceptance Rates

Overall Acceptance Rate 34 of 58 submissions, 59%


Article Metrics

  • Downloads (Last 12 months): 40
  • Downloads (Last 6 weeks): 6
Reflects downloads up to 12 Nov 2024


Cited By

  • (2024) The Resource Public Key Infrastructure (RPKI): A Survey on Measurements and Future Prospects. IEEE Transactions on Network and Service Management, 21:2 (2353-2373). DOI: 10.1109/TNSM.2023.3327455. Online publication date: Apr-2024
  • (2023) rpkiller: Threat Analysis of the BGP Resource Public Key Infrastructure. Digital Threats: Research and Practice, 4:4 (1-24). DOI: 10.1145/3617182. Online publication date: 20-Oct-2023
  • (2023) The Juice Is Worth the Squeeze: Analysis of Autonomous System Provider Authorization in Partial Deployment. IEEE Open Journal of the Communications Society, 4 (269-306). DOI: 10.1109/OJCOMS.2022.3233833. Online publication date: 2023
  • (2023) Toward the mutual routing security in wide area networks. Computer Networks: The International Journal of Computer and Telecommunications Networking, 230:C. DOI: 10.1016/j.comnet.2023.109778. Online publication date: 1-Jul-2023
  • (2022) Secure Inter-Domain Routing Based on Blockchain: A Comprehensive Survey. Sensors, 22:4 (1437). DOI: 10.3390/s22041437. Online publication date: 13-Feb-2022
  • (2022) IRR Hygiene in the RPKI Era. Passive and Active Measurement (321-337). DOI: 10.1007/978-3-030-98785-5_14. Online publication date: 28-Mar-2022
  • (2021) Privacy Preserving and Resilient RPKI. IEEE INFOCOM 2021 - IEEE Conference on Computer Communications (1-10). DOI: 10.1109/INFOCOM42981.2021.9488759. Online publication date: 10-May-2021
