Abstract
In order to cope with the BGP (Border Gateway Protocol) security defects, RPKI (Resource Public Key Infrastructure) was proposed in IETF (Internet Engineering Task Force) in order to authenticate the relationship between IP prefix and its origination. Since 2012, a series of RPKI-related protocols have been standardized in IETF and the community has launched its actual deployment. However, with the global deployment of RPKI, a lot of concerns from technical, economic and political aspects have been raised. In this paper, we attempt to collect and analyze the most critical risks appeared during the RPKI deployment, and summarize the alternative solutions which have been presented to address or mitigate these risks.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Rekhter, Y., Li, T., Hares, S.: A Border Gateway Protocol 4 (BGP-4). IETF RFC4271 (January 2006)
IP hijacking. http://en.wikipedia.org/wiki/IP_hijacking
Zhang, Z., Zhang, Y., Hu, Y.C., Mao, Z.M.: Practical Defenses Against BGP Prefix Hijacking. ACM CoNext (December 2007)
Ballani, H., Francis, P., Zhang, X.: A Study of Prefix Hijacking and Interception in the Internet. ACM SIGCOMM (2007)
Huston, G., Michaelson, G.: Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations (ROAs). IETF RFC 6483 (February 2012)
Lepinski, M., Kent, S., Kong, D.: A Profile for Route Origin Authorizations (ROAs). IETF RFC 6482 (February 2012)
Austein, R., Huston, G., Kent, S., Lepinski, M.: Manifests for the Resource Public Key Infrastructure (RPKI). IETF RFC 6486 (February 2012)
Huston, G., Loomans, R., Michaelson, G.: A Profile for Resource Certficate Repository Structure. IETF RFC 6481 (February 2012)
Weiler, S., Ward, D., Housley, R.: The rsync URI Scheme. IETF RFC 5781 (February 2010)
Bush, R., Austein, R.: The Resource Public Key Infrastructure (RPKI) to Router Protocol. IETF RFC6810 (January 2013)
Gagliano, R., Kent, S., Turner, S.: Algorithm Agility Procedure for the Resource Public Key Infrastructure (RPKI). IETF RFC6916 (April 2013)
Bush, R.: Origin Validation Operation Based on the Resource Public Key Infrastructure (RPKI). IETF RFC7115 (January 2014)
Bruijnzeels, T., Muravskiy, O., Weber, B., Austein, R., Mandelberg, D.: RPKI Repository Delta Protocol. draft-ietf-sidr-delta-protocol-00 (February 2015)
Kisteleki, R., Haberman, B.: Securing RPSL Objects with RPKI Signatures. draft-ietf-sidr-rpsl-sig-06.txt (November 2014)
Lepinski, M. (ed.): BGPsec Protocol Specification. draft-ietf-sidr-bgpsec-protocol-11 (January 2015)
RPKI Dashboard. http://rpki.surfnet.nl/global.html
RIPE NCC. http://certification-stats.ripe.net/
Housley, R., Ashmore, S., Wallace, C.: Trust Anchor Format. IETF RFC5914 (June 2010)
Lepinski, M., Kent, S.: An Infrastructure to Support Secure Internet Routing. IETF RFC 6480 (February 2012)
IAB statement on the RPKI. https://www.ietf.org/mail-archive/web/ietf-announce/current/msg07028.html
Malhotra, A., Goldberg, S.: RPKI vs ROVER Comparing the Risks of BGP Security Solutions. ACM SIGCOMM (2014)
Cooper, D., Heilman, E., Brogley, K., Reyzin, L., Goldberg, S.: On the Risk of Misbehaving RPKI Authorities. ACM Hotnets (November 2013)
Heilman, E., Cooper, D., Reyzin, L., Goldberg, S.: From the Consent of the Routed-Improving the Transparency of the RPKI. ACM SIGCOMM (2014)
rsync web pages. https://rsync.samba.org/
Oleg Muravskiy: RPKI Repository Analysis and Delta Protocol. http://www.ietf.org/proceedings/86/slides/slides-86-sidr-2.pdf
rsync considered inefficient and harmful. https://www.ietf.org/proceedings/89/slides/slides-89-sidr-6.pdf
Weber, B.: RPKI Repository Distribution Protocol(RRDP). https://www.ietf.org/mail-archive/web/sidr/current/msg05367.html
George, W.: Adventures in RPKI (non)deployment. https://www.nanog.org/sites/default/files/wednesday_george_adventuresinrpki_62.9.pdf
Huston, G., Michaelson, G., Loomans, R.: A Profile for X.509 PKIX Resource Certificates. IETF RFC6487 (February 2012)
Example: Configuring Origin Validation for BGP. https://www.juniper.net/documentation/en_US/junos12.2/topics/topic-map/bgp-origin-as-validation.html
GTA testbed. https://myicann.org/plan/project/5283e47c0038d63c92a626c2f26a59f6
Stoyanov, H.: Cryptographically secure detection of mirror worlds. http://web.mit.edu/rsi/2014/all/hristo.pdf.gz
Bruijnzeels, T., Muravskiy, O., Weber, B.: RPKI Repository Analysis and Requirements. draft-tbruijnzeels-sidr-repo-analysis-00 (February 2013)
Wang, C., Yan, Z., Hu, A.: An Efficient Data Management Architecture for the Large-scale Deployment of Resource Public Key Infrastructure. IEEE CECNet (December 2014)
Gill, P., Schapira, M., Goldberg, S.: Let the Market Drive Deployment: A Strategy for Transitioning to BGP Security. ACM SIGCOMM (2011)
Resource Public Key Infrastructure (RPKI). http://www.slideshare.net/SienaPerry/introduction-to-rpki-rpki-my-nog20140821shortv2
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Liu, X., Yan, Z., Geng, G., Lee, X., Tseng, SS., Ku, CH. (2016). RPKI Deployment: Risks and Alternative Solutions. In: Zin, T., Lin, JW., Pan, JS., Tin, P., Yokota, M. (eds) Genetic and Evolutionary Computing. Advances in Intelligent Systems and Computing, vol 387. Springer, Cham. https://doi.org/10.1007/978-3-319-23204-1_30
Download citation
DOI: https://doi.org/10.1007/978-3-319-23204-1_30
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23203-4
Online ISBN: 978-3-319-23204-1
eBook Packages: EngineeringEngineering (R0)