Are We There Yet? On RPKI’s Deployment and Security

Yossi Gilad; Avichai Cohen; Amir Herzberg; Michael Schapira; Haya Shulman

doi:10.14722/ndss.2017.23123

Are We There Yet? On RPKI’s Deployment and Security

Yossi Gilad^*, Avichai Cohen, Amir Herzberg, Michael Schapira, Haya Shulman

^*Corresponding author for this work

The Rachel and Selim Benin School of Engineering and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

64 Scopus citations

Abstract

The Resource Public Key Infrastructure (RPKI) binds IP address blocks to owners’ public keys. RPKI enables routers to perform Route Origin Validation (ROV), thus preventing devastating attacks such as IP prefix hijacking. Yet, despite extensive effort, RPKI’s deployment is frustratingly sluggish, leaving the Internet largely insecure. We tackle fundamental questions regarding today’s RPKI’s deployment and security: What is the adoption status of RPKI and ROV? What are the implications for global security of partial adoption? What are the root-causes for slow adoption? How can deployment be pushed forward? We address these questions through a combination of empirical analyses, a survey of over 100 network practitioners, and extensive simulations. Our main contributions include the following. We present the first study measuring ROV enforcement, revealing disappointingly low adoption at the core of the Internet. We show, in contrast, that without almost ubiquitous ROV adoption by large ISPs significant security benefits cannot be attained. We next expose a critical security vulnerability: about a third of RPKI authorizations issued for IP prefixes do not protect the prefix from hijacking attacks. We examine potential reasons for scarce adoption of RPKI and ROV, including human error in issuing RPKI certificates and inter-organization dependencies, and present recommendations for addressing these challenges.

Original language	English
Title of host publication	24th Annual Network and Distributed System Security Symposium, NDSS 2017
Publisher	The Internet Society
ISBN (Electronic)	1891562460, 9781891562464
DOIs	https://doi.org/10.14722/ndss.2017.23123
State	Published - 2017
Event	24th Annual Network and Distributed System Security Symposium, NDSS 2017 - San Diego, United States Duration: 26 Feb 2017 → 1 Mar 2017

Publication series

Name	24th Annual Network and Distributed System Security Symposium, NDSS 2017

Conference

Conference	24th Annual Network and Distributed System Security Symposium, NDSS 2017
Country/Territory	United States
City	San Diego
Period	26/02/17 → 1/03/17

Bibliographical note

Publisher Copyright:
© 2017 24th Annual Network and Distributed System Security Symposium, NDSS 2017. All Rights Reserved.

Access to Document

10.14722/ndss.2017.23123

Cite this

@inproceedings{0abba34be17f4545af9e478460d3b374,

title = "Are We There Yet? On RPKI{\textquoteright}s Deployment and Security",

abstract = "The Resource Public Key Infrastructure (RPKI) binds IP address blocks to owners{\textquoteright} public keys. RPKI enables routers to perform Route Origin Validation (ROV), thus preventing devastating attacks such as IP prefix hijacking. Yet, despite extensive effort, RPKI{\textquoteright}s deployment is frustratingly sluggish, leaving the Internet largely insecure. We tackle fundamental questions regarding today{\textquoteright}s RPKI{\textquoteright}s deployment and security: What is the adoption status of RPKI and ROV? What are the implications for global security of partial adoption? What are the root-causes for slow adoption? How can deployment be pushed forward? We address these questions through a combination of empirical analyses, a survey of over 100 network practitioners, and extensive simulations. Our main contributions include the following. We present the first study measuring ROV enforcement, revealing disappointingly low adoption at the core of the Internet. We show, in contrast, that without almost ubiquitous ROV adoption by large ISPs significant security benefits cannot be attained. We next expose a critical security vulnerability: about a third of RPKI authorizations issued for IP prefixes do not protect the prefix from hijacking attacks. We examine potential reasons for scarce adoption of RPKI and ROV, including human error in issuing RPKI certificates and inter-organization dependencies, and present recommendations for addressing these challenges.",

author = "Yossi Gilad and Avichai Cohen and Amir Herzberg and Michael Schapira and Haya Shulman",

note = "Publisher Copyright: {\textcopyright} 2017 24th Annual Network and Distributed System Security Symposium, NDSS 2017. All Rights Reserved.; 24th Annual Network and Distributed System Security Symposium, NDSS 2017 ; Conference date: 26-02-2017 Through 01-03-2017",

year = "2017",

doi = "10.14722/ndss.2017.23123",

language = "אנגלית",

series = "24th Annual Network and Distributed System Security Symposium, NDSS 2017",

publisher = "The Internet Society",

booktitle = "24th Annual Network and Distributed System Security Symposium, NDSS 2017",

}

Gilad, Y, Cohen, A, Herzberg, A, Schapira, M & Shulman, H 2017, Are We There Yet? On RPKI’s Deployment and Security. in 24th Annual Network and Distributed System Security Symposium, NDSS 2017. 24th Annual Network and Distributed System Security Symposium, NDSS 2017, The Internet Society, 24th Annual Network and Distributed System Security Symposium, NDSS 2017, San Diego, United States, 26/02/17. https://doi.org/10.14722/ndss.2017.23123

Are We There Yet? On RPKI’s Deployment and Security. / Gilad, Yossi; Cohen, Avichai; Herzberg, Amir et al.
24th Annual Network and Distributed System Security Symposium, NDSS 2017. The Internet Society, 2017. (24th Annual Network and Distributed System Security Symposium, NDSS 2017).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Are We There Yet? On RPKI’s Deployment and Security

AU - Gilad, Yossi

AU - Cohen, Avichai

AU - Herzberg, Amir

AU - Schapira, Michael

AU - Shulman, Haya

PY - 2017

Y1 - 2017

N2 - The Resource Public Key Infrastructure (RPKI) binds IP address blocks to owners’ public keys. RPKI enables routers to perform Route Origin Validation (ROV), thus preventing devastating attacks such as IP prefix hijacking. Yet, despite extensive effort, RPKI’s deployment is frustratingly sluggish, leaving the Internet largely insecure. We tackle fundamental questions regarding today’s RPKI’s deployment and security: What is the adoption status of RPKI and ROV? What are the implications for global security of partial adoption? What are the root-causes for slow adoption? How can deployment be pushed forward? We address these questions through a combination of empirical analyses, a survey of over 100 network practitioners, and extensive simulations. Our main contributions include the following. We present the first study measuring ROV enforcement, revealing disappointingly low adoption at the core of the Internet. We show, in contrast, that without almost ubiquitous ROV adoption by large ISPs significant security benefits cannot be attained. We next expose a critical security vulnerability: about a third of RPKI authorizations issued for IP prefixes do not protect the prefix from hijacking attacks. We examine potential reasons for scarce adoption of RPKI and ROV, including human error in issuing RPKI certificates and inter-organization dependencies, and present recommendations for addressing these challenges.

AB - The Resource Public Key Infrastructure (RPKI) binds IP address blocks to owners’ public keys. RPKI enables routers to perform Route Origin Validation (ROV), thus preventing devastating attacks such as IP prefix hijacking. Yet, despite extensive effort, RPKI’s deployment is frustratingly sluggish, leaving the Internet largely insecure. We tackle fundamental questions regarding today’s RPKI’s deployment and security: What is the adoption status of RPKI and ROV? What are the implications for global security of partial adoption? What are the root-causes for slow adoption? How can deployment be pushed forward? We address these questions through a combination of empirical analyses, a survey of over 100 network practitioners, and extensive simulations. Our main contributions include the following. We present the first study measuring ROV enforcement, revealing disappointingly low adoption at the core of the Internet. We show, in contrast, that without almost ubiquitous ROV adoption by large ISPs significant security benefits cannot be attained. We next expose a critical security vulnerability: about a third of RPKI authorizations issued for IP prefixes do not protect the prefix from hijacking attacks. We examine potential reasons for scarce adoption of RPKI and ROV, including human error in issuing RPKI certificates and inter-organization dependencies, and present recommendations for addressing these challenges.

UR - http://www.scopus.com/inward/record.url?scp=85171626817&partnerID=8YFLogxK

U2 - 10.14722/ndss.2017.23123

DO - 10.14722/ndss.2017.23123

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:85171626817

T3 - 24th Annual Network and Distributed System Security Symposium, NDSS 2017

BT - 24th Annual Network and Distributed System Security Symposium, NDSS 2017

PB - The Internet Society

T2 - 24th Annual Network and Distributed System Security Symposium, NDSS 2017

Y2 - 26 February 2017 through 1 March 2017

ER -

Are We There Yet? On RPKI’s Deployment and Security

Abstract

Publication series

Conference

Bibliographical note

Access to Document

Other files and links

Fingerprint

Cite this