Abstract
The Resource Public Key Infrastructure (RPKI) binds IP address blocks to owners’ public keys. RPKI enables routers to perform Route Origin Validation (ROV), thus preventing devastating attacks such as IP prefix hijacking. Yet, despite extensive effort, RPKI’s deployment is frustratingly sluggish, leaving the Internet largely insecure. We tackle fundamental questions regarding today’s RPKI deployment and security: What is the adoption status of RPKI and ROV? What are the implications for global security of partial adoption? What are the root causes of slow adoption? How can deployment be pushed forward? We address these questions through a combination of empirical analyses, a survey of over 100 network practitioners, and extensive simulations. Our main contributions include the following. We present the first study measuring ROV enforcement, revealing disappointingly low adoption at the core of the Internet. We show, in contrast, that without almost ubiquitous ROV adoption by large ISPs, significant security benefits cannot be attained. We next expose a critical security vulnerability: about a third of RPKI authorizations issued for IP prefixes do not protect the prefix from hijacking attacks. We examine potential reasons for scarce adoption of RPKI and ROV, including human error in issuing RPKI certificates and inter-organization dependencies, and present recommendations for addressing these challenges.
| Original language | English |
|---|---|
| Title of host publication | 24th Annual Network and Distributed System Security Symposium, NDSS 2017 |
| Publisher | The Internet Society |
| ISBN (Electronic) | 1891562460, 9781891562464 |
| DOIs | |
| State | Published - 2017 |
| Event | 24th Annual Network and Distributed System Security Symposium, NDSS 2017 - San Diego, United States. Duration: 26 Feb 2017 → 1 Mar 2017 |
Publication series
| Name | 24th Annual Network and Distributed System Security Symposium, NDSS 2017 |
|---|---|
Conference
| Conference | 24th Annual Network and Distributed System Security Symposium, NDSS 2017 |
|---|---|
| Country/Territory | United States |
| City | San Diego |
| Period | 26/02/17 → 1/03/17 |
Bibliographical note
Publisher Copyright: © 2017 24th Annual Network and Distributed System Security Symposium, NDSS 2017. All Rights Reserved.
Funding
This work was supported by ISF grants 420/12 and 1354/11, Israel Ministry of Science grants 3-9772 and 3-10884, the Israeli Center for Research Excellence in Algorithms, NSF grant 1414119, and an ERC Starting Grant. We thank Steve Bellovin, Randy Bush, Sharon Goldberg, Joel Halpern, Ethan Heilman, Tomas Hlavacek, Hezi Moriel, Hank Nussbacher, Alvaro Retana, and Nickolai Zeldovich for their helpful comments and suggestions. Special thanks to Daniel Davidovitch for helping us create ROAlet’s web interface, to Matthias Waehlisch and his research group at Freie University Berlin for helping us utilize Miro [48], and to Christian Teuschel from RIPE for helping us utilize the RIPEStat database.
| Funders | Funder number |
|---|---|
| Israel Ministry of Science | 3-10884, 3-9772 |
| Israeli Center for Research Excellence in Algorithms | |
| RIPE | |
| National Science Foundation | 1414119 |
| Iowa Science Foundation | 1354/11, 420/12 |
| European Commission | |