DISCO: Sidestepping RPKI's Deployment Barriers

Tomas Hlavacek, Italo Cunha, Yossi Gilad, Amir Herzberg, Ethan Katz-Bassett, Michael Schapira, Haya Shulman

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

21 Scopus citations

Abstract

BGP is a gaping security hole in today's Internet, as evidenced by numerous Internet outages and blackouts, repeated traffic hijacking, and surveillance incidents. To protect against prefix hijacking, the Resource Public Key Infrastructure (RPKI) has been standardized. Yet, despite Herculean efforts, ubiquitous deployment of the RPKI remains distant, due to RPKI's manual and error-prone certification process. We argue that deploying origin authentication at scale requires substituting the standard requirement of certifying legal ownership of IP address blocks with the goal of certifying de facto ownership. We show that settling for de facto ownership is sufficient for protecting against hazardous prefix hijacking and can be accomplished without requiring any changes to today's routing infrastructure. We present DISCO, a readily deployable system that automatically certifies de facto ownership and generates the appropriate BGP-path-filtering rules at routers. We evaluate DISCO's security and deployability via live experiments on the Internet using a prototype implementation of DISCO and through simulations on empirically-derived datasets. To facilitate the reproducibility of our results, we open source our prototype, simulator, and measurement analysis code [30].

Original language: English
Title of host publication: 27th Annual Network and Distributed System Security Symposium, NDSS 2020
Publisher: The Internet Society
ISBN (Electronic): 1891562614, 9781891562617
DOIs
State: Published - 2020
Externally published: Yes
Event: 27th Annual Network and Distributed System Security Symposium, NDSS 2020 - San Diego, United States
Duration: 23 Feb 2020 to 26 Feb 2020

Publication series

Name: 27th Annual Network and Distributed System Security Symposium, NDSS 2020

Conference

Conference: 27th Annual Network and Distributed System Security Symposium, NDSS 2020
Country/Territory: United States
City: San Diego
Period: 23/02/20 to 26/02/20

Bibliographical note

Publisher Copyright:
© 2020 27th Annual Network and Distributed System Security Symposium, NDSS 2020. All Rights Reserved.

Funding

We thank our shepherd Brad Reaves and the NDSS reviewers for valuable feedback. We appreciate the support and feedback from Job Snijders and others in the network operator community. Donald Sharp and others in the FRR community fixed the FRR bug triggered by our announcements, enabling further experiments. Michael Schapira is supported by an ERC Starting Grant. Ethan Katz-Bassett and Italo Cunha were partially supported by NSF grants CNS-1740883 and CNS-1835252, as well as a Google Faculty Research Award. Italo Cunha is additionally funded by RNP project 2955, CNPq award 311049, and CAPES award 88881.17164. Amir Herzberg was partially supported by an endowment from the Comcast corporation and by NSF grant 1840041. Yossi Gilad is supported by the Alon fellowship, the Hebrew university cybersecurity research center, and Mobileye. This research work has been funded in part by the German Federal Ministry of Education and Research and the Hessen State Ministry for Higher Education, Research and the Arts within their joint support of ATHENE – National Research Center for Applied Cybersecurity, and co-funded by the DFG as part of project S3 within the CRC 1119 CROSSING. The opinions expressed in the paper are those of the researchers themselves and not of their universities or sources of funding.

Funders (funder number):
Alon fellowship
Hebrew university cybersecurity research center
National Research Center for Applied Cybersecurity
National Science Foundation: CNS-1740883, CNS-1835252
Google
Comcast: 1840041
Rede Nacional de Ensino e Pesquisa
European Research Council
Deutsche Forschungsgemeinschaft
Coordenação de Aperfeiçoamento de Pessoal de Nível Superior: 88881.17164
Bundesministerium für Bildung und Forschung
Hessisches Ministerium für Wissenschaft und Kunst
Conselho Nacional de Desenvolvimento Científico e Tecnológico: 311049
