poster

Poster: RPKI Kill Switch

Authors:

Donika Mirdita,

Haya Shulman,

Michael WaidnerAuthors Info & Claims

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

Pages 3423 - 3425

https://doi.org/10.1145/3548606.3563536

Published: 07 November 2022 Publication History

Get Access

Abstract

Relying party implementations are an important component of RPKI: they fetch and validate the signed authorizations mapping prefixes to their owners. Border routers use this information to check which Autonomous Systems (ASes) are authorized to originate given prefixes and to enforce Route Origin Validation (ROV) in order to block bogus BGP announcements, preventing accidental and malicious prefix hijacks. In 2021 the RPKI relying party implementations were patched against attacks by malicious publication points. In such attacks the relying parties are stalled processing malformed RPKI objects. In this work we perform a black-box analysis of the patched relying party implementations and find that out of five popular relying parties, two major implementations (Routinator and OctoRPKI) have vulnerabilities that can be exploited to cause large scale blackouts in the RPKI ecosystem. We show that the vulnerabilities we found apply to 84.9% of the networks supporting RPKI. We analyze the code to understand the factors causing the bugs. We show that these vulnerabilities can be exploited to crash the deployed relying parties, disabling RPKI validation and exposing the networks to prefix hijack attacks.

References

[1]

Arstechnica. 2019. BGP event sends European mobile traffic through China Telecom for 2 hours. https://arstechnica.com/informationtechnology/2019/06/bgp-mishap-sends-europeanmobile-traffic-through-china-telecom-for-2-hours. (2019).

Google Scholar

[2]

Alex Band. 2011. Certification in the real world. In RIPE NCC. https://ripe62.ripe.net/presentations/214-Cert-RIPE62-RoutingWG.pdf

Google Scholar

[3]

Randy Bush, Rob Austein, Steve Bellovin, and Michael Elkins. 2009. The RPKI & Origin Validation. https://ripe60.ripe.net/presentations/Bush-The_RPKI_Origin_Validation.pdf

Google Scholar

[4]

Cloudflare. 2022. OctoRPKI. https://github.com/cloudflare/cfrpki. (2022).

Google Scholar

[5]

Tomas Hlavacek, Philipp Jeitner, Donika Mirdita, Haya Shulman, and Michael Waidner. 2022. Stalloris: RPKI Downgrade Attack. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA. https://www.usenix.org/conference/usenixsecurity22/presentation/hlavacek

Google Scholar

[6]

Mitre. 2021. CVE-2021--43172. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021--43172 . (2021).

Google Scholar

[7]

NIST. 2022. RIPEStat. https://stat.ripe.net/about/. (2022).

Google Scholar

[8]

NIST. 2022. RPKI Deployment Monitor. https://rpki-monitor.antd.nist.gov/. (2022).

Google Scholar

[9]

NLnetLabs. 2022a. Routinator. 2022. https://routinator.docs.nlnetlabs.nl/. (2022).

Google Scholar

[10]

NLnetLabs. 2022b. RPKI Certificate Authority and Publication Server. https://github.com/NLnetLabs/krill. (2022).

Google Scholar

[11]

Marshall Pierce. 2021. base64. https://github.com/marshallpierce/rust-base64 . (2021).

Google Scholar

[12]

Renesys. 2013. The New Threat: Targeted Internet Traffic Misdirection. http://www.renesys.com/2013/11/mitm-internet-hijacking/. (2013).

Google Scholar

[13]

Haya Shulman, Niklas Vogel, and Michael Waidner. 2022. Poster: Insights into Global Deployment of RPKI Validation. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security.

Digital Library

Google Scholar

[14]

Andree Toonk. 2014. Turkey Hijacking IP Addresses for Popular Global DNSProviders. https://www.bgpmon.net/turkey-hijacking-ip-addresses-for-popular-global-dns-providers/. (2014).

Google Scholar

Cited By

View all

Rodday NCunha ÍBush RKatz-Bassett ERodosek GSchmidt TWählisch M(2024)The Resource Public Key Infrastructure (RPKI): A Survey on Measurements and Future ProspectsIEEE Transactions on Network and Service Management10.1109/TNSM.2023.332745521:2(2353-2373)Online publication date: Apr-2024
https://doi.org/10.1109/TNSM.2023.3327455

Index Terms

Poster: RPKI Kill Switch
1. Security and privacy
  1. Network security

Recommendations

Behind the Scenes of RPKI
CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

Best practices for making RPKI resilient to failures and attacks recommend using multiple URLs and certificates for publication points as well as multiple relying parties. We find that these recommendations are already supported by 63% of the ASes with ...
Poster: Insights into Global Deployment of RPKI Validation
CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

IP prefix hijacks, due to malicious attacks or benign misconfigurations, pose a threat to the Internet's stability and security. RPKI was designed to enable networks to block prefix hijacks by enforcing Route Origin Validation (ROV). In this work we ...
Poster: Taking the Low Road: How RPKI Invalids Propagate
ACM SIGCOMM '23: Proceedings of the ACM SIGCOMM 2023 Conference

The Border Gateway Protocol (BGP) includes no mechanism to verify the correctness of routing information exchanged between networks. To defend against unauthorized use of address space, the IETF developed the Resource Public Key Infrastructure (RPKI), a ...

Comments

Information & Contributors

Information

Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

November 2022

3598 pages

ISBN:9781450394505

DOI:10.1145/3548606

General Chairs:
Heng Yin
University of California, Riverside
,
Angelos Stavrou
Virginia Tech
,
Program Chairs:
Cas Cremers
CISPA Helmholtz Center for Information Security
,
Elaine Shi
Carnegie Mellon University

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 November 2022

Check for updates

Author Tags

Qualifiers

Poster

Funding Sources

Deutsche Forschungsgemeinschaft
National Research Center for Applied Cybersecurity ATHENE

Conference

CCS '22

Sponsor:

SIGSAC

CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security

November 7 - 11, 2022

CA, Los Angeles, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
178
Total Downloads

Downloads (Last 12 months)63
Downloads (Last 6 weeks)9

Reflects downloads up to 07 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Rodday NCunha ÍBush RKatz-Bassett ERodosek GSchmidt TWählisch M(2024)The Resource Public Key Infrastructure (RPKI): A Survey on Measurements and Future ProspectsIEEE Transactions on Network and Service Management10.1109/TNSM.2023.332745521:2(2353-2373)Online publication date: Apr-2024
https://doi.org/10.1109/TNSM.2023.3327455

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Behind the Scenes of RPKI

Poster: Insights into Global Deployment of RPKI Validation

Poster: Taking the Low Road: How RPKI Invalids Propagate

Comments

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Behind the Scenes of RPKI

Poster: Insights into Global Deployment of RPKI Validation

Poster: Taking the Low Road: How RPKI Invalids Propagate

Comments

Information

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations