[lacnog] Paper: "Are We There Yet?: On RPKI’s Deployment and Security"
Fernando Gont
fgont at si6networks.com
Thu Jan 12 07:35:24 BRST 2017
Dear all,
FYI: <https://eprint.iacr.org/2016/1010.pdf>
Comments and discussion welcome...
Abstract:
---- cut here ----
The Resource Public Key Infrastructure (RPKI)
binds IP address blocks to owners’ public keys. RPKI enables
routers to perform Route Origin Validation (ROV), thus preventing
devastating attacks such as IP prefix hijacking. Yet, despite
extensive effort, RPKI’s deployment is frustratingly sluggish,
leaving the Internet largely insecure. We tackle fundamental
questions regarding today’s RPKI’s deployment and security:
What is the adoption status of RPKI and ROV? What are the
implications for global security of partial adoption? What are the
root-causes for slow adoption? How can deployment be pushed
forward? We address these questions through a combination of
empirical analyses, a survey of over 100 network practitioners,
and extensive simulations. Our main contributions include the
following. We present the first study measuring ROV enforcement,
revealing disappointingly low adoption at the core of the Internet.
We show, in contrast, that without almost ubiquitous ROV
adoption by large ISPs significant security benefits cannot be
attained. We next expose a critical security vulnerability:
about a third of RPKI authorizations issued for IP prefixes do not
protect the prefix from hijacking attacks. We examine potential reasons
for scarce adoption of RPKI and ROV, including human error
in issuing RPKI certificates and inter-organization dependencies,
and present recommendations for addressing these challenges.
---- cut here ----
Regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
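
The abstract mentions Route Origin Validation only in passing. As an added example (not part of the original post or the paper), this sketch classifies announcements following the RFC 6811 procedure and then applies ROV enforcement. The function names are hypothetical, and the prefixes and AS numbers are constructed documentation values.

```python
import ipaddress
from typing import NamedTuple, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

class VRP(NamedTuple):
    """Validated ROA Payload: (prefix, maxLength, origin AS)."""
    prefix: Network
    max_length: int
    asn: int

def vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    net = ipaddress.ip_network(prefix)
    # An absent maxLength means only the exact ROA prefix length is authorized.
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)

def validate_origin(prefix: str, origin_asn: int, vrps: list) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for v in vrps:
        # A VRP covers the route if the route is equal to or inside its prefix.
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        # AS 0 never matches: it marks space that must not be originated.
        if v.asn == origin_asn and v.asn != 0 and route.prefixlen <= v.max_length:
            return "valid"
    # Covered by some VRP but matched by none: this is the hijack signal.
    return "invalid" if covered else "notfound"

def enforce(announcements, vrps):
    """ROV enforcement: drop 'invalid', keep 'valid' and 'notfound'."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, vrps) != "invalid"]

# Constructed sample data (documentation prefixes and AS numbers).
VRPS = [vrp("192.0.2.0/24", 64496), vrp("203.0.113.0/24", 64497, max_length=25)]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # legitimate origin
    ("192.0.2.0/24", 64511),      # same prefix, unauthorized origin
    ("192.0.2.128/25", 64496),    # longer than maxLength allows
    ("203.0.113.128/25", 64497),  # within maxLength
    ("198.51.100.0/24", 64500),   # no covering ROA
]

if __name__ == "__main__":
    for p, a in ANNOUNCEMENTS:
        print(p, f"AS{a}", validate_origin(p, a, VRPS))
```

A prefix with no covering ROA stays `notfound` and is still accepted, so enforcement only protects address space whose holder has issued an authorization.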