TY - GEN
T1 - Are We There Yet? On RPKI’s Deployment and Security
AU - Gilad, Yossi
AU - Cohen, Avichai
AU - Herzberg, Amir
AU - Schapira, Michael
AU - Shulman, Haya
N1 - Publisher Copyright: © 2017 24th Annual Network and Distributed System Security Symposium, NDSS 2017. All Rights Reserved.
PY - 2017
Y1 - 2017
N2 - The Resource Public Key Infrastructure (RPKI) binds IP address blocks to owners’ public keys. RPKI enables routers to perform Route Origin Validation (ROV), thus preventing devastating attacks such as IP prefix hijacking. Yet, despite extensive effort, RPKI’s deployment is frustratingly sluggish, leaving the Internet largely insecure. We tackle fundamental questions regarding today’s RPKI’s deployment and security: What is the adoption status of RPKI and ROV? What are the implications for global security of partial adoption? What are the root-causes for slow adoption? How can deployment be pushed forward? We address these questions through a combination of empirical analyses, a survey of over 100 network practitioners, and extensive simulations. Our main contributions include the following. We present the first study measuring ROV enforcement, revealing disappointingly low adoption at the core of the Internet. We show, in contrast, that without almost ubiquitous ROV adoption by large ISPs significant security benefits cannot be attained. We next expose a critical security vulnerability: about a third of RPKI authorizations issued for IP prefixes do not protect the prefix from hijacking attacks. We examine potential reasons for scarce adoption of RPKI and ROV, including human error in issuing RPKI certificates and inter-organization dependencies, and present recommendations for addressing these challenges.
AB - The Resource Public Key Infrastructure (RPKI) binds IP address blocks to owners’ public keys. RPKI enables routers to perform Route Origin Validation (ROV), thus preventing devastating attacks such as IP prefix hijacking. Yet, despite extensive effort, RPKI’s deployment is frustratingly sluggish, leaving the Internet largely insecure. We tackle fundamental questions regarding today’s RPKI’s deployment and security: What is the adoption status of RPKI and ROV? What are the implications for global security of partial adoption? What are the root-causes for slow adoption? How can deployment be pushed forward? We address these questions through a combination of empirical analyses, a survey of over 100 network practitioners, and extensive simulations. Our main contributions include the following. We present the first study measuring ROV enforcement, revealing disappointingly low adoption at the core of the Internet. We show, in contrast, that without almost ubiquitous ROV adoption by large ISPs significant security benefits cannot be attained. We next expose a critical security vulnerability: about a third of RPKI authorizations issued for IP prefixes do not protect the prefix from hijacking attacks. We examine potential reasons for scarce adoption of RPKI and ROV, including human error in issuing RPKI certificates and inter-organization dependencies, and present recommendations for addressing these challenges.
UR - http://www.scopus.com/inward/record.url?scp=85171626817&partnerID=8YFLogxK
U2 - 10.14722/ndss.2017.23123
DO - 10.14722/ndss.2017.23123
M3 - منشور من مؤتمر
T3 - 24th Annual Network and Distributed System Security Symposium, NDSS 2017
BT - 24th Annual Network and Distributed System Security Symposium, NDSS 2017
PB - The Internet Society
T2 - 24th Annual Network and Distributed System Security Symposium, NDSS 2017
Y2 - 26 February 2017 through 1 March 2017
ER -