RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and Invalid Route Origins

Taejoong Chung, E. Aben, Tim Bruijnzeels, B. Chandrasekaran, D. Choffnes, Dave Levin, B. Maggs, A. Mislove, R. V. Rijswijk-Deij, John P. Rula, N. Sullivan
{"title":"RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and Invalid Route Origins","authors":"Taejoong Chung, E. Aben, Tim Bruijnzeels, B. Chandrasekaran, D. Choffnes, Dave Levin, B. Maggs, A. Mislove, R. V. Rijswijk-Deij, John P. Rula, N. Sullivan","doi":"10.1145/3355369.3355596","DOIUrl":null,"url":null,"abstract":"Despite its critical role in Internet connectivity, the Border Gateway Protocol (BGP) remains highly vulnerable to attacks such as prefix hijacking, where an Autonomous System (AS) announces routes for IP space it does not control. To address this issue, the Resource Public Key Infrastructure (RPKI) was developed starting in 2008, with deployment beginning in 2011. This paper performs the first comprehensive, longitudinal study of the deployment, coverage, and quality of RPKI. We use a unique dataset containing all RPKI Route Origin Authorizations (ROAs) from the moment RPKI was first deployed, more than 8 years ago. We combine this dataset with BGP announcements from more than 3,300 BGP collectors worldwide. Our analysis shows the after a gradual start, RPKI has seen a rapid increase in adoption over the past two years. We also show that although misconfigurations were rampant when RPKI was first deployed (causing many announcements to appear as invalid) they are quite rare today. We develop a taxonomy of invalid RPKI announcements, then quantify their prevalence. We further identify suspicious announcements indicative of prefix hijacking and present case studies of likely hijacks. Overall, we conclude that while misconfigurations still do occur, RPKI is \"ready for the big screen,\" and routing security can be increased by dropping invalid announcements. To foster reproducibility and further studies, we release all RPKI data and the tools we used to analyze it into the public domain.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":"113 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"49","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Internet Measurement Conference 2018","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3355369.3355596","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 49

Abstract

Despite its critical role in Internet connectivity, the Border Gateway Protocol (BGP) remains highly vulnerable to attacks such as prefix hijacking, where an Autonomous System (AS) announces routes for IP space it does not control. To address this issue, the Resource Public Key Infrastructure (RPKI) was developed starting in 2008, with deployment beginning in 2011. This paper performs the first comprehensive, longitudinal study of the deployment, coverage, and quality of RPKI. We use a unique dataset containing all RPKI Route Origin Authorizations (ROAs) from the moment RPKI was first deployed, more than 8 years ago. We combine this dataset with BGP announcements from more than 3,300 BGP collectors worldwide. Our analysis shows the after a gradual start, RPKI has seen a rapid increase in adoption over the past two years. We also show that although misconfigurations were rampant when RPKI was first deployed (causing many announcements to appear as invalid) they are quite rare today. We develop a taxonomy of invalid RPKI announcements, then quantify their prevalence. We further identify suspicious announcements indicative of prefix hijacking and present case studies of likely hijacks. Overall, we conclude that while misconfigurations still do occur, RPKI is "ready for the big screen," and routing security can be increased by dropping invalid announcements. To foster reproducibility and further studies, we release all RPKI data and the tools we used to analyze it into the public domain.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
RPKI正在成熟:RPKI部署与无效路由起源的纵向研究
尽管边界网关协议(BGP)在互联网连接中起着至关重要的作用,但它仍然极易受到前缀劫持等攻击,即自治系统(as)宣布它无法控制的IP空间的路由。为了解决这个问题,资源公钥基础设施(Resource Public Key Infrastructure, RPKI)于2008年开始开发,并于2011年开始部署。本文首次对RPKI的部署、覆盖和质量进行了全面的纵向研究。我们使用一个独特的数据集,其中包含自RPKI首次部署以来的所有路由起源授权(roa),超过8年前。我们将此数据集与来自全球3300多个BGP收集器的BGP公告相结合。我们的分析显示,在经历了一个渐进的开始之后,RPKI在过去两年中得到了快速的普及。我们还指出,尽管在首次部署RPKI时错误配置非常猖獗(导致许多公告显示为无效),但它们在今天已经非常罕见了。我们开发了无效RPKI公告的分类,然后量化它们的流行程度。我们进一步识别指示前缀劫持的可疑公告,并提供可能劫持的案例研究。总的来说,我们得出的结论是,尽管错误配置仍然存在,但RPKI已经“为大屏幕做好了准备”,并且可以通过删除无效通知来提高路由安全性。为了促进可重复性和进一步的研究,我们将所有RPKI数据和我们用于分析它的工具发布到公共领域。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Reducing Permission Requests in Mobile Apps A Look at the ECS Behavior of DNS Resolvers RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and Invalid Route Origins Scanning the Scanners: Sensing the Internet from a Massively Distributed Network Telescope Learning Regexes to Extract Router Names from Hostnames
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1