Taejoong Chung, E. Aben, Tim Bruijnzeels, B. Chandrasekaran, D. Choffnes, Dave Levin, B. Maggs, A. Mislove, R. V. Rijswijk-Deij, John P. Rula, N. Sullivan
RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and Invalid Route Origins
DOI: 10.1145/3355369.3355596 (https://doi.org/10.1145/3355369.3355596)
Published in: Proceedings of the Internet Measurement Conference 2018
Publication date: 2019-10-21
Citations: 49
Abstract
Despite its critical role in Internet connectivity, the Border Gateway Protocol (BGP) remains highly vulnerable to attacks such as prefix hijacking, where an Autonomous System (AS) announces routes for IP space it does not control. To address this issue, the Resource Public Key Infrastructure (RPKI) was developed starting in 2008, with deployment beginning in 2011. This paper performs the first comprehensive, longitudinal study of the deployment, coverage, and quality of RPKI. We use a unique dataset containing all RPKI Route Origin Authorizations (ROAs) from the moment RPKI was first deployed, more than 8 years ago. We combine this dataset with BGP announcements from more than 3,300 BGP collectors worldwide. Our analysis shows that after a gradual start, RPKI has seen a rapid increase in adoption over the past two years. We also show that although misconfigurations were rampant when RPKI was first deployed (causing many announcements to appear as invalid), they are quite rare today. We develop a taxonomy of invalid RPKI announcements, then quantify their prevalence. We further identify suspicious announcements indicative of prefix hijacking and present case studies of likely hijacks. Overall, we conclude that while misconfigurations still do occur, RPKI is "ready for the big screen," and routing security can be increased by dropping invalid announcements. To foster reproducibility and further studies, we release all RPKI data and the tools we used to analyze it into the public domain.