Info: Zenodo’s user support line is staffed on regular business days between Dec 23 and Jan 5. Response times may be slightly longer than normal.

Published February 20, 2020 | Version v1
Conference paper Open

RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and Invalid Route Origins

  • 1. Rochester Institute of Technology
  • 2. RIPE NCC
  • 3. NLNetLabs
  • 4. Max Planck Institute for Informatics
  • 5. Northeastern University
  • 6. University of Maryland
  • 7. Duke University and Akamai Technologies
  • 8. University of Twente and NLNetLabs
  • 9. Akamai Technologies
  • 10. Cloudflare

Description

Despite its critical role in Internet connectivity, the Border Gateway Protocol (BGP) remains highly vulnerable to attacks such as prefix hijacking, where an Autonomous System (AS) announces routes for IP space it does not control. To address this issue, the Resource Public Key Infrastructure (RPKI) was developed starting in 2008, with deployment beginning in 2011. This paper performs the first comprehensive, longitudinal study of the deployment, coverage, and quality of RPKI.

We use a unique dataset containing all RPKI Route Origin Authorizations (ROAs) from the moment RPKI was first deployed, more than 8 years ago. We combine this dataset with BGP announcements from more than 3,300 BGP collectors worldwide. Our analysis shows the after a gradual start, RPKI has seen a rapid increase in adoption over the past two years. We also show that although misconfigurations were rampant when RPKI was first deployed (causing many announcements to appear as invalid) they are quite rare today. We develop a taxonomy of invalid RPKI announcements, then quantify their prevalence. We further identify suspicious announcements indicative of prefix hijacking and present case studies of likely hijacks.

Overall, we conclude that while misconfigurations still do occur, RPKI is "ready for the big screen," and routing security can be increased by dropping invalid announcements. To foster reproducibility and further studies, we release all RPKI data and the tools we used to analyze it into the public domain.

Files

2019_RPKI_Is_coming_of_age.pdf

Files (1.3 MB)

Name Size Download all
md5:cd73f54b18500c1412830d6977013ab3
1.3 MB Preview Download

Additional details

Funding

CONCORDIA – Cyber security cOmpeteNCe fOr Research anD InnovAtion 830927
European Commission