From the consent of the routed

The Resource Public Key Infrastructure (RPKI) is a new infrastructure that prevents some of the most devastating attacks on interdomain routing, namely prefix and subprefix hijacks, by certifying which autonomous systems may originate routes to a given IP prefix. However, the security benefits provided by the RPKI are accomplished via an architecture that empowers centralized authorities to unilaterally revoke the certificates and Route Origin Authorizations (ROAs) covering any IP prefix beneath them in the hierarchy, which can cause routers that enforce RPKI validation to drop that prefix's routes. We propose mechanisms to improve the transparency of the RPKI, in order to mitigate the risk that it will be used for IP address takedowns. First, we present tools that detect and visualize changes to the RPKI that can potentially take down an IP prefix. We use our tools to identify errors and revocations in the production RPKI. Next, we propose modifications to the RPKI's architecture that (1) require any revocation of IP address space to receive consent from all impacted parties, and (2) detect when misbehaving authorities fail to obtain that consent. We present a security analysis of our architecture, and estimate its overhead using data-driven analysis.
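To make concrete what "a change to the RPKI that can potentially take down an IP prefix" means, the following Python example performs RFC 6811 route origin validation against a set of ROAs and then diffs two RPKI snapshots, flagging every announced route whose state degrades from Valid (to Invalid or NotFound) after the change. This is an added illustration, not the paper's detection tooling; the ROA and route data are constructed (documentation prefixes and private-use ASNs), and the snapshot format is a simplification of the signed objects a real relying party would fetch.

```python
"""RFC 6811 route origin validation plus a snapshot diff that flags RPKI
changes which could take down a prefix.  Added illustration; not the
paper's tooling.  All ROA/route data below is constructed, not measured."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # address block named in the ROA, e.g. "192.0.2.0/24"
    max_length: int   # longest announcement length the ROA authorizes
    asn: int          # origin AS authorized by the ROA


@dataclass(frozen=True)
class Route:
    prefix: str       # announced prefix as seen in BGP
    origin_asn: int   # AS at the end of the AS_PATH


def covers(roa: ROA, route: Route) -> bool:
    """A ROA covers a route when the announced prefix equals or is more
    specific than the ROA prefix, regardless of maxLength or ASN."""
    r = ipaddress.ip_network(route.prefix)
    p = ipaddress.ip_network(roa.prefix)
    return r.version == p.version and r.subnet_of(p)


def matches(roa: ROA, route: Route) -> bool:
    """A covering ROA whose ASN matches and whose maxLength is respected."""
    return (covers(roa, route)
            and roa.asn == route.origin_asn
            and ipaddress.ip_network(route.prefix).prefixlen <= roa.max_length)


def validate(route: Route, roas) -> str:
    """RFC 6811 states: Valid if some ROA matches; Invalid if ROAs cover the
    prefix but none matches; NotFound if no ROA covers the prefix at all."""
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"
    return "Valid" if any(matches(r, route) for r in covering) else "Invalid"


def takedown_candidates(routes, old_roas, new_roas):
    """Routes whose validation state degrades from Valid when the RPKI moves
    from old_roas to new_roas.  These are exactly the changes a consent
    requirement would gate: a revoked ROA (Valid -> NotFound) or a ROA
    reissued to a different AS (Valid -> Invalid)."""
    flagged = []
    for rt in routes:
        before, after = validate(rt, old_roas), validate(rt, new_roas)
        if before == "Valid" and after != "Valid":
            flagged.append((rt, before, after))
    return flagged


# Constructed snapshot "before": three ROAs from three different holders.
OLD_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64498),
]
# Constructed snapshot "after": the first ROA is revoked outright, the
# second is reissued naming a different AS, the third is unchanged.
NEW_ROAS = [
    ROA("198.51.100.0/22", 24, 64499),
    ROA("2001:db8::/32", 48, 64498),
]
# Constructed BGP announcements observed at a validating router.
ROUTES = [
    Route("192.0.2.0/24", 64496),       # Valid  -> NotFound (revocation)
    Route("198.51.100.0/24", 64497),    # Valid  -> Invalid  (reissue to other AS)
    Route("198.51.100.0/25", 64497),    # Invalid in both (exceeds maxLength 24)
    Route("2001:db8:1::/48", 64498),    # Valid in both
    Route("203.0.113.0/24", 64500),     # NotFound in both (no covering ROA)
]

if __name__ == "__main__":
    for rt, before, after in takedown_candidates(ROUTES, OLD_ROAS, NEW_ROAS):
        print(f"{rt.prefix} AS{rt.origin_asn}: {before} -> {after}")
```

Only the first two routes are reported. The third route was already Invalid before the change, so the new snapshot does not take it down, and a tool that alerted on every Invalid route would bury the revocations of interest in pre-existing misconfigurations; diffing validation state between snapshots is what isolates the events that warrant consent from the prefix holder.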
