The Resource Public Key Infrastructure (RPKI) is not the straightforward solution for the security vulnerabilities of the internet’s Border Gateway Protocol (BGP) that many in the communications sector believe it to be, according to a team of researchers from Germany.
In a recently released paper, RPKI: Not Perfect But Good Enough, contributors Haya Schulmann and Niklas Vogel from Germany’s ATHENE National Research Center for Applied Cybersecurity and Goethe-Universität Frankfurt, along with Michael Waidner from ATHENE and Technische Universität Darmstadt, highlight a significant number of RPKI challenges that still need resolution for it to realize its full potential.
This paper casts a shadow over the optimism exhibited by the US White House Office of the National Cyber Director (ONCD), which recently released a roadmap urging US Internet Service Providers (ISPs) to expedite the adoption of RPKI to remedy the well-documented insufficiencies of BGP.
The core issue with the BGP protocol, which serves as the foundation for internet routing today, is that it was created without what the authors refer to as “cryptographic authentication of announcements.”
In clear terms, service providers have the potential to introduce misleading or incorrect routes that can hijack or reroute traffic, either intentionally or due to accidental misconfigurations.
This issue has become increasingly relevant in recent years, marked by several reported BGP routing incidents. One significant case was in 2018 involving China Telecom, which caught the attention of the US government. Previously, BGP was primarily a concern for engineers who understood its complexities.
BGP lacks a mechanism for authenticating routing announcements. The introduction of RPKI a little over a decade ago aimed to address this gap with a signed digital record known as a Route Origin Authorization (ROA), which attests that a particular network is authorized to originate routes for particular IP address prefixes.
Route origin validation (ROV) is the procedure a router follows to check that an advertised route is authorized by a matching ROA. Ideally, this would prevent an unauthorized network from successfully claiming a prefix it isn’t entitled to originate. The RPKI is the public key infrastructure that underpins these security measures.
For the system to function effectively, RPKI requires a much larger number of ISPs to embrace its framework, a process that has, until recently, progressed at a rather sluggish pace.
Nonetheless, while the researchers acknowledge some advancements, they point out that there are even more profound issues at play. Many of these challenges mirror those faced by software in general.
“Current RPKI implementations still lack the necessary resilience for production use and are burdened by software weaknesses, inconsistent specifications, and operational hurdles, raising significant security concerns,” the authors stated in their introduction.
Thus, RPKI must establish a methodology for addressing vulnerabilities. It also requires tools dedicated to remediating those weaknesses, along with a mechanism to prevent any malicious code from infiltrating the development supply chain.
At the same time, internet service providers (ISPs) implementing the technology are missing the automated tools needed to address vulnerabilities as they come up, according to the authors. This gap in automation forces ISPs to rely on manual methods, which lead to misconfigurations and, in turn, to mistakes and degraded connectivity.
“The implementations show a lack of expertise with comprehensive strict RPKI-validation in operational settings and are functioning in fail-open testing mode,” the authors reported.
In this “fail-open” mode, routes that ROV classifies as invalid are still accepted and propagated, so the check is performed but has no effect on routing, rather like learning to ride a bicycle with stabilizers fitted while still crashing.
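As an added illustration of the ROV procedure described above and of the fail-open behaviour the authors criticise (example code written for this article, not taken from the paper or from any RPKI implementation; the ROAs and announcements are constructed samples using documentation prefixes and private-use AS numbers):

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, longest allowed length, origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed sample ROAs (documentation prefixes, private-use AS numbers).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]


def rov_state(announced_prefix: str, origin_asn: int, roas) -> str:
    """Classify a BGP announcement as RFC 6811 does: valid, invalid or notfound."""
    ann = ip_network(announced_prefix)
    covering = [r for r in roas
                if ip_network(r.prefix).version == ann.version
                and ann.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "notfound"        # no ROA covers this prefix at all
    for roa in covering:
        if roa.origin_asn == origin_asn and ann.prefixlen <= roa.max_length:
            return "valid"       # authorized origin and not more specific than maxLength
    return "invalid"             # covered, but wrong origin or beyond maxLength


def accept_route(state: str, fail_open: bool) -> bool:
    """Routing policy: strict mode drops invalid routes; fail-open lets them through."""
    if state == "invalid":
        return fail_open
    return True                  # valid and notfound are accepted in both modes


def evaluate(announcements, roas, fail_open):
    """Return (prefix, origin, state, accepted) for each (prefix, origin) announcement."""
    out = []
    for prefix, origin in announcements:
        state = rov_state(prefix, origin, roas)
        out.append((prefix, origin, state, accept_route(state, fail_open)))
    return out


if __name__ == "__main__":
    # Constructed announcements: legitimate, wrong origin, too specific, uncovered.
    announcements = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                     ("192.0.2.128/25", 64496), ("198.51.100.0/24", 64496)]
    for mode in (True, False):
        print("fail-open" if mode else "strict")
        for row in evaluate(announcements, SAMPLE_ROAS, mode):
            print("  ", row)
```

In fail-open mode the wrong-origin and too-specific announcements are accepted despite being classified invalid; only strict mode actually drops them.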
Additionally, there is a significant concern that bad actors could attempt to introduce backdoors into RPKI software.
“Given that all major RPKI software versions are open source and welcome community code contributions, the risk of intentional backdoors is significant in the realm of RPKI,” they noted.
They argue that a software supply chain responsible for developing such critical software for internet routing ought to undergo more extensive testing and validation.
The authors do not provide straightforward solutions to the existing challenges faced by RPKI, acknowledging, “expecting complete maturity before large-scale implementation is a rather theoretical viewpoint; in reality, perfection and full maturity do not exist, only varying degrees of adequacy.”
What they appear to convey is that RPKI’s critical role in the internet requires more focus than typical security initiatives. It calls for improved automation tools to facilitate management and updates, along with increased emphasis on assurance in its software supply chain.
Above all, with the recent adjustments made by the White House, public expectations have been recalibrated, making this topic increasingly pertinent. Up to this point, RPKI has progressed steadily. However, as government engagement grows—driven by the significant implications of internet routing for digital security—we are entering a new phase that necessitates improved implementation.