The Border Gateway Protocol (BGP) is responsible for managing how packets are routed across the Internet by exchanging routing related messages (path announcements) between routers. While the Border Gateway Protocol plays a critical role in the Internet communications, it remains highly vulnerable to many attacks. This is because the protocol was originally designed for each BGP router to trust all protocol related messages, especially path announcements, sent by its neighboring routers. As a result, incorrect and malicious path information would be accepted by routers at face value, potentially leading to destination unreachable problems in the Internet. To address this issue, Resource Public Key Infrastructure (RPKI) was introduced in 2012 to allow routers to verify path announcements in the Border Gateway Protocol. However, today there is a dearth of information available about the vulnerability of the RPKI, and how routers in the Internet have actually deployed and managed it. This project will develop techniques to better understand and improve the management of RPKI, helping to better secure the Internet. Given the early stage of the RPKI protocol, the findings in this project stand a good chance of being integrated to improve the state of the system. The project would train students in related research. The findings of the project would identify what the current security problems of RPKI are and help spur a greater adoption of RPKI by releasing the codes, datasets and analysis tools developed in the project and presenting the research outcomes to other researchers, administrators, and Internet operations related working groups. This project has two research foci, each examining the management and improving security challenges of the Resource Public Key Infrastructure. First, the project will analyze existing RPKI repositories from multiple vantage points in an effort to understand how much of actual Border Gateway Protocol feeds in the Internet are verifiable. It will also determine what fraction of routers are actually using RPKI to validate paths. For this focus, the investigators will collaborate with one of the biggest network operators that have the most-peered global networks in existence. Second, the project will develop new techniques to detect misconfigurations of routers and potential security vulnerabilities. For this purpose, the project will host a custom RPKI repository that have multiple invalid routes, which will be used to test RPKI validators or routers.
CRII: SaTC: Measuring and Improving the Management of Resource Public Key Infrastructure (RPKI)