The Fix For BGP's Weaknesses Has Big, Scary, Issues Of Its Own, Boffins Find
The Resource Public Key Infrastructure (RPKI) protocol has "software vulnerabilities, inconsistent specifications, and operational challenges" according to a pre-press paper from a trio of German researchers.
RPKI was designed to fix problems caused by the fact that Border Gateway Protocol (BGP) – the protocol that manages the routes traffic can traverse across the internet – was not secure by design. The newer protocol theoretically fixes that by adding Route Origin Validation (ROV) and Route Origin Authorization (ROA) – techniques that let network operators verify that advertised routes are authentic and represent accurate BGP announcements.
In early September, the White House made RPKI part of its Roadmap to Enhancing Internet Routing Security – an initiative US national cyber director Harry Coker, Jr, said would "mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans."
And the rest of us, too, given that one impact of an attack on BGP could be to re-route traffic away from a website's actual address to another that hosts malware.
But according to a pre-press paper [PDF] by Haya Schulmann and Niklas Vogel of Germany's National Research Center for Applied Cybersecurity and Goethe-Universität Frankfurt, and Michael Waidner from the Center and TU Darmstadt, RPKI is far from perfect.
Schulmann and Vogel summarized the paper in a post on the Asia Pacific Network Information Center's blog:
The trio are optimistic that the many packages comprising RPKI will be improved. But for now they worry it is "attractive for attackers, with the relative abundance of vulnerabilities that have potentially devastating consequences for RPKI validation and might even open a backdoor into the local network running the vulnerable software component."
That's not just a theory. The paper outlines a Remote Code Execution attack the authors discovered during their research.
They also fear supply chain attacks that embed backdoors in open source RPKI components.
- Mind your MANRS: Internet Society names and shames network operators that bungle their routing security
- FCC takes some action against notorious BGP
- That thing to help protect internet traffic from hijacking? Here's how to break it
- Networking boffins detect wide abuse of IPv4 addresses bought on secondary market
One saving grace is that the researchers found many operators struggle to keep their RPKI code patched, as it lacks automated means to do so – so a supply chain attack might take a while to have any effect. Of course, slow patching also means some users may not have patched dangerous flaws: the trio reckon 41.2 percent of those who use RPKI "are vulnerable to at least one long-disclosed attack."
But they also worry that RPKI may not scale well, and that lack of automation tools means misconfigurations are possible. If that happens, the benefits of the protocol – making verifiable info about routes available – will be hard to realize.
The paper assesses RPKI as "far from being fully mature" and the authors therefore ask "Did the White House push for the adoption of an immature technology, potentially doing more harm than good?"
Their answer is probably not, because all internet technologies were deployed before being perfected – even BGP – but were battle-tested and improved over time.
The authors therefore suggest using their paper as a To-Do list for those who work on RPKI.
"The roadmap of the White House is a huge leap for RPKI, and therefore also for internet routing, to truly mature and meet the expectations of security, reliability, and scalability for production-level deployments across the global internet," the authors conclude. ®
From Chip War To Cloud War: The Next Frontier In Global Tech Competition
The global chip war, characterized by intense competition among nations and corporations for supremacy in semiconductor ... Read more
The High Stakes Of Tech Regulation: Security Risks And Market Dynamics
The influence of tech giants in the global economy continues to grow, raising crucial questions about how to balance sec... Read more
The Tyranny Of Instagram Interiors: Why It's Time To Break Free From Algorithm-Driven Aesthetics
Instagram has become a dominant force in shaping interior design trends, offering a seemingly endless stream of inspirat... Read more
The Data Crunch In AI: Strategies For Sustainability
Exploring solutions to the imminent exhaustion of internet data for AI training.As the artificial intelligence (AI) indu... Read more
Google Abandons Four-Year Effort To Remove Cookies From Chrome Browser
After four years of dedicated effort, Google has decided to abandon its plan to remove third-party cookies from its Chro... Read more
LinkedIn Embraces AI And Gamification To Drive User Engagement And Revenue
In an effort to tackle slowing revenue growth and enhance user engagement, LinkedIn is turning to artificial intelligenc... Read more