Secure and Scalable Deployment of Resource Public Key Infrastructure (RPKI)

Zhiwei Yan1, Guanggang Geng1+, Hidenori Nakazato2, and Yong-Jin Park3
 

1China Internet Network Information Center, Beijing, 100190, P. R. China

{yan, gengguanggang}@cnnic.cn

2Waseda University, Tokyo, 169-8555, Japan

nakazato@waseda.jp

3University of Malaysia Sabah, Sabah, 88400, Malaysia

yjpark@ums.edu.my

 

Abstract

The Border Gateway Protocol (BGP) is considered vulnerable to some typical security risks because it lacks schemes to verify received BGP messages. To address BGP security issues, the Internet Engineering Task Force (IETF) proposed RPKI to verify the route origination contained in a BGP message. Currently, the standardization of the basic RPKI protocol has been finished. Some organizations have deployed RPKI services and others are in the process of doing so. However, RPKI faces additional threats during actual deployment, especially the malfunctioning of the Certification Authority (CA) when it issues certificates bound to the resources. We analyze the threats to RPKI from the perspective of its large-scale deployment and then focus on the CA operation with empirical tests. We propose a comprehensive CA-Safeguard scheme to support the secure and scalable deployment of RPKI in the near future1.

Keywords: BGP, RPKI, BGPsec, Route origination, CA-Safeguard

 

+: Corresponding author: Guanggang Geng

Tel: +86-18901099861

 

1: This paper is an extension of: Liu, X., Yan, Z., Geng, G., Lee, X., Tseng, S.-S. and Ku, C.-H. RPKI Deployment: Risks and Alternative Solutions. In the Ninth International Conference on Genetic and Evolutionary Computing (ICGEC’15), Yangon, Myanmar, August 26-28, 2015.

 

Journal of Internet Services and Information Security (JISIS), 8(1): 31-45, February 2018

DOI: 10.22667/JISIS.2018.02.28.031