Secure and Scalable Deployment of Resource Public Key Infrastructure (RPKI)

1 China Internet Network Information Center, Beijing, 100190, P. R. China, {yan, gengguanggang}@cnnic.cn
2 Waseda University, Tokyo, 169-8555, Japan, nakazato@waseda.jp
3 University of Malaysia Sabah, Sabah, 88400, Malaysia, yjpark@ums.edu.my

Abstract

The Border Gateway Protocol (BGP) is considered vulnerable to several typical security risks because it lacks a scheme to verify received BGP messages. To address BGP security issues, the Internet Engineering Task Force (IETF) proposed RPKI to verify the route origination contained in the BGP message. Currently, the standardization of the basic RPKI protocol has been finished. Some organizations have deployed RPKI services and others are in the process of doing so. However, RPKI faces additional threats during actual deployment, especially the malfunctioning of the Certification Authority (CA) when it issues certificates bound to resources. We analyze the threats to RPKI from the perspective of its large-scale deployment and then focus on CA operation with empirical tests. We propose a comprehensive CA-Safeguard scheme to support the secure and scalable deployment of RPKI in the near future [1].

Keywords: BGP, RPKI, BGPsec, Route origination, CA-Safeguard

+ Corresponding author: Guanggang Geng, Tel: +86-18901099861

[1] This paper is an extension of: Liu, X., Yan, Z., Geng, G., Lee, X., Tseng, S.-S. and Ku, C.-H. RPKI Deployment: Risks and Alternative Solutions. In the Ninth International Conference on Genetic and Evolutionary Computing (ICGEC'15). Yangon, Myanmar. August 26-28, 2015.

Journal of Internet Services and Information Security (JISIS), 8(1): 31-45, February 2018
DOI: 10.22667/JISIS.2018.02.28.031