Resource Public Key Infrastructure (RPKI) is not yet the simple fix for the security weaknesses of the internet’s Border Gateway Protocol (BGP) many in the communications industry think it is, a team of German researchers has warned.
In a newly published paper, RPKI: Not Perfect But Good Enough, Haya Shulman and Niklas Vogel from Germany’s ATHENE National Research Center for Applied Cybersecurity & Goethe-Universität Frankfurt, and Michael Waidner from ATHENE and Technische Universität Darmstadt, outline a daunting range of RPKI issues that still need to be addressed for it to fulfil its promise.
The paper puts a dampener on the optimism of the US White House Office of the National Cyber Director (ONCD), which last month published a roadmap asking US ISPs to hurry up with implementing RPKI to fix the widely acknowledged insecurity of BGP.
Attack surface
The underlying problem with the BGP protocol upon which internet routing today depends is that it was designed without what the authors describe as “cryptographic authentication of announcements.”
To put it bluntly, service providers can, intentionally or through accidental misconfiguration, introduce false or misleading routes that hijack or redirect traffic, or spoof legitimate routes.
It’s been a recurring theme in recent times, with multiple BGP routing incidents reported, including more than one in 2018 involving China Telecom. That’s when the US government sat up and became interested in BGP, which had previously been an aspect of the internet that only engineers angsted about.
Under BGP, there is no way to authenticate routing changes. The arrival of RPKI just over a decade ago was intended to fix that, using a signed digital record called a Route Origin Authorization (ROA) that identifies which network (autonomous system) is authorized to originate routes for specific blocks of IP addresses.
Route origin validation (ROV) is the process a router undergoes to check that an advertised route is authorized by a matching ROA. In principle, this makes it impossible for a rogue router to maliciously claim a route it does not have any right to. RPKI is the public key infrastructure that glues this all together, security-wise.
The catch is that, for this system to work, RPKI needs a lot more ISPs to adopt it, something which until recently has happened only very slowly.
Nevertheless, while the researchers note progress, they argue there are even deeper problems. Many of the problems are the same as with any software.
“We find that current RPKI implementations still lack production-grade resilience and are plagued by software vulnerabilities, inconsistent specifications, and operational challenges, raising significant security concerns,” wrote the authors in their introduction.
So RPKI needs a process for dealing with vulnerabilities. It needs tools to fix those vulnerabilities, and it needs a way of ensuring no malicious code ends up finding its way into the development supply chain.
Meanwhile, ISPs deploying the technology lack the automated tools necessary to patch vulnerabilities as they arise, said the authors. This lack of automation also forces ISPs to fall back on manual processes, which lead to misconfiguration errors and slow connections.
“The deployments lack experience with full-fledged strict RPKI-validation in production environments and operate in fail-open test mode,” the authors said.
Because “fail-open” mode propagates invalid routes even though they fail RPKI, it’s like learning to ride a bicycle with training wheels but still falling off.
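To make the ROV check described above and the fail-open versus strict distinction concrete, here is an added illustration in Python (not code from the paper, nor from any RPKI validator or router vendor). It implements the RFC 6811 origin-validation rules over a ROA table and then applies either policy to a handful of announcements. Every prefix and AS number below is a constructed sample value drawn from documentation ranges and private-use ASNs, not real routing data; the function and class names are my own.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set, followed by the
fail-open versus strict policy decision.

Added illustration only; not code from the paper or from any RPKI implementation.
All ROAs, prefixes and ASNs are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class RovState(Enum):
    VALID = "valid"          # a covering ROA authorizes this origin and length
    INVALID = "invalid"      # covering ROAs exist, but none authorizes it
    NOT_FOUND = "not-found"  # no ROA covers the prefix at all


@dataclass(frozen=True)
class Roa:
    prefix: IPNetwork
    max_length: int   # longest prefix the origin may announce inside `prefix`
    origin_asn: int   # AS 0 means "nobody may originate this prefix"


def make_roa(prefix: str, origin_asn: int, max_length: Optional[int] = None) -> Roa:
    """Build a ROA; maxLength defaults to the prefix length, as in RFC 6482."""
    net = ipaddress.ip_network(prefix, strict=True)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"bad maxLength {max_length} for {net}")
    return Roa(net, max_length, origin_asn)


def route_origin_validation(roas, prefix: str, origin_asn: int) -> RovState:
    """Classify one announcement (prefix, origin AS) per RFC 6811 section 2."""
    announced = ipaddress.ip_network(prefix, strict=True)
    # A ROA "covers" the announcement when the announced prefix lies inside it.
    covering = [
        r for r in roas
        if r.prefix.version == announced.version and announced.subnet_of(r.prefix)
    ]
    if not covering:
        return RovState.NOT_FOUND
    for roa in covering:
        # A match needs the same origin AS *and* a length within maxLength.
        # An AS 0 ROA can never match, so it makes every announcement invalid.
        if roa.origin_asn == origin_asn and announced.prefixlen <= roa.max_length:
            return RovState.VALID
    return RovState.INVALID


def accept_route(state: RovState, strict: bool) -> bool:
    """Policy step: strict mode drops INVALID routes; fail-open mode keeps them.

    NOT_FOUND is accepted in both modes because most address space still has
    no ROA; only INVALID routes are affected by the choice of mode.
    """
    if state is RovState.INVALID:
        return not strict
    return True


# Constructed ROA table (documentation prefixes, private-use ASNs).
ROAS = [
    make_roa("203.0.113.0/24", 64500),                  # exact /24 only
    make_roa("198.51.100.0/22", 64501, max_length=24),  # /22 down to /24 allowed
    make_roa("2001:db8::/32", 64502, max_length=48),
    make_roa("192.0.2.0/24", 0),                        # AS 0: must not be routed
]

# Constructed announcements as (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # legitimate origin
    ("203.0.113.0/24", 64999),   # wrong origin: the classic origin hijack
    ("203.0.113.0/25", 64500),   # right origin, but more specific than maxLength
    ("198.51.100.0/24", 64501),  # within maxLength
    ("2001:db8:1::/48", 64502),
    ("2001:db8:1::/64", 64502),  # exceeds maxLength 48
    ("192.0.2.0/24", 64500),     # covered only by an AS 0 ROA
    ("100.64.0.0/10", 64500),    # no ROA at all
]


def evaluate(roas, announcements, strict: bool):
    """Return {(prefix, asn): (state, accepted)} for every announcement."""
    results = {}
    for prefix, asn in announcements:
        state = route_origin_validation(roas, prefix, asn)
        results[(prefix, asn)] = (state, accept_route(state, strict))
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print(f"--- strict={mode} ---")
        for (prefix, asn), (state, ok) in evaluate(ROAS, ANNOUNCEMENTS, mode).items():
            print(f"{prefix:<18} AS{asn:<6} {state.value:<10} {'accept' if ok else 'drop'}")
```

Running it with strict=False shows every announcement accepted, including the origin hijack and the too-specific /25, which is exactly the “training wheels” situation the authors describe: the router computes the right verdict but acts on none of it. With strict=True the four INVALID announcements are dropped while the NOT_FOUND one is still accepted, which is why broad ROA coverage matters as much as turning strict validation on.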
And then there’s the not inconsiderable risk that malicious actors might look to place backdoors in RPKI software.
“Since all popular RPKI software implementations are open source and accept code contributions by the community, the threat of intentional backdoors is substantial in the context of RPKI,” they explained.
A software supply chain that creates such vital software enabling internet routing should be subject to a greater degree of testing and validation, they argue.
Just good enough
The authors don’t offer simple solutions to RPKI’s current shortcomings, admitting, “demanding full maturity before large-scale deployment is a very academic expectation; in real life, there is nothing like full maturity and perfection, only more or less good enough.”
What they seem to be saying is that RPKI’s importance for the internet deserves more attention than the average security project. It needs better automation tools to aid management and patching, and more focus on assurance in its software supply chain.
Most of all, with the White House roadmap having reset people’s expectations, it needs this attention now. So far, RPKI has trundled along quite happily. However, the involvement of governments, which will only increase given internet routing’s huge relevance for digital security, marks the beginning of a phase demanding better implementation.
Source: Network World