The fix for BGP's weaknesses has big, scary, issues of its own, boffins find
Bother, given the White House has bet big on RPKI – just like we all rely on immature internet infrastructure that usually works
The Resource Public Key Infrastructure (RPKI) protocol has "software vulnerabilities, inconsistent specifications, and operational challenges" according to a pre-press paper from a trio of German researchers.
RPKI was designed to fix problems caused by the fact that Border Gateway Protocol (BGP) – the protocol that manages the routes traffic can traverse across the internet – was not secure by design. The newer protocol theoretically fixes that by adding Route Origin Validation (ROV) and Route Origin Authorization (ROA) – techniques that let network operators verify that advertised routes are authentic and represent accurate BGP announcements.
In early September, the White House made RPKI part of its Roadmap to Enhancing Internet Routing Security – an initiative US national cyber director Harry Coker, Jr, said would "mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans."
And the rest of us, too, given that one impact of an attack on BGP could be to re-route traffic away from a website's actual address to another that hosts malware.
But according to a pre-press paper [PDF] by Haya Schulmann and Niklas Vogel of Germany's National Research Center for Applied Cybersecurity and Goethe-Universität Frankfurt, and Michael Waidner from the Center and TU Darmstadt, RPKI is far from perfect.
Schulmann and Vogel summarized the paper in a post on the Asia Pacific Network Information Center's blog:
The RPKI specifications, RPKI software packages, and RPKI repository implementations are still not sufficiently stable and contain critical vulnerabilities. Overall, at least 53 vulnerabilities in RPKI software packages were disclosed, including persistent DoS, authentication bypass, cache poisoning, and remote-code-execution. While the large majority of these vulnerabilities were swiftly fixed, they still raise the question of the resilience of implementations and the potential existence of other zero days.
The trio are optimistic that the many packages comprising RPKI will be improved. But for now they worry it is "attractive for attackers, with the relative abundance of vulnerabilities that have potentially devastating consequences for RPKI validation and might even open a backdoor into the local network running the vulnerable software component."
That's not just a theory. The paper outlines a Remote Code Execution attack the authors discovered during their research.
They also fear supply chain attacks that embed backdoors in open source RPKI components.
- Mind your MANRS: Internet Society names and shames network operators that bungle their routing security
- FCC takes some action against notorious BGP
- That thing to help protect internet traffic from hijacking? Here's how to break it
- Networking boffins detect wide abuse of IPv4 addresses bought on secondary market
One saving grace is that the researchers found many operators struggle to keep their RPKI code patched, as it lacks automated means to do so – so a supply chain attack might take a while to have any effect. Of course, slow patching also means some users may not have patched dangerous flaws: the trio reckon 41.2 percent of those who use RPKI "are vulnerable to at least one long-disclosed attack."
But they also worry that RPKI may not scale well, and that lack of automation tools means misconfigurations are possible. If that happens, the benefits of the protocol – making verifiable info about routes available – will be hard to realize.
The paper assesses RPKI as "far from being fully mature" and the authors therefore ask "Did the White House push for the adoption of an immature technology, potentially doing more harm than good?"
Their answer is probably not, because all internet technologies were deployed before being perfected – even BGP – but were battle-tested and improved over time.
The authors therefore suggest using their paper as a To-Do list for those who work on RPKI.
"The roadmap of the White House is a huge leap for RPKI, and therefore also for internet routing, to truly mature and meet the expectations of security, reliability, and scalability for production-level deployments across the global internet," the authors conclude. ®