The ByzRP Solution: A Global Operational Shield for RPKI Validators
The Border Gateway Protocol (BGP) is the core routing protocol on the Internet, but it lacks security mechanisms. At the same time, the democratization of access has transformed the Internet into the default platform where global services and communications happen. As a result, routing security quickly became an issue of great economic and national security concern. The US Federal Communications Commission and the White House Office of the National Cyber Director formally recognized the urgent need to invest more in protecting Internet routing and to standardize efficient security protocols.
The Resource Public Key Infrastructure (RPKI) protocol is rapidly becoming the global standard for enforcing Internet routing security for BGP. It currently covers over 50% of IPv4 and IPv6 prefixes and has been deployed by at least 27% of networks in the world, including major Tier-1 providers. However, RPKI is not secure by design. Research on its robustness and security properties has shown that, despite its minimal public-facing interfaces, RPKI suffers from widespread crash-inducing vulnerabilities and exploitable protocol loopholes. Attacks on RPKI have been well documented over the years, including in previous Black Hat talks. Now that RPKI is poised to go global, with the potential of being included in strict security regulations, it is time to reconsider the current vulnerable deployments and improve their robustness.
In this work, we introduce Byzantine RPKI (ByzRP), a secure, robust, and distributed intermediate RPKI service that provides a stable output for all RPKI clients worldwide, while being able to completely bypass stalling and denial-of-service attacks on the RPKI infrastructure, with no downtime or service failure. We also offer a secure live ByzRP deployment for all interested parties worldwide to test and eventually incorporate into their networks.
By:
Donika Mirdita | Security Researcher, Technical University Darmstadt | ATHENE
Jens Frieß | Security Researcher, Technical University Darmstadt | ATHENE
Haya Schulmann | Professor, Goethe University Frankfurt | ATHENE
Michael Waidner | Professor, Technical University Darmstadt | ATHENE | Fraunhofer SIT
Full Abstract and Presentation Materials Available:
https://www.blackhat.com/asia-25/briefings/schedule/#the-byzrp-solution-a-global-operational-shield-for-rpki-validators-44176