IPv6 RPKI Implementation Validator: A Security Utility for BGP Administrators
Michael Ham Dakota State University
Kyle Cronin Dakota State University
Tom Halverson Dakota State University
Abstract
The Border Gateway Protocol (BGP) plays a critical role in the Internet’s sustained communications. The last major update to the protocol occurred in 2006, creating BGP-4. Several vulnerabilities still exist from shortcomings in the overall protocol design. One potential result of such oversights is a sub-prefix hijacking attack, in which an Autonomous System (AS) falsely claims a portion of another AS’s public network space.
The flaws in BGP affect both the IPv4 and IPv6 address spaces. With the exhaustion of available public IPv4 addresses and the growing adoption of IPv6 addresses, BGP security solutions need to be examined in the context of IPv6.
Security solutions exist that attempt to address weaknesses of the BGP protocol. One of the most prominent solutions, Resource Public Key Infrastructure (RPKI), was developed by the IETF in 2008. Since RPKI’s standardization, adoption has been slow but is growing. However, certain implementation strategies of RPKI leave AS owners open to BGP attacks, including forged-origin sub-prefix hijack attacks. Flaws in RPKI deployment that lead to BGP attacks can include using loose Route Origin Authorizations (ROAs), advertising network prefix lengths that violate the BGP protocol specification, and specifying incorrect ROAs with erroneous validity times.
While adoption of RPKI is slowly gaining traction as a mechanism to validate route origins, system administrators are hesitant to adopt the technology for a variety of reasons. Concerns with the RPKI technology include the complexity of the protocol, limited adoption among the greater Internet community, and technical/financial costs associated with deployment. These perceived barriers result in autonomous system operators either not implementing RPKI or doing so without using best practices as specified in the protocol design.
Our preliminary data analysis shows that approximately 113 of the 21,853 ASes (0.52%) originating IPv6 prefixes are signing their prefixes with RPKI. The IPv6 prefixes advertised with RPKI attributes account for 1,022 unique network advertisements. Among the 1,022 ROAs studied, 243 (23.78%) allow for loose originations. Furthermore, 122 (11.94%) ROAs advertise prefix lengths that do not follow the BGP protocol specification. The cross-sectional data analysis did not reveal any ROAs with incorrect validity times. These numbers highlight focus areas in RPKI implementations that may lead to BGP hijacking attacks.
Our research will result in an easy-to-use utility for network administrators to accomplish two primary tasks: 1. verifying already deployed RPKI ROAs; 2. generating proper ROAs for use in RPKI to minimize potential vulnerabilities. This utility can also be used in an educational setting to help students better understand optimal implementation strategies. Ultimately, this artifact should help reduce barriers to widespread RPKI adoption in IPv6 networks.
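The loose-ROA check described in the abstract can be sketched as follows. This is an added example, not the authors' utility: it assumes "loose" means a ROA whose maxLength authorizes more-specific prefixes that the AS does not announce, and the function names, the documentation prefix 2001:db8::/32 and AS 64496 are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: ipaddress.IPv6Network
    max_length: int
    asn: int

def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    net = ipaddress.IPv6Network(prefix)
    if not net.prefixlen <= max_length <= 128:
        raise ValueError("maxLength must lie between the prefix length and 128")
    return ROA(net, max_length, asn)

def origin_validation(prefix: str, origin_asn: int, roas) -> str:
    """Route origin validation in the style of RFC 6811."""
    route = ipaddress.IPv6Network(prefix)
    covered = False
    for roa in roas:
        if route.subnet_of(roa.prefix):
            covered = True
            if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
                return "valid"
    return "invalid" if covered else "not-found"

def unannounced_authorized(roa: ROA, announcements) -> int:
    """Number of prefixes the ROA authorizes that its AS does not announce."""
    # Prefixes of length plen..max_length under the ROA prefix: 2^(n+1) - 1.
    authorized = 2 ** (roa.max_length - roa.prefix.prefixlen + 1) - 1
    announced = {net for net, asn in announcements
                 if asn == roa.asn and net.subnet_of(roa.prefix)
                 and net.prefixlen <= roa.max_length}
    return authorized - len(announced)

def is_loose(roa: ROA, announcements) -> bool:
    return unannounced_authorized(roa, announcements) > 0

# Constructed sample data: documentation prefix (RFC 3849) and ASN (RFC 5398).
ANNOUNCED = {(ipaddress.IPv6Network("2001:db8::/32"), 64496)}
LOOSE = make_roa("2001:db8::/32", 48, 64496)
MINIMAL = make_roa("2001:db8::/32", 32, 64496)
# A more-specific route carrying the authorized origin AS, never sent by that AS.
UNEXPECTED = ("2001:db8:1::/48", 64496)

if __name__ == "__main__":
    for name, roa in (("loose", LOOSE), ("minimal", MINIMAL)):
        print(name, "loose?", is_loose(roa, ANNOUNCED),
              "| unannounced:", unannounced_authorized(roa, ANNOUNCED),
              "| unexpected /48:", origin_validation(*UNEXPECTED, [roa]))
```

Under the loose ROA the unannounced /48 validates as "valid" because origin validation sees only the origin AS and the prefix length; under the minimal ROA the same route is "invalid".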