Yunhao Liu (Tsinghua University & Zhongguancun Laboratory), Jessie Hui Wang (Tsinghua University & Zhongguancun Laboratory), Yuedong Xu (Fudan University), Zongpeng Li (Tsinghua University), Yangyang Wang (Tsinghua University & Zhongguancun Laboratory), Jilong Wang (Tsinghua University & Zhongguancun Laboratory)

The effectiveness of the RPKI in preventing BGP prefix hijacking relies not only on the presence of valid ROAs but also on the successful retrieval of ROAs from publication points (PPs) by relying parties (RPs). Guaranteeing the integrity of data and uninterrupted connectivity during this retrieval process necessitates the proper implementation of security measures in the underlying infrastructure, i.e., the DNS and routing infrastructures.

In this paper, we collect information on the specific DNS and routing infrastructures used during the information retrieval process and analyze the infrastructure threats to the reachability of RPKI PPs. Regarding the DNS infrastructure, we report that 31 PPs (48.4%) are susceptible to DNS spoofing attacks and pinpoint the reasons for the appearance of DNSSEC-unprotected zones, such as CNAME redirections to unprotected zones and NS delegations to third-party insecure DNS servers. Regarding the routing infrastructure for communicating with nameservers, our analysis shows that a significant 55 PPs (85.9%) have at least one ROA-unprotected nameserver on their resolution paths, and highlights that the absence of ROA registration for gTLD nameservers accounts for vulnerabilities in 44 of these 55 PPs. Regarding the routing infrastructure for RP-PP communications, we report that 5 PPs fail to register ROAs for the IP addresses of their PP servers. Simulations of routing hijack attacks show that, in the case of the most vulnerable PP, up to 65% to 83% of ASes may experience a loss of connectivity to the PP.
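As an added illustration that is not code from the paper, the three threat classes described above can be modelled offline: DNSSEC status of every zone on a PP hostname's resolution path, RFC 6811 origin validation of each nameserver's prefix, and origin validation of the PP server's own prefix. All zone names, prefixes, ASNs and ROAs below are constructed (documentation ranges and private ASNs), and the audit function is a simplification of the paper's methodology, not its tooling.

```python
import ipaddress

def rov_state(prefix, origin_asn, roas):
    """RFC 6811 origin validation of (prefix, origin AS) against ROA tuples
    (roa_prefix, max_length, asn): 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "not-found"
    if any(asn == origin_asn and net.prefixlen <= max_len for max_len, asn in covering):
        return "valid"
    return "invalid"  # covered, but wrong origin AS or more specific than maxLength

def audit_pp(zones, pp_route, roas):
    """zones: (name, dnssec_signed, how, ns_prefix, ns_origin_asn) for every
    zone on the PP hostname's resolution path; pp_route: (prefix, origin_asn)
    of the PP server itself. Returns the weaknesses found on the path."""
    findings = []
    for name, signed, how, ns_prefix, ns_asn in zones:
        if not signed:
            findings.append(f"DNSSEC-unprotected zone {name} reached via {how}")
        state = rov_state(ns_prefix, ns_asn, roas)
        if state != "valid":
            findings.append(f"nameserver of {name}: ROA {state} for {ns_prefix}")
    state = rov_state(*pp_route, roas)
    if state != "valid":
        findings.append(f"PP server prefix {pp_route[0]}: ROA {state}")
    return findings

# Constructed sample using documentation prefixes and private ASNs only.
SAMPLE_ROAS = [("2001:db8:1::/48", 48, 64499), ("2001:db8:2::/48", 48, 64501),
               ("192.0.2.0/24", 24, 64502), ("203.0.113.0/24", 24, 64501)]
SAMPLE_ZONES = [
    (".", True, "NS delegation", "2001:db8:1::/48", 64499),
    ("tld.", True, "NS delegation", "198.51.100.0/24", 64500),  # gTLD without ROA
    ("rpki-pp.tld.", True, "NS delegation", "2001:db8:2::/48", 64501),
    ("cdn-alias.tld.", False, "CNAME redirection", "192.0.2.0/25", 64502),  # /25 > maxLength
]
SAMPLE_PP = ("203.0.113.0/24", 64501)

def audit_sample():
    return audit_pp(SAMPLE_ZONES, SAMPLE_PP, SAMPLE_ROAS)
```

Running `audit_sample()` on the constructed path reports the unregistered gTLD nameserver prefix, the unsigned zone reached through a CNAME, and a nameserver announcement that is more specific than its ROA's maxLength, while the PP server prefix itself validates.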

Furthermore, we investigate the deterministic and probabilistic dependencies among publication points and uncover a critical issue: some RIR-operated PPs rely on less secure lower-level PPs, which can significantly amplify the impact of vulnerabilities within insecure PPs, potentially leading to cascading failures.
