Yunhao Liu (Tsinghua University & Zhongguancun Laboratory), Jessie Hui Wang (Tsinghua University & Zhongguancun Laboratory), Yuedong Xu (Fudan University), Zongpeng Li (Tsinghua University), Yangyang Wang (Tsinghua University & Zhongguancun Laboratory), Jilong Wang (Tsinghua University & Zhongguancun Laboratory)

The effectiveness of the RPKI in preventing BGP prefix hijacking relies not only on the presence of valid ROAs but also on the successful retrieval of ROAs from publication points (PPs) by relying parties (RPs). Guaranteeing data integrity and uninterrupted connectivity during this retrieval requires that the underlying infrastructure, i.e., the DNS and routing infrastructures, properly implement the relevant security measures.

In this paper, we collect information on the specific DNS and routing infrastructures used during the retrieval process and analyze the infrastructure threats to the reachability of RPKI PPs. Regarding the DNS infrastructure, we report that 31 PPs (48.4%) are susceptible to DNS spoofing attacks and pinpoint the reasons for the appearance of DNSSEC-unprotected zones, such as CNAME redirections to unprotected zones and NS delegations to third-party insecure DNS servers. Regarding the routing infrastructure for communicating with nameservers, our analysis shows that 55 PPs (85.9%) have at least one ROA-unprotected nameserver on their resolution paths, and that the absence of ROA registration for gTLD nameservers accounts for the vulnerability of 44 of these 55 PPs. Regarding the routing infrastructure for RP-PP communication, we report that 5 PPs fail to register ROAs for the IP addresses of their PP servers. Simulations of routing hijacks show that, for the most vulnerable PP, 65% to 83% of ASes may lose connectivity to it.
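The three checks described above (unsigned zones on the resolution path, ROA coverage of every nameserver on that path, and ROA coverage of the PP server's own address) can be reduced to a small audit over a model of the resolution path. The following is an added example, not the paper's measurement code, and every zone, nameserver, address, CNAME and ROA in it is constructed (RFC 5737 documentation prefixes, reserved example.* names, private-use ASNs). It also includes a plain RFC 6811 route origin validation routine so the "ROA-unprotected" notion can be related to the valid/invalid/not-found states an RP would actually compute. One simplification is labelled in the code: nameserver hostnames are not themselves resolved recursively, so the dependency chain the paper measures is only approximated.

```python
"""Toy audit of what a relying party depends on to reach an RPKI publication
point (PP).  Added example, not the paper's code; all data is constructed.
Simplification: nameserver hostnames are not resolved recursively, so
glue-less delegations are not followed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_asn: int


def roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, origin_asn)


def rov_state(roas, announced: str, origin_asn: int) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not_found'."""
    ann = ipaddress.ip_network(announced)
    covering = [r for r in roas
                if r.prefix.version == ann.version and ann.subnet_of(r.prefix)]
    if not covering:
        return "not_found"
    if any(r.origin_asn == origin_asn and ann.prefixlen <= r.max_length
           for r in covering):
        return "valid"
    return "invalid"


def roa_covered(roas, ip: str) -> bool:
    """True if some ROA covers the address, i.e. a hijack of its prefix can be
    rejected by ROV; False means the address is ROA-unprotected."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == r.prefix.version and addr in r.prefix for r in roas)


@dataclass(frozen=True)
class Zone:
    name: str           # fully qualified with trailing dot, e.g. "example.net."
    dnssec: bool        # signed, with an unbroken chain of trust from the root
    nameservers: tuple  # ((nameserver hostname, nameserver IP), ...)


def ancestor_zones(name: str, zones) -> list[Zone]:
    """Zones a resolver queries to resolve `name`: root, TLD, ..., the closest
    enclosing zone present in `zones`, in that order."""
    labels = name.rstrip(".").split(".")
    candidates = {"."} | {".".join(labels[i:]) + "." for i in range(len(labels))}
    by_name = {z.name: z for z in zones}
    return sorted((by_name[n] for n in candidates if n in by_name),
                  key=lambda z: len(z.name))


def resolution_path(hostname: str, cnames: dict, zones) -> list[tuple[str, Zone]]:
    """Follow CNAME redirections from `hostname`; every redirection pulls the
    target's whole zone chain onto the path."""
    path, name, seen = [], hostname, set()
    while True:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        path.extend((name, z) for z in ancestor_zones(name, zones))
        if name not in cnames:
            return path
        name = cnames[name]


def audit_pp(hostname: str, pp_ip: str, cnames: dict, zones, roas) -> dict:
    path = resolution_path(hostname, cnames, zones)
    unsigned = sorted({z.name for _, z in path if not z.dnssec})
    unprotected_ns = sorted({ns for _, z in path
                             for ns, ip in z.nameservers if not roa_covered(roas, ip)})
    return {
        "dns_spoofable": bool(unsigned),   # any unsigned zone on the path
        "unsigned_zones": unsigned,
        "roa_unprotected_nameservers": unprotected_ns,
        "pp_server_roa_covered": roa_covered(roas, pp_ip),
    }


# Constructed data: "net." is signed but its nameserver sits in address space
# with no ROA; "cdn.example.org." is an unsigned third-party zone reached
# through a CNAME redirection from the PP hostname.
ZONES = (
    Zone(".",                True,  (("a.root.example.",      "192.0.2.1"),)),
    Zone("net.",             True,  (("a.gtld.example.",      "192.0.2.200"),)),
    Zone("example.net.",     True,  (("ns1.example.net.",     "198.51.100.1"),)),
    Zone("org.",             True,  (("a.org.example.",       "192.0.2.3"),)),
    Zone("example.org.",     True,  (("ns1.example.org.",     "203.0.113.2"),)),
    Zone("cdn.example.org.", False, (("ns1.cdn.example.org.", "203.0.113.1"),)),
)
CNAMES = {"rpki.example.net.": "pp.cdn.example.org."}
ROAS = (
    roa("192.0.2.0/25",    25, 64500),  # covers .1 and .3, not .200
    roa("198.51.100.0/24", 24, 64501),
    roa("203.0.113.0/24",  24, 64502),
)

if __name__ == "__main__":
    for k, v in audit_pp("rpki.example.net.", "203.0.113.10", CNAMES, ZONES, ROAS).items():
        print(f"{k}: {v}")
```

Running it on the constructed data reports the PP as DNS-spoofable (because the CNAME target lives in the unsigned `cdn.example.org.` zone), lists `a.gtld.example.` as the ROA-unprotected nameserver (the gTLD case the paper highlights), and confirms the PP server address itself is ROA-covered. The `rov_state` routine shows why coverage alone is the right question for "ROA-unprotected": an announcement for an uncovered prefix is `not_found`, which ROV-enforcing routers accept, whereas a more specific hijack of a covered prefix exceeding the ROA's maxLength is `invalid`.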

Furthermore, we investigate the deterministic and probabilistic dependencies among publication points and uncover a critical issue: some RIR-operated PPs rely on less secure lower-level PPs, which can significantly amplify the impact of vulnerabilities within insecure PPs, potentially leading to cascading failures.
