BGP is a gaping security hole in today's Internet, as evidenced by numerous Internet outages and blackouts, repeated traffic hijacking, and surveillance incidents. Yet, despite Herculean efforts, ubiquitous deployment of the Resource Public Key Infrastructure (RPKI), designed to protect against prefix hijacking attacks, remains distant, due to RPKI's manual and error-prone certification process. We argue that deploying origin authentication at scale requires substituting the standard requirement of certifying legal ownership of IP address blocks with the goal of certifying de facto ownership. We show that settling for de facto ownership is sufficient for protecting against hazardous prefix hijacking and can be accomplished without requiring any changes to today's routing infrastructure. We present APKI, a readily deployable system that automatically certifies de facto ownership and generates the appropriate BGP-path-filtering rules at routers. We evaluate APKI's security and deployability via live experiments on the Internet using a prototype implementation of APKI and through simulations on empirically-derived datasets. To facilitate the reproducibility of our results, we open source our prototype, simulator, and measurement analysis code.
DISCO: Sidestepping RPKI's Deployment Barriers
Tomas Hlavacek (Fraunhofer SIT), Italo Cunha (Universidade Federal de Minas Gerais), Yossi Gilad (Hebrew University of Jerusalem), Amir Herzberg (University of Connecticut), Ethan Katz-Bassett (Columbia University), Michael Schapira (Hebrew University of Jerusalem), Haya Shulman (Fraunhofer SIT)
View More Papers
Packet-Level Signatures for Smart Home Devices
Rahmadi Trimananda (University of California, Irvine), Janus Varmarken (University of California, Irvine), Athina Markopoulou (University of California, Irvine), Brian Demsky...
Read MoreTowards Plausible Graph Anonymization
Yang Zhang (CISPA Helmholtz Center for Information Security), Mathias Humbert (armasuisse Science and Technology), Bartlomiej Surma (CISPA Helmholtz Center for...
Read MoreLet's Revoke: Scalable Global Certificate Revocation
Trevor Smith (Brigham Young University), Luke Dickenson (Brigham Young University), Kent Seamons (Brigham Young University)
Read MoreUnicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats
Xueyuan Han (Harvard University), Thomas Pasquier (University of Bristol), Adam Bates (University of Illinois at Urbana-Champaign), James Mickens (Harvard University),...
Read More