
The fix for BGP’s weaknesses – RPKI – has issues of its own

The Resource Public Key Infrastructure (RPKI) protocol has "software vulnerabilities, inconsistent specifications, and operational challenges" according to a pre-press paper from a trio of German researchers.

RPKI was designed to fix problems caused by the fact that Border Gateway Protocol (BGP) – the protocol that manages the routes traffic can traverse across the internet – was not secure by design. The newer protocol theoretically fixes that by adding Route Origin Authorization (ROA) objects and Route Origin Validation (ROV) – mechanisms that let network operators verify that the network originating an advertised route is actually authorized to announce that address space.
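To make the ROA/ROV mechanism concrete, here is an added illustration (not code from the paper, the article, or any RPKI implementation) of how a router or validator classifies a BGP announcement against a set of ROAs following the rules in RFC 6811: the announced prefix must be covered by a ROA, the origin AS must match, and the prefix must not be more specific than the ROA's maxLength. The ROA set uses constructed documentation prefixes and ASNs, and the `overly_permissive` check flags ROAs whose maxLength is longer than the prefix, a configuration RFC 9319 warns against because it lets a forged-origin announcement of a sub-prefix still validate.

```python
"""Route Origin Validation (RFC 6811) over a small, constructed ROA set.

Added example for illustration; it is not part of the article or the paper.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload: prefix, maximum length and authorized origin AS.

    An asn of 0 (AS0 ROA) means nobody is authorized to originate the prefix.
    """
    prefix: str
    max_length: int
    asn: int

    def network(self):
        return ipaddress.ip_network(self.prefix, strict=True)


# Constructed sample data using documentation prefixes (RFC 5737) and
# documentation ASNs (RFC 5398); these are assumptions, not real ROAs.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 25, 64497),  # maxLength longer than prefix
    ROA("203.0.113.0/24", 24, 0),       # AS0: prefix must never be announced
]


def covering_roas(roas, announced):
    """Return the ROAs whose prefix covers the announced prefix."""
    net = ipaddress.ip_network(announced, strict=True)
    return [
        r for r in roas
        if r.network().version == net.version and net.subnet_of(r.network())
    ]


def validate(roas, announced, origin_asn):
    """Classify an announcement as 'valid', 'invalid' or 'notfound' (RFC 6811).

    - notfound: no ROA covers the prefix, so RPKI says nothing about it
    - valid:    some covering ROA names this origin AS and the announced
                prefix length does not exceed that ROA's maxLength
    - invalid:  covering ROAs exist but none authorizes this announcement
    """
    covering = covering_roas(roas, announced)
    if not covering:
        return "notfound"
    net = ipaddress.ip_network(announced, strict=True)
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def overly_permissive(roas):
    """Return ROAs whose maxLength exceeds the prefix length.

    Such ROAs let an attacker who forges the authorized origin AS announce a
    more-specific sub-prefix that still validates; RFC 9319 recommends
    maxLength equal to the prefix length unless sub-prefixes are really used.
    """
    return [r for r in roas if r.max_length > r.network().prefixlen]


if __name__ == "__main__":
    checks = [
        ("192.0.2.0/24", 64496),        # authorized origin
        ("192.0.2.0/24", 64500),        # wrong origin AS
        ("198.51.100.128/26", 64497),   # more specific than maxLength 25
        ("192.0.2.0/23", 64496),        # less specific than any ROA: not covered
        ("203.0.113.0/24", 64498),      # AS0 ROA: always invalid
    ]
    for prefix, asn in checks:
        print(f"{prefix} from AS{asn}: {validate(SAMPLE_ROAS, prefix, asn)}")
    for roa in overly_permissive(SAMPLE_ROAS):
        print(f"review ROA {roa.prefix} maxLength {roa.max_length}")
```

A real validator feeds the router a full set of validated ROA payloads fetched from the RPKI repositories (via RTR); the classification logic above is the same, and operators then decide by policy whether to drop or depreference announcements that come back "invalid".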

In early September, the White House made RPKI part of its Roadmap to Enhancing Internet Routing Security – an initiative US national cyber director Harry Coker, Jr, said would "mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans."

And the rest of us, too, given that one impact of an attack on BGP could be to re-route traffic away from a website's actual address to another that hosts malware.

But according to a pre-press paper [PDF] by Haya Schulmann and Niklas Vogel of Germany's National Research Center for Applied Cybersecurity and Goethe-Universität Frankfurt, and Michael Waidner from the Center and TU Darmstadt, RPKI is far from perfect.

Schulmann and Vogel summarized the paper in a post on the Asia Pacific Network Information Center's blog:

The duo are optimistic that the many packages comprising RPKI will be improved. But for now they worry it is "attractive for attackers, with the relative abundance of vulnerabilities that have potentially devastating consequences for RPKI validation and might even open a backdoor into the local network running the vulnerable software component."

That's not just a theory. The paper outlines a Remote Code Execution attack the authors discovered during their research.

They also fear supply chain attacks that embed backdoors in open source RPKI components.


One saving grace is that the researchers found many operators struggle to keep their RPKI code patched, as it lacks automated means to do so – so a supply chain attack might take a while to have any effect. Of course, slow patching also means some users may not have patched dangerous flaws: the trio reckon 41.2 percent of those who use RPKI "are vulnerable to at least one long-disclosed attack."

But they also worry that RPKI may not scale well, and that lack of automation tools means misconfigurations are possible. If that happens, the benefits of the protocol – making verifiable info about routes available – will be hard to realize.

The paper assesses RPKI as "far from being fully mature" and the authors therefore ask "Did the White House push for the adoption of an immature technology, potentially doing more harm than good?"

Their answer is probably not, because all internet technologies were deployed before being perfected – even BGP – but were battle-tested and improved over time.

The authors therefore suggest using their paper as a To-Do list for those who work on RPKI.

"The roadmap of the White House is a huge leap for RPKI, and therefore also for internet routing, to truly mature and meet the expectations of security, reliability, and scalability for production-level deployments across the global internet," the authors conclude. ®

Source: theregister.com
