limiting the power of rpki authorities · rpki is a prerequisite for bgpsec [rfc 8205] that...

39
Applied Networking Research Workshop 2020 acm sigcomm Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer SIT

Upload: others

Post on 16-Aug-2020

4 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Applied Networking Research Workshop 2020

acm sigcomm

Limiting the Power of RPKI Authorities

Kris Shrishak Haya Shulman

TU Darmstadt and Fraunhofer SIT

Page 2: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Motivation

- Resource Public Key Infrastructure (RPKI) secures the interdomain routingagainst prefix and subprefix hijacks

- However, significant power lies with the Regional Internet Registries (RIRs)

This Work

- Distributed RPKI system that relies on threshold signatures

- Prevention rather than detection

- Ensures that any change to the RPKI objects requires a joint action by a numberof RIRs, avoiding unilateral IP address takedowns

- No changes required at Relying Parties

1 / 19

Page 3: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Outline

RPKI

MPC

Our work

Page 4: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Prefix hijacks

2 / 19

Page 5: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

RPKI

RPKI [RFC 6480] is a hierarchical PKI that includes:

Routing Certificate (RC) Binds IP prefix to a public key

Route Origin Authorization (ROA) Binds the prefix to AS

- Signed by the public key associated with the RC

Route Origin Validation (ROV) Validates the origin of BGP route announcements

RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation.

3 / 19

Page 6: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Delegated and Hosted RPKI

Delegated RPKI

- Members run their own CA

- Member generates its own certificate, gets it signed by the parent CA

Hosted RPKI

- RIR runs the CA for the members and manages the keys and repo

- Convenient option for members as they do need to run their own CAs

- Even some large providers such as Cloudflare use hosted RPKI 1

1https://ripe77.ripe.net/presentations/156-RPKI-deployment-at-scale-RIPE-1.pdf4 / 19

Page 7: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Delegated and Hosted RPKI

Delegated RPKI

- Members run their own CA

- Member generates its own certificate, gets it signed by the parent CA

Hosted RPKI

- RIR runs the CA for the members and manages the keys and repo

- Convenient option for members as they do need to run their own CAs

- Even some large providers such as Cloudflare use hosted RPKI 1

1https://ripe77.ripe.net/presentations/156-RPKI-deployment-at-scale-RIPE-1.pdf4 / 19

Page 8: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Delegated and Hosted RPKI

Delegated RPKI

- Members run their own CA

- Member generates its own certificate, gets it signed by the parent CA

Hosted RPKI

- RIR runs the CA for the members and manages the keys and repo

- Convenient option for members as they do need to run their own CAs

- Even some large providers such as Cloudflare use hosted RPKI 1

1https://ripe77.ripe.net/presentations/156-RPKI-deployment-at-scale-RIPE-1.pdf4 / 19

Page 9: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Power imbalance

- RPKI authorities can revoke and allocations

- RPKI authorities can unilaterally takedown IP prefixes

- Law enforcement 2 3

- ASes not necessarily in the same country as the RIR(no recourse, loss of business)

- RIRs do not usually collude with each other, and often disagree with each otherwhen it comes to their response to law enforcement agencies 4

2RIPE NCC Blocks Registration in RIPE Registry Following Order from Dutch Police (2011)3ICANN Tells U.S. Court That ccTLDs Are Not “Property” — Files Motion to Quash in U.S. Legal Action

Aimed at Seizing Top-Level Domains (2014)4M. Mueller, M. van Eeten, and B. Kuerbis. In important case, RIPE-NCC seeks legal clarity on how it

responds to foreign court orders (2011)5 / 19

Page 10: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Prior Works

- Adding transparency logs and .dead objects to signify consent 5

- Relying parties take a part of the burden- Detection after the fact- Parent manages the signing in hosted RPKI and can sign the .dead objects itself

- Blockchain to replace RPKI 6

- Scalability- Deployment issues such as consensus algorithm and incentive for the nodes to run

the blockchain- If Proof-of-Stake is used, large providers will become powerful players; another form

of power imbalance

5Heilman, et. al. From the consent of the routed: Improving the transparency of the RPKI (SIGCOMM’14)6Adiseshu Hari and T. V. Lakshman. The Internet blockchain: A distributed, tamper-resistant transaction

framework for the Internet (HotNets’16)6 / 19

Page 11: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Outline

RPKI

MPC

Our work

Page 12: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Multiparty Computation (MPC)

x1

x2

x3

Trusted Third Party

x1

x2

x3

MPC

7 / 19

Page 13: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Multiparty Computation (MPC)

x1

x2

x3

Trusted Third Partyx1

x2

x3

MPC

7 / 19

Page 14: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

MPCThreshold Signatures

Traditional Signatures

sk

Indistinguishable

Threshold Signatures{sk1, sk2, sk3} ← Share(sk)

sk1

sk2

sk3

MPC

8 / 19

Page 15: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

MPCThreshold Signatures

Traditional Signatures

sk

Indistinguishable

Threshold Signatures{sk1, sk2, sk3} ← Share(sk)

sk1

sk2

sk3

MPC

8 / 19

Page 16: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Outline

RPKI

MPC

Our work

Page 17: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threat model

x1

x2

x3

x2

x3

MPC

Individual RIRs not entirely trusted

Adversary power

- Passive

- Active

How many can be corrupt?

- Minority

- Majority

9 / 19

Page 18: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threat model

x1

x2

x3

x2

x3

MPC

Individual RIRs not entirely trusted

Adversary power

- Passive

- Active

How many can be corrupt?

- Minority

- Majority

9 / 19

Page 19: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threat model

x1

x2

x3

x2

x3

MPC

Individual RIRs not entirely trusted

Adversary power

- Passive

- Active

How many can be corrupt?

- Minority

- Majority

9 / 19

Page 20: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threat model

x1

x2

x3

x2

x3

MPC

Individual RIRs not entirely trusted

Adversary power

- Passive

- Active

How many can be corrupt?

- Minority

- Majority

9 / 19

Page 21: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

System Setup

Trust Anchor

Hosted CAThreshold Signature

ModuleRPKIDB

Hosted RPKI

RIR CAThreshold Signature

ModuleRPKIDB

reposrepos

10 / 19

Page 22: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Distributed RPKI

CAThreshold Signature

Module

RIPE NCC

ARIN

LACNIC

AFRINIC

APNIC

reposrepos

MPC

11 / 19

Page 23: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threshold signatures for RPKI

{sk1, sk2, sk3, sk4, sk5} ← Share(sk)

Threshold signing should not be expensive

sk1

sk2

sk3

sk4

sk5

consent

MPC

reposrepos

12 / 19

Page 24: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threshold signatures for RPKI

{sk1, sk2, sk3, sk4, sk5} ← Share(sk)

Threshold signing should not be expensive

sk1

sk2

sk3

sk4

sk5

consent

MPC

reposrepos

12 / 19

Page 25: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threshold signatures for RPKI

{sk1, sk2, sk3, sk4, sk5} ← Share(sk)

Threshold signing should not be expensive

sk1

sk2

sk3

sk4

sk5

consent

MPC

reposrepos

12 / 19

Page 26: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threshold signatures for RPKI

{sk1, sk2, sk3, sk4, sk5} ← Share(sk)

Threshold signing should not be expensive

sk1

sk2

sk3

sk4

sk5

consent

MPC

reposrepos

12 / 19

Page 27: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threshold signatures for RPKI

{sk1, sk2, sk3, sk4, sk5} ← Share(sk)

Threshold signing should not be expensive

sk1

sk2

sk3

sk4

sk5

consent

MPC

reposrepos

12 / 19

Page 28: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threshold signatures for RPKI

{sk1, sk2, sk3, sk4, sk5} ← Share(sk)Threshold signing should not be expensive

sk1

sk2

sk3

sk4

sk5

consent

MPC

reposrepos

12 / 19

Page 29: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threshold Signature in 3 phases

MPC

Preprocessing- Member independent

Preprocessing- Member independent- Message independent

Online phase

13 / 19

Page 30: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threshold Signature in 3 phases

MPC

Preprocessing- Member independent

Preprocessing- Member independent- Message independent

Online phase

13 / 19

Page 31: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threshold Signature in 3 phases

sk1

sk2

sk3

sk4

sk5

MPC

Preprocessing- Member independent

Preprocessing- Member independent- Message independent

Online phase

13 / 19

Page 32: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Threshold Signature in 3 phases

sk1, M

sk2, M

sk3, M

sk4, M

sk5, M

MPC

Preprocessing- Member independent

Preprocessing- Member independent- Message independent

Online phase

13 / 19

Page 33: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Deployment Scenarios

- Two-layered

- Is compatible with delegated RPKI- Upper layer generates a distributed TA to the five RIRs- Distributed key generation- All RIRs have the same subjectPublicKeyInfo in their TAL- Lower layer uses the threshold signing module for the Hosted CAs- Generates signed objects- Not entirely immune to state coercion

- Flat

- Combines RIR CA and hosted CA- Replaces the hierarchical RPKI with a flat architecture- Not compatible with delegated RPKI

14 / 19

Page 34: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Evaluations

Frankfurt

SydneySao Paolo

MumbaiN. Virginia

114.9|10985.6|142

228.3|49196.7|57

119.9|99301.0|36

180.6|64

203.7|56 283.2|39

308.7|35

Figure: Latency in milliseconds|Bandwidth in Mbits/s between regions

15 / 19

Page 35: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

EvaluationshhhhhhhhhhhhMajority

Adversary powerPassive Active

Honest Shamir Mal. ShamirDishonest Semi. OT MASCOT

Table: Four MPC protocols

LAN WAN

Preprocessing Online Preprocessing Online

MASCOT 209 529 20 0.95Semi OT 1042 662 111 2.05Mal. Shamir 699 714 91 3.53Shamir 1020 769 265 3.54

Table: Breakdown of throughput for preprocessing (tuples/sec) and online phases(signatures/sec)

16 / 19

Page 36: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

ROAs

2015-012016-01

2017-012018-01

2019-012020-01

Dates

0

20000

40000

60000

80000

100000

ROAs

add

ed

AFRINICAPNIC

ARINLACNIC

RIPENCC

2015-012016-01

2017-012018-01

2019-012020-01

Dates

0

20000

40000

60000

80000

100000

ROAs

rem

oved

AFRINICAPNIC

ARINLACNIC

RIPENCC

Figure: Number of ROAs added and removed from March 2015 to February 2020

17 / 19

Page 37: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Evaluations

In the WAN setting,

- MASCOT: 0.95 signatures/sec or 82080 signatures/day

- Shamir: 3.53 signatures/sec or 304992 signatures/day

- Even our slowest protocol is able to satisfy the requirements on an average day.

- Our other protocols are able to generate enough signatures even on peak days

18 / 19

Page 38: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

Summary of our work

- Distributed RPKI with a stronger threat model

- Using threshold signatures in preprocessing model

- No changes at Relying Parties

- Technical solution that requires legal and policy barriers to be addressed to makethe work truly practical

19 / 19

Page 39: Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor

[email protected]

CAThreshold Signature

Module

RIPE NCC

ARIN

LACNIC

AFRINIC

APNIC

reposrepos

MPC