Volume 8 - Issue 1
Secure and Scalable Deployment of Resource Public Key Infrastructure (RPKI)
- Zhiwei Yan
China Internet Network Information Center, Beijing, 100190, P. R. China
yan@cnnic.cn
- Guanggang Geng
China Internet Network Information Center, Beijing, 100190, P. R. China
gengguanggang@cnnic.cn
- Hidenori Nakazato
Waseda University, Tokyo, 169-8555, Japan
nakazato@waseda.jp
- Yong-Jin Park
University of Malaysia Sabah, Sabah, 88400, Malaysia
yjpark@ums.edu.my
Keywords: BGP, RPKI, BGPsec, Route origination, CA-Safeguard
Abstract
The Border Gateway Protocol (BGP) is considered to be vulnerable to some typical security risks
because it lacks a scheme to verify received BGP messages. To address BGP security issues,
the Internet Engineering Task Force (IETF) proposed RPKI to verify the route origination contained in
the BGP message. Currently, the standardization of the basic RPKI protocol has been finished. Some
organizations have deployed RPKI services and others are in the process of doing so. However, RPKI
faces additional threats during actual deployment, especially the malfunctioning of the Certification
Authority (CA) when it issues certificates bound to the resources. We analyze the threats to
RPKI from the perspective of its large-scale deployment and then focus on the CA operation with
empirical tests. We propose a comprehensive CA-Safeguard scheme in order to support the secure
and scalable deployment of RPKI in the near future.