Impacting IP prefix reachability via RPKI manipulations
Brogle, Kyle; Cooper, Danny; Goldberg, Sharon; Reyzin, Leonid
The RPKI is an infrastructure that will provide digitally signed attestations for the hierarchical allocation and suballocation of IP addresses. Its goal is to improve security of interdomain routing by providing reliable data showing which autonomous system (AS) is authorized to originate which IP prefix. We discuss how the hierarchical nature of the RPKI makes it technically possible for any party above a target IP prefix in the RPKI hierarchy to revoke that target IP prefix. We show that such revocation can be "surgical" (i.e., impacting only the desired IP address or prefix) and difficult to detect. We also discuss the impact such revocation has on routing.
This note focuses only on the issues of technical feasibility (rather than legal or operational issues), and should not be taken as a recommendation for or against the use of the RPKI.