An internet security mechanism called Resource Public Key Infrastructure (RPKI), intended to safeguard the routing of data traffic, can be broken.
Or so the folks at Germany’s ATHENE, the National Research Center for Applied Cybersecurity, argue.
That means if you were hoping RPKI would prevent state spies and rogue operators from redirecting people’s connections to snoop on them or upend their connectivity, you may be disappointed: in the right circumstances, it can be circumvented.
For those who don’t know, the internet is a network of connected networks. These networks, called autonomous systems (ASes), use the Border Gateway Protocol (BGP) to advertise the IP address prefixes they hold to neighboring networks via their routers. Those advertisements propagate from AS to AS and together build up the internet’s routing map, so that when you try to connect to something, your packets are sent along the right pipes to the right place.
Malicious ASes can lie to their neighbors, claiming address prefixes they don’t own. On March 28, 2022, for example, Russian telecoms provider RTComm.ru started advertising one of Twitter’s network prefixes, presumably to intercept Twitter traffic or at least redirect it into a sinkhole, blocking access to the social network.
RPKI aspires to prevent prefix hijacking by binding IP address prefixes to the ASes authorized to originate them, using signed objects called ROAs (Route Origin Authorizations). Only about 40 percent of all IP address blocks are covered by RPKI certificates, and only about 27 percent of networks verify them, according to ATHENE.
But where it is deployed, RPKI lets an AS check the origin of the prefix advertisements it receives from other ASes. Using ROV (Route Origin Validation), a BGP router classifies each route as valid, invalid, or not found. The catch is the third state: if no ROA covering the prefix is available, for instance because the relying party (the validator that fetches ROAs on the router’s behalf) could not retrieve it from the RPKI publication points, the route is treated as unknown and RPKI plays no part in the routing decision.
This design choice – prioritizing network reachability over security – represents the source of the vulnerability, the ATHENE researchers argue.
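To make the design choice concrete, here is a small Python model of Route Origin Validation and the routing policy applied to its result. This is an added illustration, not code from the article or from ATHENE. It shows why the “unknown” state matters: with the validated ROA payloads (VRPs) in place, an announcement from the wrong AS is classified invalid and dropped, but if the relying party has been stalled until its data expired and the router holds no VRPs, the very same announcement becomes “not found” and is accepted. The prefixes and AS numbers are constructed documentation values (RFC 5737, RFC 3849, RFC 6996), not those of any real network or incident; the `fail_closed` switch is an assumption added to show the alternative policy the addendum below discusses.

```python
"""Model of RPKI Route Origin Validation (RFC 6811) and the fail-open routing policy.

Added example, not part of the article or of ATHENE's work. The VRPs, prefixes
and AS numbers below are constructed from documentation ranges (RFC 5737,
RFC 3849) and private ASNs (RFC 6996); they describe no real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: the data a router receives from a relying party."""
    prefix: str        # e.g. "192.0.2.0/24"
    max_length: int    # longest prefix length the origin may announce
    origin_as: int     # AS authorized to originate the prefix


def rov_state(route_prefix: str, origin_as: int, vrps: Iterable[VRP]) -> str:
    """Classify a BGP route as 'valid', 'invalid' or 'not-found' (RFC 6811 sec. 2).

    A VRP 'covers' the route when the route prefix is equal to or more specific
    than the VRP prefix. No covering VRP -> not-found. A covering VRP with the
    same origin AS and prefix length <= max_length -> valid. Otherwise invalid.
    """
    route = ipaddress.ip_network(route_prefix, strict=False)
    covering = []
    for vrp in vrps:
        net = ipaddress.ip_network(vrp.prefix, strict=False)
        if net.version == route.version and route.subnet_of(net):
            covering.append(vrp)
    if not covering:
        return "not-found"
    for vrp in covering:
        if vrp.origin_as == origin_as and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid"


def accept_route(route_prefix: str, origin_as: int, vrps: Iterable[VRP],
                 fail_closed: bool = False) -> bool:
    """Routing policy applied to the ROV result.

    The deployed convention (the design choice the article discusses) is
    fail-open: drop 'invalid', accept both 'valid' and 'not-found'. The
    fail_closed flag is an assumption for illustration: it also drops
    'not-found', which is what a router would need to resist a validator that
    has been stalled into producing no data.
    """
    state = rov_state(route_prefix, origin_as, vrps)
    if state == "valid":
        return True
    if state == "invalid":
        return False
    return not fail_closed


# Constructed VRP set: AS 64496 holds 192.0.2.0/24 (announceable as /24 or /25)
# and 2001:db8::/32 (announceable down to /48).
VRPS: List[VRP] = [
    VRP("192.0.2.0/24", 25, 64496),
    VRP("2001:db8::/32", 48, 64496),
]

# Constructed hijack: AS 64511 announces a prefix that belongs to AS 64496.
HIJACK_PREFIX = "192.0.2.0/24"
HIJACKER_AS = 64511


def demonstrate() -> dict:
    """Evaluate the same hijack against a healthy and a stalled relying party."""
    stalled_rp_vrps: List[VRP] = []   # RP stalled until its cached data expired
    return {
        "healthy_state": rov_state(HIJACK_PREFIX, HIJACKER_AS, VRPS),
        "healthy_accepted": accept_route(HIJACK_PREFIX, HIJACKER_AS, VRPS),
        "stalled_state": rov_state(HIJACK_PREFIX, HIJACKER_AS, stalled_rp_vrps),
        "stalled_accepted": accept_route(HIJACK_PREFIX, HIJACKER_AS, stalled_rp_vrps),
        "stalled_fail_closed": accept_route(HIJACK_PREFIX, HIJACKER_AS,
                                            stalled_rp_vrps, fail_closed=True),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Run it and the healthy relying party reports the hijack as invalid and the router drops it, while the stalled one reports not-found and the router accepts it; only the fail-closed variant rejects the route in both cases, which is exactly the reachability trade-off the addendum at the end of this story describes.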
In research [PDF] presented earlier this year at both the USENIX Security and Black Hat conferences, Tomas Hlavacek, Philipp Jeitner, Donika Mirdita, Haya Shulman, and Michael Waidner describe an attack they call “Stalloris.”
The attack requires adversarial control of an RPKI publication point, that is, a repository server from which relying parties fetch ROAs, something within the reach of state-level adversaries and other sophisticated miscreants. The adversarial RPKI source is set up to answer requests as slowly as possible and to keep the victim’s validator busy fetching from publication points the attacker controls. As the name suggests, the technique stalls the route verification process, which ultimately disables RPKI, so no route validation occurs.
“[W]e show that a combination of Stalloris with just a single iteration of low rate off-path packet loss attack suffices to remove the RPKI validation,” the researchers explain in their paper. “The idea behind our Stalloris attack is to create a deep delegation path so that the relying party [validating ROAs for the victim] opens RRDP (RPKI Repository Delta Protocol) connections to multiple publication points controlled by the adversary.”
Consider a scenario in which the adversary wants AS1 to accept a hijacked BGP advertisement for a prefix belonging to AS2. The attacker first identifies the relying party that validates ROAs for AS1 and the DNS resolver that relying party uses, and then identifies the public repository (publication point) that serves the RPKI data for AS2.
With AS1’s relying party and AS2’s publication point known, the attacker prevents the relying party from communicating with AS2’s RPKI repository. Because the relying party reaches the repository by name, this is done by knocking the publication point’s records out of the resolver’s cache, and the low-rate packet-loss bursts have to be repeated until those records are gone and cannot be refreshed.
This low-rate attack is combined with Stalloris, which slows the relying party down, in order to reduce the number of low-rate iterations needed to disable RPKI protection.
Using low-rate bursts synchronized with the relying party’s queries for RPKI publication points, the attacker can effectively take RPKI protection out of the picture, forcing the target network to make routing decisions on unvalidated information.
See the above paper for the full technical details; we’re just summarizing here so you get the idea this is a non-trivial attack for well-placed and resourced snoopers. Think of it as either an interesting design challenge to overcome, or a possible means of attack some way down the line in future.
“In our measurements we found 47 percent of the publication points to be vulnerable to rate-limiting downgrade attacks,” the paper says. “This corresponds to 60 percent of the RPKI protected IPv4 address space in the Internet.”
The boffins say that at the start of 2021, all popular relying-party software used by networks to validate RPKI data was vulnerable, and that they notified the developers about the attack. Presumably, some of the mitigations suggested by the researchers, such as limiting delegation chains and rethinking how “unknown” routes are handled, have since been implemented in that software.
But ATHENE isn’t certain how broadly its recommendations have been implemented. “We have not measured how many updated their systems already,” a spokesperson said in an email. “We know that the developers integrated patches into the relying party software (except for software of RIPE NCC which is no longer maintained) to prevent the attacks.”
Google at least says it has implemented defenses. “Google has protections in place that protect against this threat on our RPKI infrastructure,” a spokesperson told The Register.
But with about 60 percent of IP address blocks lacking RPKI, network route hijacking remains a risk. ®
Addendum
After we published this story, it was pointed out that the fail-open nature of RPKI is what makes it usefully deployable in the real world. A fail-closed approach, in which routes lacking validation data were dropped, would probably expose the internet to greater disruption, since any outage of a repository or validator would then take legitimate routes down with it. So take note when reviewing ATHENE’s criticisms.