Search for: All records

Recognizing the relevance of securing inter-domain routing to protect traffic flows in the Internet, the Internet Engineering Task Force (IETF) standardized the Resource Public Key Infrastructure (RPKI), a framework to provide networks with a system to cryptographically validate routing data. Despite many obstacles, RPKI has emerged as the consensus to improve routing security and currently about 50% of routed IP address blocks are part of the system. The Regional Internet Registries (RIRs) are in charge of allocating address space in five different geographical zones and play a crucial role in RPKI: they are the roots of trust of the cryptographic system and provide the infrastructure to host RPKI certificates and keys for the Internet resources allocated in their region. Organizations and networks wanting to issue RPKI records for their address space need to follow the process from the RIR that delegated their address space. In this paper, we analyze the RIRs’ implementation of RPKI infrastructure from the perspective of network operators. Based on in-depth interviews with 13 network engineers who have been involved in their organizations’ efforts to adopt RPKI, we examine the RIR initiatives that have or would have most supported RPKI adoption for different types of organizations. Given RIRs have independently developed and implemented the cryptographic infrastructure as well as the tooling to issue and manage certificates, we offer recommendations on strategies that have encouraged RPKI adoption. 

Accurate mapping of Autonomous Systems (ASes) to their owner organizations is fundamental for understanding the structure and dynamics of the Internet. However, as AS numbers have traditionally been delegated in an ad-hoc manner and organizational ownership has evolved over time, many organizations have registered resources under different names. Traditionally, researchers have relied on datasets like AS2Org, which map ASNs to organizations primarily using WHOIS records, but WHOIS inconsistencies often lead to missed and false relationships. We propose a new approach by leveraging the Resource Public Key Infrastructure (RPKI) to map ASNs to their managing organization. Our methodology combines multiple data sources: WHOIS records to extract organization names, RPKI certificates to identify potential siblings, and Large Language Models (LLMs) to find evidence not visible in WHOIS records currently. This integrated approach enables a more robust and accurate mapping of ASNs to organizations, notably improving inferences for 14% of multi-ASN clusters. 

No description provided. 

Abstract Although Internet routing security best practices have recently seen auspicious increases in uptake, Internet Service Providers (ISPs) have limited incentives to deploy them. They are operationally complex and expensive to implement and provide little competitive advantage. The practices with significant uptake protect only against origin hijacks, leaving unresolved the more general threat of path hijacks. We propose a new approach to improved routing security that achieves four design goals: improved incentive alignment to implement best practices; protection against path hijacks; expanded scope of such protection to customers of those engaged in the practices; and reliance on existing capabilities rather than needing complex new software in every participating router. Our proposal leverages an existing coherent core of interconnected ISPs to create a zone of trust, a topological region that protects not only all networks in the region, but all directly attached customers of those networks. Customers benefit from choosing ISPs committed to the practices, and ISPs thus benefit from committing to the practices. We discuss the concept of a zone of trust as a new, more pragmatic approach to security that improves security in a region of the Internet, as opposed to striving for global deployment. We argue that the aspiration for global deployment is unrealistic, since the global Internet includes malicious actors. We compare our approach to other schemes and discuss how a related proposal, ASPA, could be used to increase the scope of protection our scheme achieves. We hope this proposal inspires discussion of how the industry can make practical, measurable progress against the threat of route hijacks in the short term by leveraging institutionalized cooperation rooted in transparency and accountability. 

Society increasingly relies on the Internet as a critical infrastructure. Inter-domain routing is a core Internet protocol that enables trac to flow globally across independent networks. Concerns about Internet infrastructure security have prompted policymakers to promote stronger routing security and the Resource Public Key Infrastructure (RPKI) in particular. RPKI is a cryptographic framework to secure routing that was standardized in 2012. In 2024, almost 50% of routed IP address blocks are still not covered by RPKI certificates. It is unclear what barriers are preventing net- works from adopting RPKI. This paper investigates networks with low RPKI adoption to understand where and why adoption is low or non-existent. We find that networks’ geographical area of service, size, business category and complexity of address space delegation impact RPKI adoption. Our analysis may help direct policymakers’ efforts to promote RPKI adoption and improve the state of routing security.