Experts at the National Research Center for Applied Cybersecurity say that they have found a method to break Resource Public Key Infrastructure (RPKI), a “mechanism … [that] is actually designed to prevent cybercriminals or government attackers from diverting traffic on the Internet.” The team of scientists say attackers can circumvent RPKI without being detected by network operators.
Note
- The real problem isn’t that it fails “open” if a key cannot be found, but the fact that the majority of networks do not have RPKI configured at all.
- As ATHENE points out, currently only 40% of address blocks have RPKI certificates and only 27% of networks are verifying RPKI certs. This attack takes advantage of the way connectivity is allowed when RPKI certs can’t be found or validated and is not effective with full participation. Google and other BGP network providers have put mitigation measures in place to deal with the issue, but faster adoption of RPKI and other MANRS (Mutually Agreed Norms for Routing Security) that The Internet Society has been recommending will be the best solution for upgrading BGP security.
- The exploit takes advantage of RPKI allowing traffic to flow when the identifying certificate for that block cannot be found. About 40% of networks have an identifying certificate, while 27% of networks verify them. As this is a design flaw, don’t expect a rapid change to be issued to fix this issue.
Read more in
