Pruning the Tree: Rethinking RPKI Architecture From The Ground Up
- URL: http://arxiv.org/abs/2507.01465v2
- Date: Mon, 14 Jul 2025 09:45:34 GMT
- Authors: Haya Schulmann, Niklas Vogel
- Abstract summary: Resource Public Key Infrastructure (RPKI) is a critical security mechanism for BGP. RPKI design heavily reuses legacy PKI components, such as X.509 EE-certificates, ASN.1 encoding, and XML-based repository protocols. We show that these design choices, although based on established standards, create significant performance bottlenecks, increase the vulnerability surface, and hinder scalability for wide-scale Internet deployment.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Resource Public Key Infrastructure (RPKI) is a critical security mechanism for BGP, but the complexity of its architecture is a growing concern as its adoption scales. Current RPKI design heavily reuses legacy PKI components, such as X.509 EE-certificates, ASN.1 encoding, and XML-based repository protocols, which introduce excessive cryptographic validation, redundant metadata, and inefficiencies in both storage and processing. We show that these design choices, although based on established standards, create significant performance bottlenecks, increase the vulnerability surface, and hinder scalability for wide-scale Internet deployment. In this paper, we perform the first systematic analysis of the root causes of complexity in RPKI's design and experimentally quantify their real-world impact. We show that over 70% of validation time in RPKI relying parties is spent on certificate parsing and signature verification, much of it unnecessary. Building on this insight, we introduce the improved RPKI (iRPKI), a backwards-compatible redesign that preserves all security guarantees while substantially reducing protocol overhead. iRPKI eliminates EE-certificates and ROA signatures, merges revocation and integrity objects, replaces verbose encodings with Protobuf, and restructures repository metadata for more efficient access. We experimentally demonstrate that our implementation of iRPKI in the Routinator validator achieves a 20x speed-up of processing time, 18x improvement of bandwidth requirements and 8x reduction in cache memory footprint, while also eliminating classes of vulnerabilities that have led to at least 10 vulnerabilities in RPKI software. iRPKI significantly increases the feasibility of deploying RPKI at scale in the Internet, and especially in constrained environments. Our design may be deployed incrementally without impacting existing operations.
Related papers
- PRISM: Distributed Inference for Foundation Models at Edge
  PRISM is a communication-efficient and compute-aware strategy for distributed Transformer inference on edge devices. We evaluate PRISM on ViT, BERT, and GPT-2 across diverse datasets.
  arXiv Detail & Related papers (2025-07-16T11:25:03Z)
- Rudraksh: A compact and lightweight post-quantum key-encapsulation mechanism
  Resource-constrained devices such as wireless sensors and Internet of Things (IoT) devices have become ubiquitous in our digital ecosystem. Due to the impending threat of quantum computers on our existing public-key cryptographic schemes and the limited resources available on IoT devices, it is important to design lightweight post-quantum cryptographic schemes suitable for these devices. In this work, we explore the design space of learning-with-errors-based PQC schemes to design a lightweight key-encapsulation mechanism (KEM) suitable for resource-constrained devices.
  arXiv Detail & Related papers (2025-01-23T16:16:23Z)
- ACRIC: Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check
  Recent security incidents in safety-critical industries exposed how the lack of proper message authentication enables attackers to inject malicious commands or alter system behavior. These shortcomings have prompted new regulations that emphasize the pressing need to strengthen cybersecurity. We introduce ACRIC, a message authentication solution to secure legacy industrial communications.
  arXiv Detail & Related papers (2024-11-21T18:26:05Z)
- RPKI: Not Perfect But Good Enough
  The Resource Public Key Infrastructure protocol was standardized to add cryptographic security to Internet routing. The White House indicated in its Roadmap to Enhance Internet Security, on 4 September 2024, that RPKI is a mature and readily available technology for securing inter-domain routing. This work presents the first comprehensive study of the maturity of RPKI as a viable production-grade technology.
  arXiv Detail & Related papers (2024-09-22T16:21:14Z)
- The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach
  Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies. We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
  arXiv Detail & Related papers (2024-09-10T10:12:37Z)
- SoK: An Introspective Analysis of RPKI Security
  The Resource Public Key Infrastructure (RPKI) is the main mechanism to protect inter-domain routing with BGP from prefix hijacks. Almost half of all the global prefixes are now covered by RPKI and measurements show that 27% of networks are already using RPKI to validate BGP announcements.
  arXiv Detail & Related papers (2024-08-22T12:57:09Z)
- Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments
  We investigate the security implications of and software-based Open Radio Access Network (RAN) systems. We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
  arXiv Detail & Related papers (2024-05-03T07:18:45Z)
- Byzantine-Secure Relying Party for Resilient RPKI
  We develop BRP, a Byzantine-Secure relying party implementation. We show through simulations and experiments that BRP, as an intermediate RPKI service, results in less load on RPKI publication points and a robust output despite RPKI repository failures, jitter, and attacks.
  arXiv Detail & Related papers (2024-05-01T14:04:48Z)
- The CURE To Vulnerabilities in RPKI Validation
  RPKI has seen increasing adoption, with now 37.8% of the major networks filtering bogus BGP routes. We report a total of 18 vulnerabilities that can be exploited to downgrade RPKI validation in border routers. We generated over 600 million test cases and tested all popular RPs on them.
  arXiv Detail & Related papers (2023-12-04T13:09:37Z)
- Is Vertical Logistic Regression Privacy-Preserving? A Comprehensive Privacy Analysis and Beyond
  We consider vertical logistic regression (VLR) trained with mini-batch gradient descent. We provide a comprehensive and rigorous privacy analysis of VLR in a class of open-source Federated Learning frameworks.
  arXiv Detail & Related papers (2022-07-19T05:47:30Z)
- Structured Sparsity Learning for Efficient Video Super-Resolution
  We develop a structured pruning scheme called Structured Sparsity Learning (SSL) according to the properties of video super-resolution (VSR) models. In SSL, we design pruning schemes for several key components in VSR models, including residual blocks, recurrent networks, and upsampling networks.
  arXiv Detail & Related papers (2022-06-15T17:36:04Z)
- ISTR: End-to-End Instance Segmentation with Transformers
  We propose an instance segmentation Transformer, termed ISTR, which is the first end-to-end framework of its kind. ISTR predicts low-dimensional mask embeddings, and matches them with ground truth mask embeddings for the set loss. Benefiting from the proposed end-to-end mechanism, ISTR demonstrates state-of-the-art performance even with approximation-based suboptimal embeddings.
  arXiv Detail & Related papers (2021-05-03T06:00:09Z)