CCS2024
Byzantine-Secure Relying Party for Resilient RPKI
Jens Frieß, Donika Mirdita, Haya Schulmann, Michael Waidner
Abstract
BGP is a gaping hole in Internet security, as evidenced by numerous hijacks and outages. The significance of BGP for stability and security of the Internet has made it a top priority on the cyber security agenda of nation states, with the US government, in particular CISA, FCC, and other federal agencies leading the efforts. To protect against prefix hijacks, Resource Public Key Infrastructure (RPKI) has been standardized. Yet, RPKI validation is not widely supported. To enjoy the security guarantees of RPKI validation, the networks need to install a new component, the relying party validator, which fetches and validates RPKI objects and provides them to border routers. However, recent works showed that relying parties experience failures when retrieving RPKI objects and are vulnerable to different attacks, all of which can disable RPKI validation. Therefore even the few adopters are not necessarily secure. We make the first proposal that significantly improves the resilience and security of RPKI validation. We develop BRP, a Byzantine-secure relying party implementation. In BRP the relying party nodes redundantly validate RPKI objects and arrive at a global consensus through a voting process. BRP provides an RPKI equivalent of public DNS, removing the need for networks to install, operate, and upgrade their own relying party instances while avoiding the need to trust operators of BRP nodes. We show through simulations and experimental evaluations that BRP, as an intermediate RPKI service, results in less load on RPKI publication points and a robust output despite RPKI repository failures, jitter, and attacks. We engineer BRP to be fully backward compatible and readily deployable: it does not require any changes to the border routers and the RPKI repositories. BRP enables independent verification by users of its correct operation. We demonstrate that BRP can protect many networks transparently, with either a decentralized or a centralized deployment.
BRP can be set up as a network of decentralized volunteer deployments, similarly to NTP and TOR, where different operators participate in the peering process with their relying party node, and provide resilient and secure relying party validation to the Internet. BRP can also be hosted by a single operator as a centralized service, e.g., on one cloud or CDN, and even provides RPKI validation benefits when hosted on just a single network. We make the code of BRP and the evaluation data public.