CRII: SaTC: Measuring and Improving the Management of Resource Public Key Infrastructure (RPKI)

CRII：SaTC：衡量和改进资源公钥基础设施 (RPKI) 的管理

• 批准号: 2051166
• 负责人: Taejoong Chung
• 金额: $ 14.94万
• 依托单位: Virginia Polytechnic Institute and State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-08-01 至 2022-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2051166&HistoricalAwards=false
• 关键词: CRII; SaTC; Measuring; Improving; Management

The Border Gateway Protocol (BGP) is responsible for managing how packets are routed across the Internet by exchanging routing related messages (path announcements) between routers. While the Border Gateway Protocol plays a critical role in the Internet communications, it remains highly vulnerable to many attacks. This is because the protocol was originally designed for each BGP router to trust all protocol related messages, especially path announcements, sent by its neighboring routers. As a result, incorrect and malicious path information would be accepted by routers at face value, potentially leading to destination unreachable problems in the Internet. To address this issue, Resource Public Key Infrastructure (RPKI) was introduced in 2012 to allow routers to verify path announcements in the Border Gateway Protocol. However, today there is a dearth of information available about the vulnerability of the RPKI, and how routers in the Internet have actually deployed and managed it. This project will develop techniques to better understand and improve the management of RPKI, helping to better secure the Internet. Given the early stage of the RPKI protocol, the findings in this project stand a good chance of being integrated to improve the state of the system. The project would train students in related research. The findings of the project would identify what the current security problems of RPKI are and help spur a greater adoption of RPKI by releasing the codes, datasets and analysis tools developed in the project and presenting the research outcomes to other researchers, administrators, and Internet operations related working groups.This project has two research foci, each examining the management and improving security challenges of the Resource Public Key Infrastructure. First, the project will analyze existing RPKI repositories from multiple vantage points in an effort to understand how much of actual Border Gateway Protocol feeds in the Internet are verifiable. It will also determine what fraction of routers are actually using RPKI to validate paths. For this focus, the investigators will collaborate with one of the biggest network operators that have the most-peered global networks in existence. Second, the project will develop new techniques to detect misconfigurations of routers and potential security vulnerabilities. For this purpose, the project will host a custom RPKI repository that have multiple invalid routes, which will be used to test RPKI validators or routers.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

边界网关协议（BGP）负责管理数据包如何通过路由器之间交换路由相关的消息（路径通告）在Internet上路由。虽然边界网关协议在互联网通信中起着至关重要的作用，但它仍然非常容易受到许多攻击。这是因为该协议最初是为每个BGP路由器设计的，以信任其相邻路由器发送的所有协议相关消息，特别是路径公告。因此，路由器会接受不正确和恶意的路径信息，从而可能导致Internet中的目的地不可达问题。为了解决这个问题，2012年引入了资源公钥基础设施（RPKI），允许路由器验证边界网关协议中的路径公告。然而，目前关于RPKI的脆弱性以及互联网上的路由器如何实际部署和管理它的信息非常缺乏。本项目将开发技术，以更好地了解和改进RPKI的管理，帮助更好地保护互联网。鉴于RPKI协议的早期阶段，在这个项目中的研究结果站在一个很好的机会被集成，以改善系统的状态。该项目将对学生进行相关研究方面的培训。该项目的研究结果将通过发布项目中开发的代码、数据集和分析工具，并将研究成果展示给其他研究人员、管理员和互联网运营相关工作组，来确定RPKI当前的安全问题，并帮助推动RPKI的更广泛采用。该项目有两个研究重点，每一个都检查资源公钥基础设施的管理和改进安全挑战。首先，该项目将从多个Vantage位置分析现有的RPKI存储库，以了解互联网上有多少实际的边界网关协议源是可验证的。它还将确定实际使用RPKI来验证路径的路由器的比例。为了实现这一目标，调查人员将与拥有现有全球对等网络最多的最大网络运营商之一合作。其次，该项目将开发新技术来检测路由器的错误配置和潜在的安全漏洞。为此，该项目将托管一个自定义RPKI存储库，其中包含多个无效路由，用于测试RPKI验证器或路由器。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。