Hasty Briefsbeta

Bilingual

Who's running all those tiny RPKI servers?

4 hours ago
  • #BGP
  • #RPKI
  • #Internet Security
  • BGP lacks trust, making it vulnerable to prefix hijacks.
  • RPKI uses cryptographic ROAs to authorize ASes for prefixes, improving security.
  • Small, independent RPKI publication servers exist alongside RIR servers, with diverse operators.
  • RPKI prevents BGP hijacks by validating route origins with signed records.
  • Small servers are defined as having fewer than 1,300 ROAs.
  • Reasons for operating independent servers include RPKIaaS, cross-RIR simplicity, research, control, and learning.
  • Dataset analysis shows modest IP space coverage but includes critical services like government domains.
  • Most ROAs (91%) are valid, but 7.6% are unknown, and maxLength usage poses risks.
  • Many ROAs use maxLength, risking sub-prefix hijacks if not covered by BGP announcements.
  • BGPsec is not deployed, limiting additional security.
  • Operators cite cross-RIR simplicity and education as motivations for running servers.
  • Small server failures could affect specific prefixes and Internet verifiability.