Who's running all those tiny RPKI servers?
4 hours ago
- #BGP
- #RPKI
- #Internet Security
- BGP lacks trust, making it vulnerable to prefix hijacks.
- RPKI uses cryptographic ROAs to authorize ASes for prefixes, improving security.
- Small, independent RPKI publication servers exist alongside RIR servers, with diverse operators.
- RPKI prevents BGP hijacks by validating route origins with signed records.
- Small servers are defined as having fewer than 1,300 ROAs.
- Reasons for operating independent servers include RPKIaaS, cross-RIR simplicity, research, control, and learning.
- Dataset analysis shows modest IP space coverage but includes critical services like government domains.
- Most ROAs (91%) are valid, but 7.6% are unknown, and maxLength usage poses risks.
- Many ROAs use maxLength, risking sub-prefix hijacks if not covered by BGP announcements.
- BGPsec is not deployed, limiting additional security.
- Operators cite cross-RIR simplicity and education as motivations for running servers.
- Small server failures could affect specific prefixes and Internet verifiability.