CRII: SaTC: Measuring and Improving the Management of Resource Public Key Infrastructure (RPKI)

CRII：SaTC：衡量和改进资源公钥基础设施 (RPKI) 的管理

• 批准号: 2051166
• 负责人: Taejoong Chung
• 金额: $ 14.94万
• 依托单位: Virginia Polytechnic Institute and State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-08-01 至 2022-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2051166&HistoricalAwards=false
• 关键词: CRII; SaTC; Measuring; Improving; Management

The Border Gateway Protocol (BGP) is responsible for managing how packets are routed across the Internet by exchanging routing related messages (path announcements) between routers. While the Border Gateway Protocol plays a critical role in the Internet communications, it remains highly vulnerable to many attacks. This is because the protocol was originally designed for each BGP router to trust all protocol related messages, especially path announcements, sent by its neighboring routers. As a result, incorrect and malicious path information would be accepted by routers at face value, potentially leading to destination unreachable problems in the Internet. To address this issue, Resource Public Key Infrastructure (RPKI) was introduced in 2012 to allow routers to verify path announcements in the Border Gateway Protocol. However, today there is a dearth of information available about the vulnerability of the RPKI, and how routers in the Internet have actually deployed and managed it. This project will develop techniques to better understand and improve the management of RPKI, helping to better secure the Internet. Given the early stage of the RPKI protocol, the findings in this project stand a good chance of being integrated to improve the state of the system. The project would train students in related research. The findings of the project would identify what the current security problems of RPKI are and help spur a greater adoption of RPKI by releasing the codes, datasets and analysis tools developed in the project and presenting the research outcomes to other researchers, administrators, and Internet operations related working groups.This project has two research foci, each examining the management and improving security challenges of the Resource Public Key Infrastructure. First, the project will analyze existing RPKI repositories from multiple vantage points in an effort to understand how much of actual Border Gateway Protocol feeds in the Internet are verifiable. It will also determine what fraction of routers are actually using RPKI to validate paths. For this focus, the investigators will collaborate with one of the biggest network operators that have the most-peered global networks in existence. Second, the project will develop new techniques to detect misconfigurations of routers and potential security vulnerabilities. For this purpose, the project will host a custom RPKI repository that have multiple invalid routes, which will be used to test RPKI validators or routers.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

边界网关协议（BGP）负责通过路由器之间的路由器之间交换相关消息（路径公告）来管理如何在互联网上进行路由。尽管边境网关协议在Internet通信中起着至关重要的作用，但它仍然很容易受到许多攻击的影响。这是因为该协议最初是为每个BGP路由器设计的，以信任其相邻路由器发送的所有相关消息，尤其是路径公告。结果，路由器以表面价值接受了不正确和恶意的路径信息，这可能导致互联网中目的地无法达到的问题。为了解决此问题，资源公共密钥基础架构（RPKI）于2012年引入，以允许路由器在边界网关协议中验证路径公告。但是，今天，缺乏有关RPKI脆弱性的信息，以及互联网中的路由器实际上是如何部署和管理的。该项目将开发技术，以更好地理解和改善RPKI的管理，从而更好地保护互联网。鉴于RPKI协议的早期阶段，该项目的发现很有可能被整合起来改善系统状态。该项目将培训学生进行相关研究。 The findings of the project would identify what the current security problems of RPKI are and help spur a greater adoption of RPKI by releasing the codes, datasets and analysis tools developed in the project and presenting the research outcomes to other researchers, administrators, and Internet operations related working groups.This project has two research foci, each examining the management and improving security challenges of the Resource Public Key Infrastructure.首先，该项目将从多个有利位置分析现有的RPKI存储库，以了解Internet中有多少实际边境网关协议提要是可以验证的。它还将确定哪些路由器实际使用RPKI来验证路径。为了重点，调查人员将与拥有最多的全球网络的最大网络运营商之一合作。其次，该项目将开发新技术，以检测路由器和潜在安全漏洞的构造错误。为此，该项目将托管一个具有多个无效路线的自定义RPKI存储库，该存储库将用于测试RPKI验证器或路由器。该奖项反映了NSF的法定任务，并被认为是通过基金会的知识分子优点和更广泛影响的审查标准通过评估来获得支持的。