Beyond Limits: How to Disable Validators in Secure Networks

Relying party validator is a critical component of RPKI: it fetches and validates signed authorizations mapping prefixes to their owners. Routers use this information to block bogus BGP routes. Since the processing time of validators is not limited, malicious repositories could stall them. To limit the time that RPKI validators spend on downloading RPKI objects, thresholds were introduced into all popular implementations. We perform the first analysis of the thresholds. On the one hand, we show that the current thresholds are too permissive and hence do not prevent attacks. On the other hand, we show that even those permissive thresholds cause 11.78% failure rate in validators. We find experimentally that although stricter thresholds would make attacks more difficult they would significantly increase the failure rates. Our analysis shows that no matter what balance between permissive-strict thresholds is struck, one of the problems, either failures or exposure to attacks, will always persist. As a solution against attacks and failures we develop a sort-and-limit algorithm for validators. We demonstrate through extensive evaluations on a simulated platform that our algorithm prevents the attacks and failures not only in the current but also in full RPKI deployment.