The difficulty of applying a hierarchically organized PKI to the decentralized world of Internet routing is being fully exposed in a new Internet-draft. The document represents a rational response to an RPKI that closely ties address resources to a handful of Internet governance institutions, nicely illustrates how governments and national security policy are influencing Internet security, and portends substantial costs for network operators and beyond if adopted widely.
To start, a quick reminder of the three informational components that together comprise RPKI. First, there are the statements created by network operators that authorize route origination and are contained in the RPKI. Second, there are the certificates issued by the RIRs and other parties in the RPKI hierarchy that are used by relying parties (i.e., other network operators) to validate the authenticity and integrity of those statements. Finally, there are public keys used by relying parties to validate the chain of certificates in the PKI, starting with a trust anchor. In theory, these pieces of information can be used together by network operators to help prevent unauthorized routing.
The Internet-draft, entitled Suspenders: A Fail-safe Mechanism for the RPKI, was authored by participants affiliated with longtime US defense contractor BBN/Raytheon. It describes a system for protecting against “inappropriate” changes to the data in the RPKI. The motivation for it was presented in a set of slides at IETF 87 this summer:
A nation might worry that some entity in the resource allocation hierarchy could (accidentally or maliciously) revoke a certificate for critical infrastructure resources (in that nation, or elsewhere)
A nation can protect nets within its administrative jurisdiction against such mishaps IF it can direct internal nets to rely on a national authority for RPKI for these critical infrastructure resources
If the country could externally declare the ROA [route origin authorization] data for its ISPs, that would be even better (subject to appropriate controls).
To accomplish this, Suspenders proposes a LOCK record stored in the RPKI which points to an externally hosted Internet Number Resource Declaration (INRD) file. The INRD file, validated independently of the RPKI, can be used by a relying party to corroborate the routing origin authorization information stored in the RPKI. If the data does not match, the relying party makes a determination of whether or not to trust information in the RPKI and routes accordingly.
Practically, Suspenders decouples the publication and validation of routing origin authorization information from the RIRs. In the colorful words of the authors, it eliminates under specific conditions the threat of a certificate authority accidentally or deliberately “whacking” an ISP’s route origin authorizations by rescinding a certificate. And the threat of “whacking” is real from technical, policy and legal perspectives. According to work done at Boston University to be presented at Hotnets, the revocation of certificates could have significant extraterritorial implications for routing. While the RIRs have deployed RPKI as an opt-in service with terms and conditions to which subscribers must adhere, bottom-up policies governing certificates used in the RPKI have not been developed. And it’s legally uncertain how RIRs would respond to LEA requests to revoke certificates, but we already know one RIR has no legal standing to object to certain requests about registry data.
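To make the corroboration step concrete, here is a small relying-party model of the mechanism the last two paragraphs describe. It is an added example, not code from the draft or its authors, and it simplifies freely: the INRD is a JSON stand-in rather than the draft's real encoding, its "independent validation" is modelled as a digest the relying party pinned out of band (a real deployment would verify a signature), and the local policy names are made up. The ROA sets, AS numbers and prefixes are constructed sample data. What it shows is how a revocation higher in the hierarchy empties an ISP's validated ROA set, how the INRD exposes that gap, and how the relying party's chosen policy decides the route origin validation outcome.

```python
"""Toy relying-party model of the Suspenders cross-check (added example).

Assumptions: the INRD format, the digest pin and the policy names below
are stand-ins chosen for illustration, not the draft's actual definitions.
"""
import hashlib
import ipaddress
import json
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str
    max_length: int
    origin_asn: int


# What the RPKI hands the relying party after normal chain validation.
# Constructed sample: two ROAs for AS64500 survive validation.
RPKI_VALID_ROAS = {
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/24", 24, 64500),
}

# The same view after a CA in the hierarchy revokes the ISP's certificate:
# every ROA issued under that certificate is now invalid ("whacked").
RPKI_AFTER_REVOCATION: set[ROA] = set()

# The file the LOCK record points at (constructed JSON stand-in for an INRD).
INRD_FILE = json.dumps({
    "holder": "AS64500",
    "roas": [
        {"prefix": "192.0.2.0/24", "max_length": 24, "origin_asn": 64500},
        {"prefix": "198.51.100.0/24", "max_length": 24, "origin_asn": 64500},
    ],
}, sort_keys=True).encode()

# Stand-in for "validated independently of the RPKI": assume the relying
# party learned this digest out of band and pinned it.
INRD_PINNED_DIGEST = hashlib.sha256(INRD_FILE).hexdigest()


def load_inrd(data: bytes, pinned_digest: str) -> set[ROA]:
    """Check INRD integrity against the out-of-band pin, then parse it."""
    if hashlib.sha256(data).hexdigest() != pinned_digest:
        raise ValueError("INRD integrity check failed")
    doc = json.loads(data)
    return {ROA(r["prefix"], r["max_length"], r["origin_asn"]) for r in doc["roas"]}


def corroborate(rpki_roas: set[ROA], inrd_roas: set[ROA]) -> dict[str, set[ROA]]:
    """Compare what the RPKI yielded with what the holder declared."""
    return {
        "corroborated": rpki_roas & inrd_roas,
        "missing_from_rpki": inrd_roas - rpki_roas,   # possible revocation
        "unexpected_in_rpki": rpki_roas - inrd_roas,  # possible injection
    }


def effective_roas(rpki_roas: set[ROA], inrd_roas: set[ROA],
                   policy: str = "prefer-inrd") -> set[ROA]:
    """Local policy for a mismatch (policy names are this example's own).

    prefer-inrd  : act on the holder's declaration (the fail-safe behaviour)
    prefer-rpki  : ignore the INRD, keep the RPKI result
    intersection : act only on ROAs both sources agree on
    """
    report = corroborate(rpki_roas, inrd_roas)
    if policy == "prefer-inrd":
        return set(inrd_roas)
    if policy == "prefer-rpki":
        return set(rpki_roas)
    if policy == "intersection":
        return report["corroborated"]
    raise ValueError(f"unknown policy {policy!r}")


def rov_state(prefix: str, origin_asn: int, roas: set[ROA]) -> str:
    """Route origin validation: valid / invalid / not-found (IPv4 sample only)."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"
    if any(r.origin_asn == origin_asn and net.prefixlen <= r.max_length
           for r in covering):
        return "valid"
    return "invalid"


if __name__ == "__main__":
    inrd = load_inrd(INRD_FILE, INRD_PINNED_DIGEST)
    for label, view in (("normal", RPKI_VALID_ROAS), ("after revocation", RPKI_AFTER_REVOCATION)):
        print(label, corroborate(view, inrd))
        for policy in ("prefer-rpki", "prefer-inrd", "intersection"):
            chosen = effective_roas(view, inrd, policy)
            print("  ", policy, rov_state("192.0.2.0/24", 64500, chosen))
```

Run as a script it prints the corroboration report for both RPKI views and the resulting validation state for the ISP's own announcement under each policy. The revoked view is the interesting one: with `prefer-rpki` the announcement becomes `not-found`, while `prefer-inrd` keeps it `valid`, which is exactly the decoupling from the RIR hierarchy that the draft is after, and also exactly why whoever controls the INRD (the ISP, or a government server as in the Elbonia scenario below) controls the outcome.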
So, now we know at least one U.S. government agency is concerned with the flip side of security that RPKI enables, i.e., control of routing. The motivation for Suspenders is generally consistent with larger national-security oriented policy objectives, e.g., the 2013 Executive Office order and Commerce Dept recommendations, which are concerned with protecting U.S. “critical infrastructure,” much of which happens to run over networks using the Internet protocol. Apparently, the motivation is shared by more than one government. Engineers at the Chinese Network Information Center (CNNIC), according to one author, expressed concerns about foreign influence and the RPKI and helped to refine the work.
Unsurprisingly, nation-states aren’t very interested in global Internet governance when it potentially impacts their critical infrastructure. Therefore they adapt. In some sense, Suspenders is the emergence of a “separate system policy” for governments, similar to the experience with DNSSEC. Nonetheless, network operators shouldn’t expect pressure to use the RIRs’ RPKI to abate. A single-rooted RPKI will continue to be cautiously advocated by the institutions that stand to benefit from it, namely the RIRs and ICANN.
Possible fallout from Suspenders
It is still just a draft, but if Suspenders is standardized and deployed it could come with substantial cost depending on where you sit. For one, it could provide an avenue for governments to exert direct control over what network operators route. In the authors’ words:
For example, Elbonia might mandate that every INR holder within the country make use of Suspenders. Every Elbonian INR holder will be required to include a LOCK record in its publication point [within RPKI], no matter where that publication point is realized. The URL in each LOCK points to a file on a server managed by an Elbonian government organization.
Another concern is the cost of validating the numerous INRD files required by governments or used by network operators with similar concerns about the RPKI. Similar to DNSSEC’s islands of trust problem, disparate INRD files introduce more complexity for operators. Federations of operators might emerge, but these would similarly require coordination within and between them to maintain seamless validation and secure routing.
To date, reaction from the Working Group reviewing the draft has been muted. It will be interesting to see where the various interests come down and how influential the supporters of the draft turn out to be. It may be possible to accommodate governments’ concerns using Suspenders, but it is also perfectly legitimate to question how closely routing security should be tied to a territorial view of the world.
nice update..!