[Sidrops] Stalloris: RPKI Downgrade Attack

"Hove, K.W. van (Koen, Student M-CS)" <k.w.vanhove@student.utwente.nl> Tue, 03 May 2022 13:23 UTC

From: "Hove, K.W. van (Koen, Student M-CS)" <k.w.vanhove@student.utwente.nl>
To: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: Stalloris: RPKI Downgrade Attack
Thread-Index: Adhe70MsMgAMu1jtQryE1y7NKtcg7Q==
Date: Tue, 03 May 2022 13:23:23 +0000
Message-ID: <AS4P195MB142948CC066435891815A8C88CC09@AS4P195MB1429.EURP195.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/cxvMBMZLHtI6kkT_m998mqsApcg>
Subject: [Sidrops] Stalloris: RPKI Downgrade Attack
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>

Dear all,

I recently became aware of this new pre-publication [1] from the Fraunhofer Institute for Secure Information Technology SIT and National Research Center for Applied Cybersecurity ATHENE titled "Stalloris: RPKI Downgrade Attack", which I believe might be of interest to you as well.

The abstract reads:

> We demonstrate the first downgrade attacks against RPKI. The key design property in RPKI that allows our attacks is the tradeoff between connectivity and security: when networks cannot retrieve RPKI information from publication points, they make routing decisions in BGP without validating RPKI. We exploit this tradeoff to develop attacks that prevent the retrieval of the RPKI objects from the public repositories, thereby disabling RPKI validation and exposing the RPKI-protected networks to prefix hijack attacks.
> We demonstrate experimentally that at least 47% of the public repositories are vulnerable against a specific version of our attacks, a rate-limiting off-path downgrade attack. We also show that all the current RPKI relying party implementations are vulnerable to attacks by a malicious publication point. This translates to 20.4% of the IPv4 address space.
> We provide recommendations for preventing our downgrade attacks. However, resolving the fundamental problem is not straightforward: if the relying parties prefer security over connectivity and insist on RPKI validation when ROAs cannot be retrieved, the victim AS may become disconnected from many more networks than just the one that the adversary wishes to hijack. Our work shows that the publication points are a critical infrastructure for Internet connectivity and security. Our main recommendation is therefore that the publication points should be hosted on robust platforms guaranteeing a high degree of connectivity.

Personally, I do wonder how feasible this is in practice. I am in the process of trying to reproduce the experiment using the methods they describe, but so far to no avail. Should anyone else have any success (or lack thereof), please let me know.

Cordially,
Koen van Hove

[1] https://www.usenix.org/conference/usenixsecurity22/presentation/hlavacek
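To make the connectivity-versus-security tradeoff in the quoted abstract concrete, the following is an added simulation; it is not code from the paper, from the relying-party implementations it evaluates, or from the poster. It models RFC 6811 route origin validation and two relying-party behaviours when a publication point cannot be fetched: discarding that repository's VRPs (so a route for the affected prefix becomes NotFound and is accepted) versus retaining the last known-good VRPs until their own validity ends. The repository labels, ASNs, prefixes and validity times are constructed, and the retain-until-expiry behaviour is a generic defender-side mitigation, not the paper's specific recommendation.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed example: a minimal ROV model (RFC 6811) plus a relying party
# that either drops or retains cached VRPs when a publication point is down.

@dataclass(frozen=True)
class VRP:
    prefix: str
    max_length: int
    asn: int
    repo: str          # publication point the VRP came from (constructed label)
    valid_until: int   # end of the ROA's validity, as a simulated epoch second

def rov_state(route_prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'notfound' per RFC 6811 origin validation."""
    route = ip_network(route_prefix)
    # Covering VRPs: those whose prefix contains the announced prefix.
    covering = [v for v in vrps if route.subnet_of(ip_network(v.prefix))]
    if not covering:
        return "notfound"
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"

def relying_party_view(cache, reachable_repos, now, retain_stale):
    """VRPs the relying party exports after one fetch cycle.
    retain_stale=False: VRPs from an unreachable repo are discarded (the
    tradeoff the abstract describes). retain_stale=True: the last known-good
    VRPs are kept until their own validity end."""
    return [v for v in cache
            if v.repo in reachable_repos or (retain_stale and v.valid_until > now)]

# Constructed cache: two ROAs fetched from two different publication points.
CACHE = [
    VRP("192.0.2.0/24", 24, 64500, "repo-A", valid_until=2000),
    VRP("198.51.100.0/24", 24, 64501, "repo-B", valid_until=2000),
]

def route_state_after_outage(retain_stale, now=1000):
    """ROV state of 192.0.2.0/24 announced by AS 64666 (not the ROA holder)
    while repo-A, which holds the covering ROA, is unreachable."""
    vrps = relying_party_view(CACHE, {"repo-B"}, now, retain_stale)
    return rov_state("192.0.2.0/24", 64666, vrps)

if __name__ == "__main__":
    print("drop on fetch failure:", route_state_after_outage(False))  # notfound: route accepted
    print("retain last-known-good:", route_state_after_outage(True))  # invalid: route still rejected
```

The same function shows the normal case: with repo-A reachable, the route from AS 64666 is Invalid and an announcement by AS 64500 is Valid, so only the fetch failure turns the covering ROA into "no information".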