Publications

Demo: Stopping Production Testing: A Graphical RPKI Test-Suite

Author: Kirsch, Tobias; Schulmann, Haya; Vogel, Niklas
Date: 2025
Type: Conference Proceedings
Abstract: The Resource Public Key Infrastructure (RPKI) is increasingly protecting global BGP routing and major players are pushing for wide-scale adoption. RPKI protection relies on correct publication and validity of RPKI objects: If a prefix has no valid covering RPKI object, e.g., because the object is invalid or expired, the prefix is not protected from hijacks. At the same time, ASes that issue RPKI objects lack any feedback whether their objects are considered valid by all RPKI validation software. This lack of feedback has repeatedly led to operational issues, and problems with object validity are persistent to this day. Oftentimes, issues with objects are only detected in production, after they have caused damage to routing. A prominent example of this is an issue with Amazon objects in 2023 that left 6000 of its prefixes open to hijack in any AS using a specific RPKI validator software implementation. In this work, we present a novel RPKI toolsuite that allows for comprehensive testing of RPKI objects, enabling operators to detect issues in their object configurations before production use. For this, our tool allows parsing arbitrary DER/base64 encoded objects, editing their content and structure, and live-testing them against all current RPKI validator implementations to probe for inconsistent validation results, errors, and even vulnerabilities. Our work provides an important foundation to ensure RPKI resilience against misconfigurations and facilitates future research into RPKI security. We make our tool open-source and provide a hosted web application to enable usage by the community.
ISBN: 9798400715259
In: Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, p. 4722-4723
Publisher: Association for Computing Machinery
Partn: schulmann2025stopprodtesting