| Abstract | The Resource Public Key Infrastructure (RPKI) increasingly protects global routing against attacks. RPKI protection builds on the security and availability of RPKI objects, which are stored in public RPKI repositories. Despite their critical role, not much is known about the technical specifics of these repositories. Which implementations do they use? Is the software maintained and secure? Which vulnerabilities persist? Answering these questions is essential to evaluate security and resilience of current RPKI architecture. In this work, we develop the first methods for fingerprinting RPKI repositories based on RPKI specification, using undefined implementation-specifics like arbitrary element order or naming conventions as fingerprinting metrics. We evaluate our methodology on all current production RPKI repositories and identify 7 different deployed implementations. We find implementations diversity, especially for large providers, but also identify that most repositories (56\%) use the same software, Krill. Fingerprinting shows that most deployed software (71\%) is vulnerable to attacks, and 4 repositories use software deprecated over 7 years ago. Our work is not only an important step towards a complete view of RPKI ecosystem security, but it also shows that specification analysis serves as a powerful basis for fingerprinting. |
|---|
