The Resource Public Key Infrastructure (RPKI) is the main mechanism to protect inter-domain routing with BGP from prefix hijacks. It has already been widely deployed by large providers, and the adoption rate is approaching a critical point. Almost half of all global prefixes are now covered by RPKI, and measurements show that 27% of networks already use RPKI to validate BGP announcements. Over the past 10 years, there has been much research effort on RPKI, analyzing different facets of the protocol, such as software vulnerabilities, robustness of the infrastructure or the proliferation of RPKI validation. In this work we compile the first systemic overview of the vulnerabilities and misconfigurations in RPKI and quantify the security landscape of the global RPKI deployments based on our measurements and analysis. Our study discovers that 56% of the global RPKI validators suffer from at least one documented vulnerability. We also systematize the knowledge from existing RPKI security research and complement it with novel measurements, in which we discover new trends in the availability of RPKI repositories and in their communication patterns with the RPKI validators. We weave together the results of existing research and our study to provide a comprehensive tableau of vulnerabilities and their sources, and to derive the future research paths necessary to prepare RPKI for full global deployment.