Frontiers of Data and Computing


A Revocation Detection Mechanism in RPKI Based on Behavior Transparency

ZOU Hui, LI Yanbiao, YU Chenhui, MA Di, MAO Wei

  1. Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China
  2. University of Chinese Academy of Sciences, Beijing 100049, China
  3. ZDNS, Beijing 100190, China
  • Received: 2021-10-20


[Objective] In response to the problem of resource failure caused by unilateral revocation in the current Resource Public Key Infrastructure (RPKI), this paper proposes a novel scheme based on Behavior Transparency (BT) to detect unilateral revocations, and demonstrates its effect and performance through extensive experiments. [Methods] The paper first analyzes the unilateral revocation problem in detail, together with the risk of resource failure it causes, and then proposes to monitor and handle unilateral revocations with the help of a log server that records the issuance behaviors of CAs. [Results] According to the experimental results, the efficiency of the proposed scheme satisfies the performance demands of the current RPKI system, and its accuracy in detecting unilateral revocations can reach 100% as long as a credible and fully controllable log server is deployed. Moreover, the additional transmission overhead of communicating with the log server is negligible. [Limitations] The accuracy, performance, and scalability of the proposed scheme need to be evaluated further in large-scale RPKI systems to verify its value in case RPKI is fully or near-fully deployed in the future. [Conclusions] In current RPKI systems, the proposed scheme can effectively detect unilateral revocations with negligible overhead, enabling CAs to monitor the validity of their resources and whether their superiors have revoked what they issued.
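The following is an added illustration of the detection idea sketched in the abstract, not code from the paper or its authors. It assumes a simplified model of the behavior-transparency log: each CA action (issuance or revocation of a child certificate) is appended to a hash-chained log together with the party that requested it, and a monitor acting for a resource holder compares the log against a snapshot of the parent CA's published CRL. The CA names, serial numbers and CRL contents are constructed sample data; the paper's actual record format and protocol are not reproduced here.

```python
"""Toy behavior-transparency log for RPKI CA actions (constructed example, not the paper's code)."""
from dataclasses import asdict, dataclass, replace
from typing import Dict, List, Set, Tuple
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


@dataclass(frozen=True)
class Behavior:
    issuer: str        # parent CA that performed the action
    subject: str       # holder whose certificate is affected
    serial: int        # certificate serial number (constructed value)
    action: str        # "issue" or "revoke"
    requested_by: str  # party that asked for the action (assumed field)


@dataclass(frozen=True)
class LogEntry:
    index: int
    behavior: Behavior
    prev_hash: str
    entry_hash: str


class BehaviorLog:
    """Append-only, hash-chained record of CA issuance/revocation behaviors."""

    def __init__(self) -> None:
        self.entries: List[LogEntry] = []

    @staticmethod
    def _hash(index: int, behavior: Behavior, prev_hash: str) -> str:
        payload = json.dumps({"i": index, "b": asdict(behavior), "p": prev_hash}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, behavior: Behavior) -> LogEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        idx = len(self.entries)
        entry = LogEntry(idx, behavior, prev, self._hash(idx, behavior, prev))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every link; any edited or reordered entry breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or e.entry_hash != self._hash(e.index, e.behavior, prev):
                return False
            prev = e.entry_hash
        return True

    def history(self, subject: str) -> List[Behavior]:
        return [e.behavior for e in self.entries if e.behavior.subject == subject]


def detect_unilateral_revocations(log: BehaviorLog, subject: str,
                                  published_crl: Dict[str, Set[int]]) -> List[Tuple[int, str]]:
    """Compare the log's view of `subject`'s certificates with the parents' published CRLs.

    published_crl maps an issuer name to the serials currently on its CRL (a constructed snapshot).
    Returns (serial, reason) pairs for every certificate whose revocation the holder did not request.
    """
    issued: Dict[int, str] = {}            # serial -> issuer
    logged_revocations: Dict[int, Behavior] = {}
    for b in log.history(subject):
        if b.action == "issue":
            issued[b.serial] = b.issuer
        elif b.action == "revoke":
            logged_revocations[b.serial] = b

    findings: List[Tuple[int, str]] = []
    for serial, issuer in issued.items():
        on_crl = serial in published_crl.get(issuer, set())
        rev = logged_revocations.get(serial)
        if rev is None and on_crl:
            findings.append((serial, "revoked-off-log"))         # CRL changed without any logged behavior
        elif rev is not None and rev.requested_by != subject:
            findings.append((serial, "revoked-unilaterally"))    # logged, but not requested by the holder
    return findings


def build_demo_log() -> BehaviorLog:
    """Constructed scenario: parent 'RIR' issues three certificates to holder 'ISP-A'."""
    log = BehaviorLog()
    for serial in (1001, 1002, 1003):
        log.append(Behavior("RIR", "ISP-A", serial, "issue", requested_by="ISP-A"))
    log.append(Behavior("RIR", "ISP-A", 1002, "revoke", requested_by="ISP-A"))  # holder-initiated, legitimate
    log.append(Behavior("RIR", "ISP-A", 1003, "revoke", requested_by="RIR"))    # parent-initiated, unilateral
    return log


def demo() -> List[Tuple[int, str]]:
    # Constructed CRL snapshot: 1001 is on the CRL although no revocation was ever logged.
    crl = {"RIR": {1001, 1002, 1003}}
    return detect_unilateral_revocations(build_demo_log(), "ISP-A", crl)


def tampered_demo_log() -> BehaviorLog:
    """Rewrite one entry in place to show that the chain check catches silent edits."""
    log = build_demo_log()
    first = log.entries[0]
    log.entries[0] = replace(first, behavior=replace(first.behavior, requested_by="RIR"))
    return log


if __name__ == "__main__":
    print(demo())  # [(1001, 'revoked-off-log'), (1003, 'revoked-unilaterally')]
```

In this model the holder's monitor learns two different things: a serial that appears on the CRL with no corresponding log entry means the parent acted outside the transparency log entirely, while a logged revocation the holder never requested is a unilateral revocation that the log itself makes visible. The hash chain only makes tampering detectable; the accuracy claim in the abstract rests on the log server itself being trustworthy.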
