Dataplane.org

@dataplane@noc.social
202 Followers | 3 Following | 4 Posts
We are a US 501(c)(3) nonprofit organization that supports the Internet's network, research, and security communities with systems, data, and analysis.
Homepage: https://dataplane.org
PQC for the RPKI

Future capabilities of quantum attackers will present a host of new vulnerabilities for RPKI. A research student from SIDN Labs presents the first work on post-quantum cryptography for the RPKI, establishing the foundation for making this critical Internet infrastructure quantum-safe.

RIPE Labs
We've Issued Our First IP Address Certificate

Since Let’s Encrypt started issuing certificates in 2015, people have repeatedly requested the ability to get certificates for IP addresses, an option that only a few certificate authorities have offered. Until now, they’ve had to look elsewhere, because we haven’t provided that feature. Today, we’ve issued our first certificate for an IP address, as we announced we would in January. As with other new certificate features on our engineering roadmap, we’ll now start gradually rolling out this option to more and more of our subscribers.

A new efficient RPKI Design

Resource Public Key Infrastructure (RPKI) is a critical security mechanism for BGP, but the complexity of its architecture is a growing concern as its adoption scales. Current RPKI design heavily reuses legacy PKI components, such as X.509 EE-certificates, ASN.1 encoding, and XML-based repository protocols, all of which introduce excessive cryptographic validation, redundant metadata, and inefficiencies in both storage and processing. We show that these design choices, although based on established standards, create significant performance bottlenecks, increase the vulnerability surface, and hinder scalability for wide-scale Internet deployment. In this paper, we perform the first systematic analysis of the root causes of complexity in RPKI's design and experimentally quantify their real-world impact. We show that over 70% of validation time in RPKI relying parties is spent on certificate parsing and signature verification, much of it unnecessary. Building on this insight, we introduce the improved RPKI (iRPKI), a backwards-compatible redesign that preserves all security guarantees while substantially reducing protocol overhead. iRPKI eliminates EE-certificates and ROA signatures, merges revocation and integrity objects, replaces verbose encodings with Protobuf, and restructures repository metadata for more efficient access. We experimentally demonstrate that our implementation of iRPKI in the Routinator validator achieves a 20x speed-up of processing time, an 18x improvement in bandwidth requirements, and an 8x reduction in cache memory footprint, while also eliminating classes of vulnerabilities that have led to at least 10 vulnerabilities in RPKI software. iRPKI significantly increases the feasibility of deploying RPKI at scale in the Internet, and especially in constrained environments. Our design may be deployed incrementally without impacting existing operations.

arXiv.org

#introduction

We are a US 501(c)(3) nonprofit supporting network operations, Internet research, and security communities with systems, data, and analysis.

We operate a global network of services including sensor and measurement nodes on over 100 different hosting providers.

We are known for our experience in #BGP, #DNS, information security, network measurement, and Internet infrastructure operations.