Title: How (Not) to Deploy Cryptography on the Internet
Authors: Haya Shulman
Published in: Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy
Publication date: 2022-04-14
DOI: 10.1145/3508398.3511270 (https://doi.org/10.1145/3508398.3511270)
Citations: 1
Abstract
The core protocols in the Internet infrastructure play a central role in delivering packets to their destination. The inter-domain routing with BGP (Border Gateway Protocol) computes the correct paths in the global Internet, and DNS (Domain Name System) looks up the destination addresses. Due to their critical function they are often attacked: the adversaries redirect victims to malicious servers or networks by making them traverse incorrect routes or reach incorrect destinations, e.g., for cyber-espionage, for spam distribution, for theft of crypto-currency, for censorship [1, 4-6]. This results in relatively stealthy attacks which cannot be immediately detected and prevented [2, 3]. By the time the attacks are detected, damage was already done. The frequent attacks along with the devastating damages that they incur, motivates the deployment of cryptographic defences to secure the Internet infrastructure. Multiple efforts are devoted to protecting the core Internet protocols with cryptographic mechanisms, BGP with RPKI and DNS with DNSSEC. Recently the deployment of these defences took off, and many networks and DNS servers in the Internet already adopted them. We review the deployed defences and show that the tradeoffs made by the operators or developers can be exploited to disable the cryptographic defences. We also provide mitigations and discuss challenges in their adoption.