Pruning the Tree: Rethinking RPKI Architecture from the Ground up
Haya Schulmann
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Network Security
The **Resource Public Key Infrastructure (RPKI)** is the security architecture for internet routing, enabling verification of BGP route announcements. With approximately **60%** of announced prefixes now covered by RPKI objects, deployment has progressed beyond infancy -- making it time to evaluate whether the architecture actually works well. This talk argues that current RPKI design is unnecessarily complex and inefficient, carrying overhead from reusing existing PKI technologies rather than optimizing for its specific use case. The researchers demonstrate that by removing redundant signatures, eliminating per-object end-entity certificates, and combining manifest/CRL files, they can achieve the **same security guarantees with up to 20-fold improvement** in validation time.
AI review
A well-reasoned protocol optimization paper that identifies genuine redundancies in RPKI design and achieves significant validation performance improvements. However, this is protocol engineering, not security research. No new attacks, no vulnerabilities exploited, and the 'same security guarantees' claim means nothing new is defended against. The most interesting security angle -- that complexity causes implementation bugs -- is mentioned but not deeply explored.