[Feature request] RPKI Handling #6173

Open
7 of 10 tasks
SkewedZeppelin opened this issue Apr 23, 2024 · 1 comment
Labels
feature request For issues asking for new features

Comments

@SkewedZeppelin

I have checked if others have suggested this already

  • I have checked this issue tracker to see if others have reported similar issues.

Feature description

RPKI is a useful technology to prevent hijacking of routes on the Internet.
There is a testing tool and a somewhat up-to-date list of which ISPs support it here: https://isbgpsafeyet.com/

Please add the ability to filter out exits/locations without RPKI support in order to ensure greater integrity of connections.

Alternative solutions

Alternatives would be phasing out use of providers which don't support RPKI or lobbying them to add it.

Type of feature

  • Better privacy/anonymity
  • Better at circumventing censorship
  • Easier to use
  • Other

Operating System

  • Android
  • iOS
  • Windows
  • macOS
  • Linux
@SkewedZeppelin added the "feature request" label Apr 23, 2024
@SkewedZeppelin changed the title from "[Feature request] RPKI" to "[Feature request] RPKI Handling" Apr 23, 2024
@benjaminhays

This may be a convenient thing to have on the list of servers present on the site for those curious about the state of RPKI support in privacy services, but it doesn't really give the user much more sanity or security by restricting exit nodes to solely RPKI-compliant ASNs. A lot of the threat models of the users of Mullvad and other VPNs tend to automatically assume that all traffic can and will be inspected and possibly interfered with by a third party. Mitigating these concerns is one of the main selling points for VPNs as a whole.

Assuming all of Mullvad PKI works and the ciphers involved remain secure to cryptanalysis, a BGP hijack would have no serious effect besides an effective DoS (which would be immediately noticeable, picked up upon, and bypassed via switching locations). Of course, if you're sending plaintext traffic from one of Mullvad's exit servers, you could be vulnerable to information leakage, but if you're planning on sending unencrypted data from a VPN in 2024 you've got a whole different problem altogether.

Don't get me wrong, RPKI is a great technology that should be implemented by far more ASNs than currently implement it, but it's generally more a security concern for ISPs than individuals. A BGP hijack is generally a mild inconvenience for users, but for an ISP it's a tremendous loss of money, customer trust, and added potential legal liability due to breach of contract.
