May 2026 CACM: Are We Actually There? Assessing RPKI Maturity

ACM (Association for Computing Machinery)
Apr 24, 2026

Why It Matters

RPKI’s partial deployment already shields much of the internet, yet hidden flaws could expose critical routing infrastructure, making coordinated research and standards upgrades essential for true resilience.

Key Takeaways

  • RPKI secures over half of BGP prefixes but is still immature
  • Deployment complexity increases the risk of errors and misconfiguration
  • Software bugs, like the rejection of an Amazon object, leave routes unprotected
  • Patch delays and open‑source quality issues leave many RPKI nodes vulnerable
  • Coordinated standards, research, and operator guidance needed for true maturity

Summary

The May 2026 Communications of the ACM paper "Are We Actually There? Assessing RPKI Maturity" examines whether the Resource Public Key Infrastructure (RPKI) has reached the maturity level touted by the White House in 2024. While RPKI now protects more than 50% of BGP prefixes, the authors argue that its operational reliability remains incomplete.

Through simulations and field measurements, the researchers found that broader deployment makes the routing ecosystem more intricate, increasing the likelihood of configuration errors and exploitable software bugs. Notable issues include an Amazon‑issued object that validators misinterpreted, leaving those prefixes unprotected, and widespread delays in patching open‑source RPKI implementations, some of which may contain hidden vulnerabilities.
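Why a rejected object leaves prefixes unprotected, as an added example that is not from the paper or this page: a minimal RFC 6811 route origin validation run against two validator views, one that accepted a ROA and one that discarded it. The prefix, AS numbers, ROA and the "drop only invalid" router policy are constructed assumptions, and the sketch generalizes beyond the Amazon case to any object a validator rejects.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, maxLength, origin AS) tuple."""
    prefix: str
    max_length: int
    origin_asn: int

def validate_origin(route_prefix, origin_asn, vrps):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this VRP does not cover the route
        covered = True
        if (route.prefixlen <= vrp.max_length
                and vrp.origin_asn == origin_asn and origin_asn != 0):
            return "valid"
    # Covered but never matched means invalid; no covering VRP means not-found.
    return "invalid" if covered else "not-found"

def router_accepts(state):
    """Assumed policy: drop only 'invalid'; 'not-found' is still accepted."""
    return state != "invalid"

# Constructed data: documentation prefix (RFC 5737) and ASNs (RFC 5398).
ROA = VRP("203.0.113.0/24", 24, 64496)
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),    # legitimate origin
    ("203.0.113.0/24", 64511),    # wrong origin AS
    ("203.0.113.128/25", 64496),  # more specific than maxLength allows
]

def compare_validators():
    """Validator A accepts the ROA; validator B rejected the object, so no VRP."""
    view_a, view_b = [ROA], []
    return [(p, asn, validate_origin(p, asn, view_a), validate_origin(p, asn, view_b))
            for p, asn in ANNOUNCEMENTS]

if __name__ == "__main__":
    for prefix, asn, a, b in compare_validators():
        print(f"{prefix} AS{asn}: A={a} (accept={router_accepts(a)}) "
              f"B={b} (accept={router_accepts(b)})")
```

With the ROA present, the wrong-origin and too-specific announcements are invalid and dropped; once the validator discards the object, all three fall back to not-found and pass the filter.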

The paper highlights concrete examples: the Amazon organization‑name field error, inconsistent validator behavior across vendors, and the absence of a robust certification process for RPKI components. The authors call for more published operational experiences to give network operators a clear deployment roadmap and stress that the current specification lacks flexibility for future cryptographic algorithms.

The authors conclude that RPKI is a valuable security layer but requires coordinated effort among standards bodies, researchers, and operators to address software quality, patch management, and specification agility. Without such collaboration, the perceived maturity may mask systemic risks that could undermine internet routing security.

Original Description

Haya Schulmann, Niklas Vogel, and Michael Waidner discuss "Are We Actually There? Assessing RPKI Maturity," a Research Article in the May 2026 CACM.
