Smart RPKI Validation: Avoiding Errors and Preventing Hijacks

Abstract

Resource Public Key Infrastructure (RPKI) was designed to authorize ownership of prefixes in the Internet, which routers use to filter bogus BGP announcements and so prevent prefix hijacks. Although 360K routes already have valid covering Route Origin Authorizations (ROAs), RPKI is not widely validated. Erroneous ROAs are one of the obstacles to wide filtering of bogus BGP announcements with Route Origin Validation (ROV). Erroneous ROAs conflict with BGP announcements and appear similar to hijacking announcements. Blocking such conflicting announcements can disconnect networks and hence discourages enforcement of ROV. In this work we analyse the conflicts and develop an extension to ROV, which we call smart ROV (SROV), to automatically differentiate errors from traffic hijacks. Networks can then block only the hijacks and accept conflicting announcements that are due to errors. We demonstrate the effectiveness of SROV experimentally using real conflicts that we collected in the Internet, with simulations on empirically derived datasets. We also develop a global notification service based on SROV, for alerting networks of errors
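
An added illustration, not code from the paper: standard route origin validation as specified in RFC 6811, run over constructed ROA data and announcements (documentation prefixes and AS numbers). It shows why plain ROV gives an announcement that conflicts with an erroneous ROA the same "invalid" state as a hijack; it does not implement SROV, whose method this abstract does not describe.

```python
import ipaddress

def rov_state(prefix, origin_as, vrps):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'.

    vrps is a list of (roa_prefix, max_length, authorized_as) tuples.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if the route lies inside the ROA prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Match: same origin AS (AS 0 never matches) and length within maxLength.
        if vrp_as != 0 and vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"

# Constructed sample data (documentation ranges, not real ROAs).
# The ROA authorizes AS64496 for 192.0.2.0/24 with maxLength 24.
VRPS = [("192.0.2.0/24", 24, 64496)]

# Constructed announcements: (label, prefix, origin AS)
ANNOUNCEMENTS = [
    ("owner, exact prefix",             "192.0.2.0/24",    64496),
    ("owner, more specific than ROA",   "192.0.2.0/25",    64496),  # ROA too strict
    ("different origin, same prefix",   "192.0.2.0/24",    64511),  # hijack-like
    ("prefix with no covering ROA",     "198.51.100.0/24", 64500),
]

def classify_all():
    """Return {label: state} for the constructed announcements above."""
    return {label: rov_state(p, asn, VRPS) for label, p, asn in ANNOUNCEMENTS}

if __name__ == "__main__":
    for label, state in classify_all().items():
        print(f"{label:32s} -> {state}")
```

The second and third announcements both come back "invalid", although one originates from the AS named in the ROA and the other does not.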
