The Resource Public Key Infrastructure (RPKI) is a system designed to improve Internet routing security. However, the protection scope of RPKI remains limited due to ineffective deployment of Route Origin Validation (ROV), the process that verifies the legitimacy of BGP announcements using RPKI data. Several deployment strategies have been proposed to increase the security benefits of partial ROV deployment. However, these strategies fail to detect the hidden propagation paths that can be exploited by illegitimate routes, resulting in their protection being vulnerable to hijacking attacks. In this paper, we introduce ihege, a novel metric that effectively captures the hidden propagation paths of RPKI-invalid routes. The ihege employs the routing model to discover possible propagation paths that are not observed in BGP data and prioritize ASes by their ability to eliminate the possible propagation paths of RPKI-invalid routes. We then propose ihege-based deployment strategy and evaluate its security impact under various hijacking scenarios. Experimental results show that, when deploying ROV on the same number of ASes, the ihege-based strategy reduces the number of infected ASes by 25.9%–74.7% in comparison with other strategies.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

More Bang for Your Buck: Gaining Collateral Benefit from Partial ROV Deployment

  • Yuxuan Chen,
  • Hui Zou,
  • Yanbiao Li,
  • Xin Wang,
  • Gaogang Xie

摘要

The Resource Public Key Infrastructure (RPKI) is a system designed to improve Internet routing security. However, the protection scope of RPKI remains limited due to ineffective deployment of Route Origin Validation (ROV), the process that verifies the legitimacy of BGP announcements using RPKI data. Several deployment strategies have been proposed to increase the security benefits of partial ROV deployment. However, these strategies fail to detect the hidden propagation paths that can be exploited by illegitimate routes, resulting in their protection being vulnerable to hijacking attacks. In this paper, we introduce ihege, a novel metric that effectively captures the hidden propagation paths of RPKI-invalid routes. The ihege employs the routing model to discover possible propagation paths that are not observed in BGP data and prioritize ASes by their ability to eliminate the possible propagation paths of RPKI-invalid routes. We then propose ihege-based deployment strategy and evaluate its security impact under various hijacking scenarios. Experimental results show that, when deploying ROV on the same number of ASes, the ihege-based strategy reduces the number of infected ASes by 25.9%–74.7% in comparison with other strategies.