The Hanging ROA: A Secure and Scalable Encoding Scheme for Route Origin Authorization

On top of the Resource Public Key Infrastructure (RPKI), the Route Origin Authorization (ROA) creates a cryptographically verifiable binding of an autonomous system to a set of IP prefixes it is authorized to originate. By their design, ROAs can protect the inter-domain routing system against prefix and sub-prefix hijacks. However, inappropriate configurations bring in vulnerabilities to other types of routing security attacks. As such, the state-of-the-art approach implements the minimal-ROA principle, eliminating the risk of using ROAs at the cost of system scalability. This paper proposes the hanging ROA, a novel bitmap-based encoding scheme for ROAs, that not only ensures strong security, but also significantly improves system scalability. According to the performance evaluation with real-world data sets, the hanging ROA outperforms the state-of-the-art approach 2.4 times in terms of the compression ratio, and it can reduce the cost of a router to synchronize all validated ROA payloads by 44.5% similar to 64.7%.