The Hybrid ROA: A Flexible and Scalable Encoding Scheme for Route Origin Authorization

Yanbiao Li, Hui Zou, Yuxuan Chen, Yinbo Xu, Zhuoran Ma, Di Ma, Ying Hu, Gaogang Xie
2024-12-09
Abstract: On top of the Resource Public Key Infrastructure (RPKI), the Route Origin Authorization (ROA) creates a cryptographically verifiable binding of an autonomous system to the set of IP prefixes it is authorized to originate. By design, ROAs can protect the inter-domain routing system against prefix and sub-prefix hijacks. However, the state-of-the-art approach, the maxLength-based ROA encoding scheme, struggles to guarantee security and scalability at the same time across the variety of authorization scenarios seen in practice. To this end, we propose a novel bitmap-based encoding scheme for ROAs that provides flexible and controllable compression. Furthermore, we propose the hybrid ROA encoding scheme (h-ROA), which encodes ROAs using maxLength and bitmaps jointly. This approach ensures strong security, provides flexibility and significantly improves system scalability, enabling it to handle various authorization patterns effectively. According to a performance evaluation with real-world data sets, h-ROA outperforms the state-of-the-art approach by $1.99 \sim 3.28$ times in encoding speed, and it reduces the cost for a router to synchronize all validated ROA payloads by $43.9\% \sim 56.6\%$.
Cryptography and Security
What problem does this paper attempt to address?
The main problem this paper addresses is how to improve the scalability and compression efficiency of Route Origin Authorization (ROA) encoding while preserving security and flexibility. Specifically:

1. **Security**: Existing maxLength-based ROA encoding schemes are vulnerable to forged-origin sub-prefix hijacks, because a maxLength authorizes every sub-prefix up to that length, including ones the AS never announces; a more precise encoding is required.
2. **Flexibility**: The number and distribution of IP prefixes authorized by different Autonomous Systems (ASes) vary widely and change over time, so the encoding scheme must adapt to different authorization patterns.
3. **Scalability**: As the number of routes in the global Internet grows, the number and size of ROAs directly drive the cost of synchronization, validation, and maintenance, so the encoding scheme must scale well.
4. **Compression efficiency**: To improve transmission and processing efficiency and reduce the burden on routers, ROAs must be compressed effectively.

For this purpose, the authors propose two new encoding schemes:

- **Bitmap-based ROA encoding scheme (BM-ROA)**: uses bitmaps to describe the authorized IP prefixes exactly, providing flexible and controllable compression.
- **Hybrid ROA encoding scheme (h-ROA)**: combines BM-ROA with maxLength-based ROA (ML-ROA) to handle the coexistence of scattered and contiguous authorized IP prefixes and achieve the best compression.

In the experimental evaluation, h-ROA improves encoding speed by 1.99 to 3.28 times over existing methods and reduces the cost for routers to synchronize all validated ROA payloads by 43.9% to 56.6%.
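The two encodings contrasted above, worked through in code. This is an added illustration, not the paper's implementation or its wire format: the bitmap layout (one base prefix, one target prefix length, bit i meaning "the i-th sub-prefix of that length, counted from the base address, is authorized"), the AS number 64500 and the 10.0.0.0/22 and 10.0.4.0/24 address blocks are all constructed for the example. It shows why a maxLength ROA over a sparse set of sub-prefixes authorizes prefixes the AS never announces (the exposure behind forged-origin sub-prefix hijacks), how a hybrid ROA set removes that exposure, and how origin validation over the mixed set still follows RFC 6811's covered/matched logic.

```python
"""maxLength-based (ML-ROA) vs bitmap-based (BM-ROA) ROA encodings,
and a hybrid set of both. Constructed example, not the paper's format."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class MLRoa:
    """Classic ROA: every sub-prefix of `prefix` up to `max_length` is authorized."""
    asn: int
    prefix: Net
    max_length: int

    def covers(self, route: Net) -> bool:        # RFC 6811 "covered"
        return route.subnet_of(self.prefix)

    def authorizes(self, route: Net) -> bool:    # RFC 6811 "matched" (prefix part)
        return self.covers(route) and route.prefixlen <= self.max_length

    def authorized_set(self) -> set:
        """Enumerate every prefix this ROA authorizes (small ranges only)."""
        out = {self.prefix}
        for length in range(self.prefix.prefixlen + 1, self.max_length + 1):
            out.update(self.prefix.subnets(new_prefix=length))
        return out


@dataclass(frozen=True)
class BMRoa:
    """Assumed bitmap layout: only sub-prefixes of exactly `length` whose bit
    is set in `bitmap` are authorized; nothing else under `prefix` is."""
    asn: int
    prefix: Net
    length: int
    bitmap: int

    @staticmethod
    def _index(prefix: Net, length: int, sub: Net) -> int:
        offset = int(sub.network_address) - int(prefix.network_address)
        return offset >> (32 - length)

    @classmethod
    def from_subprefixes(cls, asn: int, prefix: Net, length: int, subs) -> "BMRoa":
        bitmap = 0
        for sub in subs:
            if not (sub.subnet_of(prefix) and sub.prefixlen == length):
                raise ValueError(f"{sub} is not a /{length} inside {prefix}")
            bitmap |= 1 << cls._index(prefix, length, sub)
        return cls(asn, prefix, length, bitmap)

    def covers(self, route: Net) -> bool:
        return route.subnet_of(self.prefix)

    def authorizes(self, route: Net) -> bool:
        if not self.covers(route) or route.prefixlen != self.length:
            return False
        return (self.bitmap >> self._index(self.prefix, self.length, route)) & 1 == 1

    def authorized_set(self) -> set:
        # subnets() yields in address order, so position == bit index
        return {sub for i, sub in enumerate(self.prefix.subnets(new_prefix=self.length))
                if (self.bitmap >> i) & 1}


def validate(route: Net, origin_asn: int, roas) -> str:
    """RFC 6811-style route origin validation over a mixed ROA set."""
    covering = [r for r in roas if r.covers(route)]
    if not covering:
        return "unknown"
    if any(r.asn == origin_asn and r.authorizes(route) for r in covering):
        return "valid"
    return "invalid"


# --- constructed scenario -------------------------------------------------
ASN = 64500                       # constructed AS number (documentation range)
CENTRAL = Net("10.0.0.0/22")      # dense block: /22 plus every /23 and /24 announced
SCATTERED_BASE = Net("10.0.4.0/24")
SCATTERED = [Net("10.0.4.64/26"), Net("10.0.4.192/26")]   # only 2 of the 4 /26s
ANNOUNCED = ({CENTRAL} | set(CENTRAL.subnets(new_prefix=23))
             | set(CENTRAL.subnets(new_prefix=24)) | set(SCATTERED))

# ML-only: the sparse part forces maxLength 26, which also authorizes the
# two /26s (and the /24, /25s) the AS never announces.
ML_ONLY = [MLRoa(ASN, CENTRAL, 24), MLRoa(ASN, SCATTERED_BASE, 26)]
# Hybrid: maxLength where the pattern is dense, a bitmap where it is sparse.
HYBRID = [MLRoa(ASN, CENTRAL, 24),
          BMRoa.from_subprefixes(ASN, SCATTERED_BASE, 26, SCATTERED)]


def exposure(roas) -> set:
    """Prefixes authorized but not announced: what a forged-origin
    sub-prefix hijack of this AS could exploit."""
    out = set()
    for r in roas:
        out |= r.authorized_set() - ANNOUNCED
    return out


if __name__ == "__main__":
    print("ML-only exposure:", sorted(map(str, exposure(ML_ONLY))))
    print("hybrid exposure: ", sorted(map(str, exposure(HYBRID))))
    for roas, name in ((ML_ONLY, "ML-only"), (HYBRID, "hybrid")):
        print(name, "10.0.4.0/26 from AS64500 ->", validate(Net("10.0.4.0/26"), ASN, roas))
```

With the ML-only set, an unannounced 10.0.4.0/26 carrying the victim's AS number validates as "valid"; with the hybrid set it is "invalid", because the bitmap covers the /24 but authorizes only the two announced /26s. The same validation function handles both ROA kinds, which is the property a router needs when a hybrid set replaces a pure maxLength one.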