The Hybrid ROA: A Flexible and Scalable Encoding Scheme for Route Origin Authorization

TL;DR

This paper introduces h-ROA, a hybrid encoding scheme for Route Origin Authorization that combines maxLength and bitmap methods to enhance security, flexibility, and scalability in inter-domain routing verification.

Contribution

The paper proposes a novel hybrid encoding scheme for ROAs that improves security, flexibility, and scalability over existing maxLength-based methods.

Findings

h-ROA outperforms existing methods in encoding speed by up to 3.28 times.

It reduces router synchronization costs by up to 56.6%.

Provides flexible encoding to handle various authorization scenarios.

Abstract

On top of the Resource Public Key Infrastructure (RPKI), the Route Origin Authorization (ROA) creates a cryptographically verifiable binding of an autonomous system to a set of IP prefixes it is authorized to originate. By their design, ROAs can protect the inter-domain routing system against prefix and sub-prefix hijacks. However, it is hard for the state-of-the-art approach, the maxLength-based ROA encoding scheme, to guarantee security and scalability at the same time when facing various authorization scenarios. To this end, we propose a novel bitmap-based encoding scheme for ROAs to provide flexible and controllable compression. Furthermore, the hybrid ROA encoding scheme (h-ROA) is proposed, which encodes ROAs based on maxLength and bitmap jointly. This approach ensures strong security, provides flexibility and significantly improves system scalability, enabling it to effectively handle various authorization patterns. According to the performance evaluation with real-world data sets, h-ROA outperforms the state-of-the-art approach $1.99 \sim 3.28$ times in terms of the encoding speed, and it can reduce the cost of a router to synchronize all validated ROA payloads by $43.9\% \sim 56.6\%$.