Learning to Identify Conflicts in RPKI

TL;DR

This paper introduces LOV, a mechanism for whitelisting benign RPKI conflicts, enabling networks to avoid filtering legitimate BGP routes and thus promoting RPKI deployment.

Contribution

The paper presents LOV, a novel whitelisting approach that identifies and allows benign RPKI conflicts at scale, reducing traffic loss and encouraging RPKI adoption.

Findings

Whitelisted 52,846 benign routes during six months of live measurement.

LOV effectively distinguishes benign conflicts from malicious ones.

Enabling RPKI deployment by reducing legitimate traffic loss.

Abstract

The long history of misconfigurations and errors in RPKI indicates that they cannot be easily avoided and will most probably persist also in the future. These errors create conflicts between BGP announcements and their covering ROAs, causing the RPKI validation to result in status invalid. Networks that enforce RPKI filtering with Route Origin Validation (ROV) would block such conflicting BGP announcements and as a result lose traffic from the corresponding origins. Since the business incentives of networks are tightly coupled with the traffic they relay, filtering legitimate traffic leads to a loss of revenue, reducing the motivation to filter invalid announcements with ROV. In this work, we introduce a new mechanism, LOV, designed for whitelisting benign conflicts on an Internet scale. The resulting whitelist is made available to RPKI supporting ASes to avoid filtering RPKI-invalid but benign routes. Saving legitimate traffic resolves one main obstacle towards RPKI deployment. We measure live BGP updates using LOV during a period of half a year and whitelist 52,846 routes with benign origin errors.