资源公钥基础设施部署问题研究综述

doi:10.19678/j.issn.1000-3428.0252551

计算机工程 ›› 2026, Vol. 52 ›› Issue (6): 17-30. doi: 10.19678/j.issn.1000-3428.0252551

资源公钥基础设施部署问题研究综述

杨国正¹^,², 齐冬震¹^,², 陈攀¹^,²^,*(), 沈照斌¹^,², 尹鹏语¹, 霍彦霖¹^,²

1. 国防科技大学电子对抗学院, 安徽合肥 230037
2. 网络空间安全态势感知与评估安徽省重点实验室, 安徽合肥 230037

收稿日期:2025-06-04 修回日期:2025-09-12 出版日期:2026-06-15 发布日期:2025-10-27
通讯作者: 陈攀
作者简介:
杨国正, 男, 教授、博士, 主研方向为网络空间测绘、态势感知
齐冬震, 硕士研究生
陈攀(通信作者), 博士研究生
沈照斌, 硕士研究生
尹鹏语, 本科生
霍彦霖, 博士研究生
基金资助:
国家自然科学基金面上项目(62271496)

Review on Deployment Problems of Resource Public Key Infrastructure

YANG Guozheng¹^,², QI Dongzhen¹^,², CHEN Pan¹^,²^,*(), SHEN Zhaobin¹^,², YIN Pengyu¹, HUO Yanlin¹^,²

1. Electronic Countermeasure College, National University of Defense Technology, Hefei 230037, Anhui, China
2. Cyberspace Security Situation Awareness and Evaluation Key Laboratory of Anhui Province, Hefei 230037, Anhui, China

Received:2025-06-04 Revised:2025-09-12 Online:2026-06-15 Published:2025-10-27
Contact: CHEN Pan

摘要/Abstract

摘要：

资源公钥基础设施(RPKI)是保障边界网关协议(BGP)路由安全性的一项重要机制, 通过路由源授权(ROA)和路由源验证(ROV)两项核心功能, 实现对自治系统(AS)发布路由宣告的合法性验证。近年来, 随着RPKI应用的持续拓展, 研究者围绕ROA配置问题与ROV部署测量开展了大量工作, 从不同维度刻画了RPKI在现实网络中的运行状态与防御能力。当前RPKI相关综述集中于对RPKI体系本身研究的阐述, 着重强调RPKI体系的脆弱性, 对于RPKI实际部署中遇到的关键问题及其相关研究并没有进行系统梳理和深入总结。首先, 对近年来RPKI系统部署问题的相关研究进行了系统综述, 重点梳理了ROA配置中常见错误类型, 包括ROA良性冲突以及松散ROA展开系统性分析, 揭示其成因及其对路由安全的影响; 然后, 对现有的ROV部署测量方法进行了综合归纳与对比分析, 同时总结了对ROV验证有效性与路径传播影响的评估方法; 最后, 给出RPKI部署问题研究的未来发展方向, 为后续在RPKI部署优化、安全评估与策略研究等方向提供了理论基础与方法参考, 有利于促进RPKI体系的部署推广, 有效防御BGP前缀劫持。

关键词: 路由安全, 边界网关协议, 前缀劫持, 资源公钥基础设施, 路由源授权, 路由源验证

Abstract:

Resource Public Key Infrastructure (RPKI) is an important mechanism for safeguarding Border Gateway Protocol (BGP) routing security, which verifies the legitimacy of BGP announcements through Route Origin Authorization (ROA) and Route Origin Validation (ROV). As RPKI continues to advance globally, its deployment status and defense effects have become prominent research hotspots. In recent years, researchers have extensively studied ROA configuration problems and ROV deployment measurements extensively, demonstrating the operational status and protection capability of RPKI in real networks from different dimensions. Current surveys mainly focus on theoretical research on RPKI systems, emphasizing architectural vulnerabilities without systematically organizing or summarizing the key challenges and related studies encountered in their actual deployment. This review systematically summarizes recent studies on the deployment issues of RPKI systems. First, it focuses on classifying common error types in ROA configurations, including benign ROA conflicts and loose ROA registrations, and analyses their causes and impacts on routing security systematically. Then, it comprehensively summarizes and compares existing ROV deployment measurement methods and reviews evaluation methods for assessing ROV validation effectiveness and its impact on path propagation. Finally, the review outlines future research directions to address RPKI deployment issues, providing a theoretical foundation and methodological reference for subsequent research on RPKI deployment optimization, security assessment, and strategy research. The findings can promote the widespread adoption of RPKI and enhance the defense against BGP prefix hijacking.

Key words: route security, Border Gateway Protocol (BGP), prefix hijacking, Resource Public Key Infrastructure (RPKI), Route Origin Authorization (ROA), Route Origin Validation (ROV)

杨国正, 齐冬震, 陈攀, 沈照斌, 尹鹏语, 霍彦霖. 资源公钥基础设施部署问题研究综述[J]. 计算机工程, 2026, 52(6): 17-30.

YANG Guozheng, QI Dongzhen, CHEN Pan, SHEN Zhaobin, YIN Pengyu, HUO Yanlin. Review on Deployment Problems of Resource Public Key Infrastructure[J]. Computer Engineering, 2026, 52(6): 17-30.

https://www.ecice06.com/CN/Y2026/V52/I6/17

图/表 5

参考文献 53

1	LOUGHEED K, REKHTER Y. Border Gateway Protocol 3(BGP-3): RFC 1267[R]. T.J. Watson Research Center, IBM Corp., 1991.
2	KENT S , LYNN C , SEO K . Secure Border Gateway Protocol (S-BGP). IEEE Journal on Selected Areas in Communications, 2000, 18 (4): 582- 592. doi: 10.1109/49.839934
3	WHITE R . Securing BGP through secure origin BGP (soBGP). Business Communications Review, 2003, 33 (5): 47- 53.
4	GEORGE W, MURPHY S. BGPSec considerations for autonomous system (as) migration: RFC 8206[R]. PARSONS, Inc., 2017.
5	ZHANG X, HSIAO H C, HASKER G, et al. SCION: scalability, control, and isolation on next-generation networks[C]//Proceedings of the IEEE Symposium on Security and Privacy. Washington D.C., USA: IEEE Press, 2011: 212-227.
6	LEPINSKI M, KENT S. An infrastructure to support secure internet routing: RFC 6480[R]. BBN Technologies, 2012.
7	MONITOR N R. NIST RPKI monitor[EB/OL]. [2025-05-07]. https://www.nist.gov/services-resources/software/nist-rpki-deployment-monitor.
8	苏莹莹, 李丹, 叶洪琳. 资源公钥基础设施RPKI: 现状与问题. 电信科学, 2021, 37 (3): 75- 89.
	SU Y Y , LI D , YE H L . Resource public key infrastructure RPKI: status and problems. Telecommunications Science, 2021, 37 (3): 75- 89.
9	秦超逸, 张宇, 方滨兴. RPKI去中心化安全增强技术综述. 通信学报, 2024, 45 (7): 196- 205.
	QIN C Y , ZHANG Y , FANG B X . Survey on decentralized security-enhanced technologies for RPKI. Journal on Communications, 2024, 45 (7): 196- 205.
10	邹慧, 马迪, 邵晴, 等. 互联网码号资源公钥基础设施(RPKI)研究综述. 计算机学报, 2022, 45 (5): 1100- 1132.
	ZOU H , MA D , SHAO Q , et al. A survey of the resource public key infrastructure. Chinese Journal of Computers, 2022, 45 (5): 1100- 1132.
11	RODDAY N , CUNHA Í , BUSH R , et al. The Resource Public Key Infrastructure (RPKI): a survey on measurements and future prospects. IEEE Transactions on Network and Service Management, 2024, 21 (2): 2353- 2373.
12	CIDR Report for 20 Feb 25[EB/OL]. [2025-05-07]. https://www.cidr-report.org/as2.0/.
13	RIPE NCC. YouTube hijacking a ripe NCC RIS case study[EB/OL]. [2025-05-07]. http://www.ripe.net/news/study-youtube-hijacking.html.
14	ROBACHEVSKY A. 14, 000 Incidents: a 2017 routing security year in review[EB/OL]. [2025-05-07]. https://www.internetsociety.org/blog/2018/01/14000-incidents-2017-routing-security-year-review/.
15	HERDES B, ZHANG M, RYAN T. Cloudflare 1.1. 1.1 incident on june 27, 2024[EB/OL]. [2025-05-07]. https://blog.cloudflare.com/cloudflare-1111-incident-on-june-27-2024.
16	WÄHLISCH M , MAENNEL O , SCHMIDT T C . Towards detecting BGP route hijacking using the RPKI. ACM SIGCOMM Computer Communication Review, 2012, 42 (4): 103- 104. doi: 10.1145/2377677.2377702
17	RIPE Routing Information Service (RIS) [EB/OL]. [2025-05-07]. https://www.ripe.net/analyse/internet-measure.
18	The route views project[EB/OL]. [2025-05-07]. http://www.routeviews.org/routeviews/.ments/routing-information-service-ris/ris-raw-data.
19	IAMARTINO D, PELSSER C, BUSH R. Measuring BGP route origin registration and validation[C]//Proceedings of International Conference on Passive and Active Network Measurement. Berlin, Germany: Springer, 2015: 28-40.
20	CHUNG T, ABEN E, BRUIJNZEELS T, et al. RPKI is coming of age: a longitudinal study of RPKI deployment and invalid route origins[C]//Proceedings of the Internet Measurement Conference. New York, USA: ACM Press, 2019: 406-419.
21	WÄHLISCH M, SCHMIDT R, SCHMIDT T C, et al. RiPKI: the tragic story of RPKI deployment in the Web ecosystem[C]//Proceedings of the 14th ACM Workshop on Hot Topics in Networks. New York, USA: ACM Press, 2015: 1-7.
22	HLAVACEK T, SHULMAN H, WAIDNER M. Smart RPKI validation: avoiding errors and preventing hijacks[C]//Proceedings of ESORICS'22. Berlin, Germany: Springer, 2022: 509-530.
23	HLAVACEK T, SHULMAN H, WAIDNER M. Not all conflicts are created equal: automated error resolution in RPKI deployments[C]//Proceedings of the IEEE Conference on Computer Communications Workshops. Washington D.C., USA: IEEE Press, 2021: 1-2.
24	LI Y B, ZOU H, CHEN Y X, et al. The hanging ROA: a secure and scalable encoding scheme for route origin authorization[C]//Proceedings of the IEEE Conference on Computer Communications. Washington D.C., USA: IEEE Press, 2022: 21-30.
25	OLIVER L, AKIWATE G, LUCKIE M, et al. Stop, DROP, and ROA: effectiveness of defenses through the lens of DROP[C]//Proceedings of the 22nd ACM Internet Measurement Conference. New York, USA: ACM Press, 2022: 730-737.
26	GILAD Y, COHEN A, HERZBERG A, et al. Are we there yet? On RPKI's deployment and security[C]//Proceedings of 2017 Network and Distributed System Security Symposium. San Diego, USA: Internet Society, 2017: 1-10.
27	GILAD Y, SAGGA O, GOLDBERG S. MaxLength considered harmful to the RPKI[C]//Proceedings of the 13th International Conference on Emerging Networking EXperiments and Technologies. New York, USA: ACM Press, 2017: 101-107.
28	BUSH R. Origin validation operation based on the Resource Public Key Infrastructure (RPKI): RFC 7115[R]. Internet Engineering Task Force (IETF), 2014.
29	HLAVACEK T, CUNHA I, GILAD Y, et al. DISCO: sidestepping RPKI's deployment barriers[C]//Proceedings of 2020 Network and Distributed System Security Symposium. San Diego, USA: Internet Society, 2020: 1-12.
30	SCHULMANN H, ZHAO S J. Learning to identify conflicts in RPKI[EB/OL]. [2025-05-07]. https://arxiv.org/abs/2502.03378.
31	REUTER A , BUSH R , CUNHA I , et al. Towards a rigorous methodology for measuring adoption of RPKI route validation and filtering. ACM SIGCOMM Computer Communication Review, 2018, 48 (1): 19- 27. doi: 10.1145/3211852.3211856
32	SCHLINKER B, ZARIFIS K, CUNHA I, et al. PEERING: an as for us[C]//Proceedings of the 13th ACM Workshop on Hot Topics in Networks. New York, USA: ACM Press, 2014: 1-7.
33	REUTER A, BUSH R, CUNHA I, et al. Measuring RPKI route origin validation deployment[Z]. 2016.
34	TESTART C, RICHTER P, KING A, et al. To filter or not to filter: measuring the benefits of registering in the RPKI today[C]//Proceedings of the 21st International Conference Passive and Active Measurement. Berlin, Germany: Springer, 2020: 71-87.
35	QIN L C, CHEN L, LI D, et al. Understanding Route Origin Validation (ROV) deployment in the real world and why MANRS action 1 is not followed[C]//Proceedings of the Network and Distributed System Security Symposium. Washington D.C., USA: IEEE Press, 2024: 1-13.
36	LI W, LI Y, CHUNG T. ImpROV: measurement and practical mitigation of collateral damage in RPKI route origin validation[C]//Proceedings of the USENIX Security Symposium. [S. l. ]: USENIX, 2025: 1-15.
37	CARTWRIGHT-COX B. Are BGPs security features working yet? [EB/OL]. [2025-05-07]. https://benjojo.co.uk/u/benjojo.
38	HLAVACEK T, HERZBERG A, SHULMAN H, et al. Practical experience: methodologies for measuring route origin validation[C]//Proceedings of the 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). Washington D.C., USA: IEEE Press, 2018: 634-641.
39	What is RIPE Atlas? [EB/OL]. [2025-05-07]. https://atlas.ripe.net/about/.
40	CAIDA. Prefix to as mapping[EB/OL]. [2025-05-07]. https://www.caida.org/catalog/datasets/routeviews-prefix2as/.
41	王志强, 陈力园, 代蛟. 基于WTGWO的无线传感器网络三维部署优化方法. 吉林大学学报(理学版), 2024, 62 (2): 410- 416.
	WANG Z Q , CHEN L Y , DAI J . Three-dimensional deployment optimization method of wireless sensor network based on WTGWO. Journal of Jilin University (Science Edition), 2024, 62 (2): 410- 416.
42	RODDAY N, CUNHA F S, BUSH R, et al. Revisiting RPKI route origin validation on the data plane[EB/OL]. [2025-05-07]. https://www.semanticscholar.org/paper/Revisiting-RPKI-Route-Origin-Validation-on-the-Data-Rodday-Cunha/363018c6f2e36d6d0b82c0a2c7cb6fcf1edb2f20/figure/3.
43	HLAVACEK T, SCHULMANN H, VOGEL N, et al. Keep your friends close, but your routeservers closer: insights into RPKI validation in the Internet[C]//Proceedings of the 32nd USENIX Security Symposium. [S. l. ]: USENIX, 2023: 4841-4858.
44	Is BGP safe yet? No[EB/OL]. [2025-05-07]. https://isbgpsafeyet.com/.
45	CHEN W Q, WANG Z L, HAN D Q, et al. ROV-MI: large-scale, accurate and efficient measurement of ROV deployment[C]//Proceedings of the 2022 Network and Distributed System Security Symposium. San Diego, USA: Internet Society, 2022: 1-17.
46	ORSINI C, KING A, GIORDANO D, et al. BGPStream: a software framework for live and historical BGP data analysis[C]//Proceedings of the 2016 Internet Measurement Conference. New York, USA: ACM Press, 2016: 429-444.
47	NLnetLabs. Routinator[EB/OL]. [2025-05-07]. https://github.com/NLnetLabs/routinator.
48	DURUMERIC Z, WUSTROW E, HALDERMAN J A. ZMap: fast Internet-wide scanning and its security applications[C]//Proceedings of the USENIX Security Symposium. [S. l. ]: USENIX, 2013: 605-620.
49	GRAY C, MOSIG C, BUSH R, et al. BGP beacons, network tomography, and Bayesian computation to locate route flap damping[C]//Proceedings of the ACM Internet Measurement Conference. New York, USA: ACM Press, 2020: 492-505.
50	LI W T, LIN Z X, ASHIQ M I, et al. RoVista: measuring and analyzing the Route Origin Validation (ROV) in RPKI[C]//Proceedings of the 2023 ACM on Internet Measurement Conference. New York, USA: ACM Press, 2023: 73-88.
51	RODDAY N, VAN BAAREN R, HENDRIKS L, et al. Evaluating RPKI ROV identification methodologies in automatically generated mininet topologies[C]//Proceedings of the 16th International Conference on Emerging Networking EXperiments and Technologies. New York, USA: ACM Press, 2020: 530-531.
52	DU B, TESTART C, FONTUGNE R, et al. Poster: taking the low road: how RPKI invalids propagate[C]//Proceedings of the ACM SIGCOMM 2023 Conference. New York, USA: ACM Press, 2023: 1144-1146.
53	ZENG M , HUANG X H , ZHANG P , et al. Improving prefix hijacking defense of RPKI from an evolutionary game perspective. IEEE Transactions on Dependable and Secure Computing, 2024, 21 (6): 5170- 5184. doi: 10.1109/TDSC.2024.3371644

[1]	王群, 李馥娟, 马卓. 区块链在BGP路由泄露防护中的应用研究[J]. 计算机工程, 2025, 51(8): 39-52.
[2]	戴仙波, 王娜, 刘颖. 基于改进高斯核函数的BGP异常检测方法[J]. 计算机工程, 2019, 45(10): 122-129.
[3]	陶志勇,王如龙,张锦. 基于负载分离的跨域虚拟专用网解决方案[J]. 计算机工程, 2014, 40(9): 106-110.
[4]	李兆斌, 康志荣, 池亚平, 方勇. 基于AS联盟与信誉机制的域间安全路由协议[J]. 计算机工程, 2012, 38(14): 112-115.
[5]	王文化, 沈庆国, 韩春永, 王滨, 戴三明. 基于染色Petri网的BGP连接过程模型[J]. 计算机工程, 2011, 37(6): 82-84.
[6]	潘艳辉, 王韬, 吴杨, 王文豪. 基于信任的低地球轨道卫星网络路由安全机制[J]. 计算机工程, 2011, 37(20): 149-151.
[7]	徐鑫;吴静;高远. iBGP路由的最佳出口点检查算法[J]. 计算机工程, 2010, 36(7): 17-19.
[8]	包广斌, 马栋林, 张秋余, 袁占亭. 基于SPVP协议的BGP路由收敛算法[J]. 计算机工程, 2010, 36(20): 16-18.
[9]	王文化, 沈庆国, 王滨. BGP收敛性质改善的MRAI时钟设置方案[J]. 计算机工程, 2010, 36(14): 19-21.
[10]	刘焕敏;王华;胡湘江;朱培栋. 域间路由系统AS联盟机制的研究[J]. 计算机工程, 2009, 35(5): 97-100.
[11]	任金秋;马海龙;汪斌强. 跨域BGP/MPLS VPN在高性能路由器中的实现[J]. 计算机工程, 2009, 35(3): 126-129.
[12]	马海龙; 郭云飞; 陈乐然. BGP路由查表算法的分析与改进[J]. 计算机工程, 2009, 35(2): 4-5,9.
[13]	蔡昭权. 边界网关协议的攻击分析与安全防范[J]. 计算机工程, 2008, 34(5): 145-147.
[14]	王振中;关媛;陆建德;陈玉春. 基于邻居节点监测的MANET路由安全机制[J]. 计算机工程, 2007, 33(18): 148-150,.
[15]	梁海英，滕国文，王洪君，王大东，高远. 地址检查 BGP/MPLS VPN 中MP-BGP配置错误的方法[J]. 计算机工程, 2006, 32(5): 89-91，115.

选择文件类型/文献管理软件名称

选择包含的内容

资源公钥基础设施部署问题研究综述

Review on Deployment Problems of Resource Public Key Infrastructure

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 5

参考文献 53

相关文章 15

编辑推荐

Metrics

本文评价

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

资源公钥基础设施部署问题研究综述

Review on Deployment Problems of Resource Public Key Infrastructure

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 5

参考文献 53

相关文章 15

编辑推荐

Metrics

本文评价