Review on Deployment Problems of Resource Public Key Infrastructure

doi:10.19678/j.issn.1000-3428.0252551

Abstract

Abstract: Resource Public Key Infrastructure (RPKI) is an important mechanism to safeguard BGP routing security, which realizes the legitimacy verification of BGP announcements by Route Origin Authorization (ROA) and Route Origin Validation (ROV). As RPKI continues to advance globally, its deployment status and actual defense effect have become the focus of research. In recent years, researchers have carried out a great deal of researches about ROA configuration problems and ROV deployment measurements, portraying the operational status and protection capability of RPKI in real networks from different dimensions. Current RPKI-related surveys mainly focus on the theoretical research of the RPKI system itself, emphasizing its architectural vulnerabilities, without systematically organizing and deeply summarizing the key challenges and related studies encountered in the actual deployment of RPKI. This review systematically summarizes recent studies on deployment issues of the RPKI system. It focuses on classifying common types of errors in ROA configuration, including benign ROA conflicts and loose ROA registrations, providing a systematic analysis that reveals their causes and impacts on routing security. Finally, this review outlines future research directions in the field of RPKI deployment issues, providing a theoretical foundation and methodological reference for subsequent research in the directions of RPKI deployment optimization, security assessment and strategy research. This will help promote the widespread adoption of RPKI and enhance the defense against BGP prefix hijacking.

摘要： 资源公钥基础设施（RPKI）是保障BGP路由安全性的一项重要机制，通过路由源授权（ROA）和路由源验证（ROV）两项核心功能，实现对自治系统（AS）发布路由宣告的合法性验证。近年来，随着RPKI应用的持续拓展，研究者围绕ROA配置问题与ROV部署测量开展了大量工作，从不同维度刻画了RPKI在现实网络中的运行状态与防御能力。当前RPKI相关综述集中于对RPKI体系本身研究的阐述，着重强调RPKI体系的脆弱性，对于RPKI实际部署中遇到的关键问题及其相关研究并没有进行系统梳理和深入总结。对近年来RPKI系统部署问题的相关研究进行了系统综述，重点梳理了ROA配置中常见错误类型，包括ROA良性冲突以及松散ROA展开系统性分析，揭示其成因与对路由安全的影响；对现有的ROV部署测量方法进行了综合归纳，并进行了对比分析，同时总结了对ROV验证有效性与路径传播影响的评估方法，最后给出RPKI部署问题研究的未来发展方向，为后续在RPKI部署优化、安全评估与策略研究等方向提供了理论基础与方法参考，有利于促进RPKI体系的部署推广，有效防御BGP前缀劫持。

Guozheng Yang, Dongzhen Qi, Pan Chen, Zhaobin Shen, Pengyu Yin, Yanlin Huo. Review on Deployment Problems of Resource Public Key Infrastructure[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0252551.

杨国正, 齐冬震, 陈攀, 沈照斌, 尹鹏语, 霍彦霖. 资源公钥基础设施部署问题研究综述[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0252551.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0252551

References

[1]Lougheed K, Rekhter Y. Border gateway protocol 3 (bgp-3)[R]. 1991.
[2]Kent S, Lynn C, Seo K. Secure border gateway protocol (S-BGP)[J]. IEEE Journal on Selected areas in Communications, 2000, 18(4): 582-592.
[3]White R. Securing BGP through secure origin BGP (soBGP)[J]. Business Communications Review, 2003, 33(5): 47-53.
[4]George W, Murphy S. BGPSec considerations for autonomous system (as) migration[R]. 2017.
[5]Zhang X, Hsiao H C, Hasker G, et al. SCION: Scalability, control, and isolation on next-generation networks[C]//2011 IEEE Symposium on Security and Privacy. IEEE, 2011: 212-227.
[6]Lepinski M, Kent S. An infrastructure to support secure internet routing[R]. 2012.
[7]Monitor N R. NIST RPKI Monitor[EB/OL].(2023)
[8]苏莹莹,李丹,叶洪琳. 资源公钥基础设施RPKI：现状与问题[J]. 电信科学,2021,37(3): 75-89. SU Y Y，LI D，YE H L. Resource Public Key Infrastructure RPKI:Current Situation and Issues[J]. Telecommunications Science,2021,37(3): 75-89.
[9]秦超逸，张宇，方滨兴. RPKI去中心化安全增强技术综述[J]. 通信学报,2024,45(7): 196-205. QIN C Y，ZHANG Y，FANG B X.A Survey on Decentralized Security Enhancement Techniques for RPKI[J].Journal on Communications,2024,45(7): 196-205.
[10]邹慧,马迪,邵晴,等. 互联网码号资源公钥基础设施（RPKI）研究综述[J]. 计算机学报,2022,45(5): 1100-1132. ZHOU H，MA D，SHAO Q etc. A Survey of the Resource Public Key Infrastructure (RPKI) for Secure Internet Number Resource Management[J]. Chinese Journal of Computers,2022,45(5): 1100-1132.
[11]Nils Rodday,Ítalo Cunha,Randy Bush,et al. The Resource Public Key Infrastructure (RPKI): A Survey on Measurements and Future Prospects[J]. IEEE Transactions on Network and Service Management,2023,Vol.21(2): 1.
[12]CIDR Report for 20 Feb 25[EB/OL] (2025-02-20). https://www.cidr-report.org/as2.0/.
[13]Ripe NCC. Youtube hijacking a ripe NCC RIS case study[EB/OL]. http://www. ripe. net/news/study- youtube-hijacking. html, 2008.
[14]Robachevsky A. 14,000 Incidents: A 2017 routing security year in review[J]. Retrieved November, 2018, 30: 2018.
[15]Herdes B, Zhang M, Ryan T. Cloudflare 1.1. 1.1 incident on june 27, 2024[EB/OL].(2024)
[16]Wählisch M, Maennel O, Schmidt T C. Towards detecting BGP route hijacking using the RPKI[J]. ACM SIGCOMM Computer Communication Review, 2012, 42(4): 103-104.
[17]Ripe ris (routing information service)[EB/OL]. https://www.ripe.net/analyse/internet-measure
[18]The route views project[EB/OL]. http://www.routeviews.org/routeviews/.ments/routing-information-service-ris/ris-raw-data.
[19]Iamartino D, Pelsser C, Bush R. Measuring BGP route origin registration and validation[C]//International Conference on Passive and Active Network Measurement. Cham: Springer International Publishing, 2015: 28-40.
[20]Chung T, Aben E, Bruijnzeels T, et al. RPKI is coming of age: A longitudinal study of RPKI deployment and invalid route origins[C]//Proceedings of the Internet Measurement Conference. 2019: 406-419.
[21]Wählisch M, Schmidt R, Schmidt T C, et al. RiPKI: The tragic story of RPKI deployment i
n the Web ecosystem[C]//Proceedings of the 14th ACM Workshop on Hot Topics in Networks. 2015: 1-7. [22]Hlavacek T, Shulman H, Waidner M. Smart RPKI validation: Avoiding errors and preventing hijacks[C]//European Symposium on Research in Computer Security. Cham: Springer International Publishing, 2022: 509-530.
[23]Hlavacek T, Shulman H, Waidner M. Not all conflicts are created equal: Automated error resolution in RPKI deployments[C]//IEEE INFOCOM 2021-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). IEEE, 2021: 1-2.
[24]Li Y, Zou H, Chen Y, et al. The hanging ROA: A secure and scalable encoding scheme for route origin authorization[C]//IEEE INFOCOM 2022-IEEE Conference on Computer Communications. IEEE, 2022: 21-30. [25]Oliver L, Akiwate G, Luckie M, et al. Stop, DROP, and ROA: Effectiveness of defenses through the lens of DROP[C]//Proceedings of the 22nd ACM Internet Measurement Conference. 2022: 730-737. [26]Gilad Y, Cohen A, Herzberg A, et al. Are we there yet? On RPKI's deployment and security[J]. Cryptology ePrint Archive, 2016. [27]Gilad Y, Sagga O, Goldberg S. Maxlength considered harmful to the RPKI[C]//Proceedings of the 13th International Conference on emerging Networking EXperiments and Technologies. 2017: 101-107. [28]Bush R. Origin validation operation based on the Resource Public Key Infrastructure (RPKI)[R]. 2014. [29]Hlavacek T, Cunha I, Gilad Y, et al. DISCO: Sidestepping RPKI's deployment barriers[C]//Network and Distributed System Security Symposium (NDSS). 2020. [30]Schulmann H, Zhao S. Learning to Identify Conflicts in RPKI[J]. arXiv preprint arXiv:2502.03378, 2025. [31]Reuter A, Bush R, Cunha I, et al. Towards a rigorous methodology for measuring adoption of RPKI route validation and filtering[J]. ACM SIGCOMM Computer Communication Review, 2018, 48(1): 19-27. [32]Schlinker B, Zarifis K, Cunha I, et al. Peering: An as for us[C]//Proceedings of the 13th ACM Workshop on Hot Topics in Networks. 2014: 1-7. [33]Reuter A, Bush R, Cunha I, et al. Measuring RPKI Route Origin Validation Deployment[EB/OL].(2016) [34]Testart C, Richter P, King A, et al. To Filter or not to Filter: Measuring the Benefits of Registering in the RPKI Today[C]//Passive and Active Measurement: 21st International Conference, PAM 2020, Eugene, Oregon, USA, March 30–31, 2020, Proceedings 21. Springer International Publishing, 2020: 71-87. [35]Qin L, Chen L, Li D, et al. Understanding Route Origin Validation (ROV) Deployment in the Real World and Why MANRS Action 1 Is Not Followed[C]. NDSS, 2024. [36]Li W, Li Y, Chung T. ImpROV: Measurement and Practical Mitigation of Collateral Damage in RPKI Route Origin Validation[C]// USENIX Security Symposium (USENIX Security’25), Seattle, USA, August 2025
[37]Cartwright-Cox B. Are BGPs security features working yet?[EB/OL].(2018)
[38]Hlavacek T, Herzberg A, Shulman H, et al. Practical experience: Methodologies for measuring route origin validation[C]//2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 2018: 634-641.
[39]“What is RIPE Atlas?” [EB/OL] https://atlas.ripe.net/about/
[40]CAIDA, “Prefix to as mapping,”[EB/OL] https://www.caida.org/catalog/datasets/routeviews-prefix2as/, accessed: 25.07.2022.
[41]Cartwright-Cox B. Are BGPs security features working yet?, 2018[J]. URL https://blog. benjojo. co. uk/post/are-bgps-security-features-working-yet-rpki.
[42] Rodday N, Cunha Í, Bush R, et al. Revisiting rpki route origin validation on the data plane[C]//Proc. of Network Traffic Measurement and Analysis Conference (TMA), IFIP. 2021.
[43]Hlavacek T, Shulman H, Vogel N, et al. Keep Your Friends Close, but Your Routeservers Closer: Insights into {RPKI} Validation in the Internet[C]//32nd USENIX Security Symposium (USENIX Security 23). 2023: 4841-4858.
[44]“Is BGP safe yet?,”Cloudflare. 2022. [EB/OL].Available: https://isbgpsafeyet.com/
[45]Chen W, Wang Z, Han D, et al. ROV-MI: Large-Scale, Accurate and Efficient Measurement of ROV Deployment[C]//NDSS. 2022.
[46]Orsini C, King A, Giordano D, et al. BGPStream: a software framework for live and historical BGP data analysis[C]//Proceedings of the 2016 Internet Measurement Conference. 2016: 429-444.
[47]NLnetLabs. Routinator. [EB/OL]https://github.com/NLnetLabs/routinator, 2021.
[48]Durumeric Z, Wustrow E, Halderman J A. {ZMap}: Fast internet-wide scanning and its security applications[C]//22nd USENIX Security Symposium (USENIX Security 13). 2013: 605-620. [49]Gray C, Mosig C, Bush R, et al. BGP beacons, network tomography, and Bayesian com
putation to locate route flap damping[C]//Proceedings of the ACM Internet Measurement Conference. 2020: 492-505. [50]Li W, Lin Z, Ashiq M I, et al. RoVista: Measuring and analyzing the route origin validation (ROV) in RPKI[C]//Proceedings of the 2023 ACM on Internet Measurement Conference. 2023: 73-88.
[51]Rodday N, van Baaren R, Hendriks L, et al. Evaluating RPKI ROV identification methodologies in automatically generated mininet topologies[C]//Proceedings of the 16th International Conference on emerging Networking EXperiments and Technologies. 2020: 530-531.
[52]Du B, Testart C, Fontugne R, et al. Poster: Taking the low road: How RPKI invalids propagate[C]//Proceedings of the ACM SIGCOMM 2023 Conference. 2023: 1144-1146.
[53]Zeng M, Huang X, Zhang P, et al. Improving Prefix Hijacking Defense of RPKI from an Evolutionary Game Perspective[J]. IEEE Transactions on Dependable and Secure Computing, 2024.

Please choose a citation manager

Content to export