More Bang for Your Buck: Gaining Collateral Benefit from Partial ROV Deployment
摘要
The Resource Public Key Infrastructure (RPKI) is a system designed to improve Internet routing security. However, the protection scope of RPKI remains limited due to ineffective deployment of Route Origin Validation (ROV), the process that verifies the legitimacy of BGP announcements using RPKI data. Several deployment strategies have been proposed to increase the security benefits of partial ROV deployment. However, these strategies fail to detect the hidden propagation paths that can be exploited by illegitimate routes, resulting in their protection being vulnerable to hijacking attacks. In this paper, we introduce ihege, a novel metric that effectively captures the hidden propagation paths of RPKI-invalid routes. The ihege employs the routing model to discover possible propagation paths that are not observed in BGP data and prioritize ASes by their ability to eliminate the possible propagation paths of RPKI-invalid routes. We then propose ihege-based deployment strategy and evaluate its security impact under various hijacking scenarios. Experimental results show that, when deploying ROV on the same number of ASes, the ihege-based strategy reduces the number of infected ASes by 25.9%–74.7% in comparison with other strategies.