The Hybrid ROA: A Flexible and Scalable Encoding Scheme for Route Origin Authorization
Yanbiao Li, Hui Zou, Yuxuan Chen, Yinbo Xu, Zhuoran Ma, Di Ma, Ying Hu, Gaogang Xie
TL;DR
The paper tackles the encoding challenges of Route Origin Authorizations (ROAs) in the RPKI framework, where maxLength-based schemes trade security for compression and scalability. It introduces bitmap-based ROA (BM-ROA) to encode IP-prefix sub-trees via bitmaps and a sub-tree identifier, enabling secure, fine-grained, and scalable compression, and then couples it with ML-ROA in a hybrid scheme (h-ROA) to adapt to distributions of authorized prefixes. The authors validate BM-ROA and h-ROA through prototype implementation and extensive experiments, showing that h-ROA achieves up to $1.99 \,\sim\, 3.28$ times faster encoding than m-ROA and reduces router synchronization costs by $43.9\% \,\sim\, 56.6\%$, with improved scalability across IPv4/IPv6 and long-term deployment scenarios. The work demonstrates practical gains in security, compression, and scalability for inter-domain routing security and provides guidance for operational ROA deployment, including recommendations to favor the minimal ROA principle while leveraging h-ROA for special-purpose cases.
Abstract
On top of the Resource Public Key Infrastructure (RPKI), the Route Origin Authorization (ROA) creates a cryptographically verifiable binding of an autonomous system to a set of IP prefixes it is authorized to originate. By their design, ROAs can protect the inter-domain routing system against prefix and sub-prefix hijacks. However, it is hard for the state-of-the-art approach, the maxLength-based ROA encoding scheme, to guarantee security and scalability at the same time when facing various authorization scenarios. To this end, we propose a novel bitmap-based encoding scheme for ROAs to provide flexible and controllable compression. Furthermore, the hybrid ROA encoding scheme (h-ROA) is proposed, which encodes ROAs based on maxLength and bitmap jointly. This approach ensures strong security, provides flexibility and significantly improves system scalability, enabling it to effectively handle various authorization patterns. According to the performance evaluation with real-world data sets, h-ROA outperforms the state-of-the-art approach $1.99 \sim 3.28$ times in terms of the encoding speed, and it can reduce the cost of a router to synchronize all validated ROA payloads by $43.9\% \sim 56.6\%$.