The CURE to Vulnerabilities in RPKI Validation
Donika Mirdita
Network and Distributed System Security (NDSS) Symposium 2024 · Day 1 · Resource PKI
The Border Gateway Protocol (BGP), the foundational routing protocol of the Internet, faces a critical and persistent vulnerability: route hijacks. Due to BGP's inherent trust model, any router can announce reachability for any IP prefix, even those it doesn't legitimately own. This susceptibility leads to severe consequences such as traffic misdirection, blackholing, and widespread service disruption. To counter this, the Internet Engineering Task Force (IETF) standardized the **Resource Public Key Infrastructure (RPKI)**. RPKI enables Autonomous Systems (ASes) to cryptographically assert their ownership of IP prefixes by issuing digitally signed **Route Origin Authorizations (ROAs)**. These ROAs bind specific AS numbers to IP prefixes, allowing **Route Origin Validation (ROV)** to be performed by border routers, which then drop unauthorized BGP announcements, thereby mitigating hijacks.