Weitong Li (Virginia Tech), Tao Wan (CableLabs), Tijay Chung (Virginia Tech)
The Resource Public Key Infrastructure (RPKI) enhances Internet routing security by utilizing Route Origin Authorization (ROA) objects to link IP prefixes with their rightful origin ASNs. Despite the rapid deployment of RPKI---over 51.3% of Internet routes now covered by ROAs, there are still 6,802 RPKI-invalid prefixes as of today. This work provides the first comprehensive study to understand and classify the hidden causes of RPKI-invalid prefixes, revealing that ROA misconfigurations often occur during IP leasing and IP transit services. We identify scenarios explaining these misconfigurations and attribute 96.9% of the RPKI-invalid prefixes to such misconfigurations.
We further show their cascading impacts on the data plane, noting that while most prefixes exhibit negligible effects, 3.1% result in full connectivity loss and 7.1% degrade routing by adding latency and extra hop counts---and, in some cases, bypassing intended security mechanisms; additionally, we find that such misconfigurations have been triggering false alarms in hijack detection systems. To validate our findings, we build a ground-truth dataset of 294 misconfigured prefixes through direct engagement with 174 network operators. We also interviewed 16 large ISPs and major leasing brokers about their ROA management practices, and we propose suggestions to avert ROA misconfigurations.
Taken together, this study not only fills gaps left by previous research but also offers actionable recommendations to network operators for improving ROA management and minimizing the occurrence of RPKI-invalid announcements.