Securing Internet Routing: Measuring and Improving the Resource Public Key Infrastructure
Abstract
The Border Gateway Protocol (BGP) underpins global Internet routing among thousands of Autonomous Systems (ASes) but lacks built-in security. The Resource Public Key Infrastructure (RPKI) enhances BGP security by verifying route authenticity through Route Origin Validation (ROV). However, its effectiveness remains limited by partial adoption, misconfigurations, and collateral routing effects. This dissertation conducts a comprehensive study of RPKI deployment and proposes practical methods to strengthen ROV security. First, we present RoVista, a scalable measurement framework that leverages in-the-wild RPKI-invalid prefixes to assess real-world ROV enforcement across 28,000 ASes. Second, we identify and mitigate collateral damage, where ROV-enabled networks can still misroute traffic via vulnerable next hops. We design ImpROV, a lightweight mechanism that proactively avoids such paths, reducing hijack risks with minimal computational overhead. Finally, we uncover systematic causes of RPKI-invalid prefixes—chiefly misconfigurations in IP leasing and transit services—and quantify their impact on routing reliability and hijack detection. These contributions provide the foundation for the development of scalable RPKI measurement techniques, new strategies for mitigating collateral damage, and actionable recommendations for improving ROA management practices.
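The collateral damage described in the abstract, as an added illustration (not code from the dissertation, RoVista or ImpROV): origin validation following RFC 6811, plus a two-AS forwarding model in which an ROV-enforcing AS hands traffic to a next hop that does not filter. The prefixes, AS numbers, `Router` class and topology are constructed for this example.

```python
import ipaddress

# Constructed data: documentation prefix (RFC 5737) and documentation ASNs (RFC 5398).
ROAS = [("192.0.2.0/24", 24, 64500)]  # (prefix, maxLength, authorized origin AS)

def validate(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True  # at least one ROA covers this route
            if asn == origin and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"

class Router:
    """Hypothetical one-router AS with a RIB keyed by prefix."""
    def __init__(self, enforces_rov):
        self.enforces_rov, self.rib = enforces_rov, {}

    def receive(self, prefix, origin, next_hop):
        if self.enforces_rov and validate(prefix, origin) == "invalid":
            return False  # ROV policy: drop RPKI-invalid announcements
        self.rib[ipaddress.ip_network(prefix)] = next_hop
        return True

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.rib if addr in n]
        return self.rib[max(matches, key=lambda n: n.prefixlen)] if matches else None

def deliver(routers, start, dst):
    """Follow longest-prefix-match next hops; return the AS that ends up with the traffic."""
    hop = start
    while hop in routers:
        hop = routers[hop].lookup(dst)
    return hop

def build_topology():
    a, b = Router(enforces_rov=True), Router(enforces_rov=False)
    for prefix, origin in [("192.0.2.0/24", 64500), ("192.0.2.128/25", 64511)]:
        b.receive(prefix, origin, next_hop=f"AS{origin}")  # B accepts both routes
        a.receive(prefix, origin, next_hop="B")            # A drops the invalid /25
    return {"A": a, "B": b}

if __name__ == "__main__":
    print(deliver(build_topology(), "A", "192.0.2.200"))  # prints AS64511
```

A enforces ROV and never installs the /25, yet its traffic for 192.0.2.200 still ends at AS64511 because next hop B forwards on the more-specific invalid route.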