ROAchain: Securing Route Origin Authorization With Blockchain for Inter-Domain Routing

Abstract

The inter-domain routing with BGP is highly vulnerable to malicious attacks, due to the lack of a secure means of verifying authenticity and legitimacy of inter-domain routes. Resource Public Key Infrastructure (RPKI) is a new security infrastructure to prevent the most devastating prefix hijacks in BGP by maintaining a Route Origin Authorization (ROA) repository. However, RPKI is a centralized hierarchical architecture that may empower the centralized authorities to unilaterally revoke or compromise any IP prefixes under their control. To eliminate the risks of RPKI, we present ROAchain, a novel BGP security infrastructure based on blockchain. Different from RPKI, ROAchain is a decentralized architecture, in which each AS maintains a globally consistent and tamper-proof ROA repository, authenticating the legitimacy of route origin and preventing BGP prefix hijacks. To ensure the strong consistency, scalability, and security of ROAchain, a novel consensus algorithm is proposed, in which the credence value, collective signing, sharding, and a penalty mechanism are introduced. Moreover, a compatibility design is proposed without changing the current BGP protocol. Finally, ROAchain is implemented in Golang and validated on the Google Cloud.