The Hybrid ROA: A Flexible and Scalable Encoding Scheme for Route Origin Authorization

On top of the Resource Public Key Infrastructure (RPKI), the Route Origin Authorization (ROA) creates a cryptographically verifiable binding of an autonomous system to a set of IP prefixes it is authorized to originate. By their design, ROAs can protect the inter-domain routing system against prefix and sub-prefix hijacks. However, it is hard for the state-of-the-art approach, the maxLength-based ROA encoding scheme, to guarantee security and scalability at the same time when facing various authorization scenarios. To this end, we propose a novel bitmap-based encoding scheme for ROAs to provide flexible and controllable compression. Furthermore, the hybrid ROA encoding scheme (h-ROA) is proposed, which encodes ROAs based on maxLength and bitmap jointly. This approach ensures strong security, provides flexibility and significantly improves system scalability, enabling it to effectively handle various authorization patterns. According to the performance evaluation with real-world data sets, h-ROA outperforms the state-of-the-art approach $1.99 \sim 3.28$ times in terms of the encoding speed, and it can reduce the cost of a router to synchronize all validated ROA payloads by $43.9\% \sim 56.6\%$.