DISCO: Sidestepping RPKI's Deployment Barriers.

Tomas Hlavacek, Ítalo Cunha, Yossi Gilad, Amir Herzberg, Ethan Katz-Bassett, Michael Schapira, Haya Shulman

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review


BGP is a gaping security hole in today's Internet, as evidenced by numerous Internet outages and blackouts, repeated traffic hijacking, and surveillance incidents. Yet, despite Herculean efforts, ubiquitous deployment of the Resource Public Key Infrastructure (RPKI), designed to protect against prefix hijacking attacks, remains distant, due to RPKI's manual and error-prone certification process. We argue that deploying origin authentication at scale requires substituting the standard requirement of certifying legal ownership of IP address blocks with the goal of certifying de facto ownership. We show that settling for de facto ownership is sufficient for protecting against hazardous prefix hijacking and can be accomplished without requiring any changes to today's routing infrastructure. We present APKI, a readily deployable system that automatically certifies de facto ownership and generates the appropriate BGP-path-filtering rules at routers. We evaluate APKI's security and deployability via live experiments on the Internet using a prototype implementation of APKI and through simulations on empirically-derived datasets. To facilitate the reproducibility of our results, we open source our prototype, simulator, and measurement analysis code.
Original language: English
Title of host publication: NDSS Symposium 2020
State: Published - 2020
Event: Network and Distributed Systems Security (NDSS) Symposium 2020 - Catamaran Resort Hotel & Spa, San Diego, United States
Duration: 23 Feb 2020 → 26 Feb 2020


Conference: Network and Distributed Systems Security (NDSS) Symposium 2020
Country/Territory: United States
City: San Diego

