Securing Route Origin Authorization with Blockchain for Inter-Domain Routing

The inter-domain routing with BGP is highly vulnerable to malicious attacks, due to the lack of a secure means of verifying authenticity and legitimacy of inter-domain routes. Resource Public Key Infrastructure (RPKI) is a new security infrastructure to verify that an IP address block holder has authorized an Autonomous System (AS) to originate routes by maintaining a Route Origin Authorization (ROA) repository, preventing the most devastating prefix hijacks in BGP. However, RPKI is a centralized hierarchical architecture that may empower the centralized authorities to unilaterally revoke or compromise any IP prefixes under their control. To eliminate the risks of RPKI, we present ROAchain, a novel BGP security infrastructure based on blockchain. Different from RPKI, ROAchain is a decentralized architecture, in which each AS maintains a globally consistent and tamper-proof ROA repository, authenticating the legitimacy of route origin and preventing BGP prefix hijacks. In ROAchain, a novel consensus algorithm is proposed to guarantee the strong consistency, scalability, and security of the system. Moreover, an incremental deployment scheme is designed without changing the current BGP protocol. Finally, ROAchain is implemented in Golang and validated on the Google Cloud.