Not All Conflicts Are Created Equal: Automated Error Resolution in RPKI Deployments

We explore one of the central obstacles hindering Internet-wide adoption of RPKI: erroneous ROAs. The errors cause the ROV-filtering networks to drop legitimate traffic while leaving them exposed to hijack attacks. The fear of disconnection demotivates enforcement of ROV obviating the security benefits of RPKI. In this work we devise metrics for differentiating errors from traffic hijack attacks and evaluate them experimentally. We develop an extended ROV based on our metrics and integrate it into the ROV implementation of RIPE NCC, we call our extended validator ROV++. We evaluate the effectiveness of ROV++ in classifying conflicting BGP announcements via Internet experiments and simulations on empirically derived datasets.