ROVER: Route Origin Verification Using DNS

Abstract

The Border Gateway Protocol (BGP) is a critical component of the global internet infrastructure. Unfortunately BGP routing was designed with limited regard for security. As a consequence there are many well-documented BGP vulnera- bilities and resulting security exploits. This paper focuses on the design of the Route Origin Verification System (ROVER); a practical solution for detecting and preventing origin and sub-prefix hijacks. ROVER is designed to work with existing systems whenever possible. In particular, ROVER exploits the reverse DNS for storing data and provides a fail-safe, best effort approach to authentication. The approach can be used with a variety of operational models including fully dynamic in-line BGP filtering, periodically updated authenticated route filters, and real-time notifications for network operators. The ROVER system is evaluated using both real operational systems and testbed deployments.