IP prefix hijacks allow adversaries to redirect and intercept traffic, posing a threat to the stability and security of the Internet. To prevent prefix hijacks, networks should deploy RPKI and filter bogus BGP announcements with invalid routes. In this work we evaluate the impact of RPKI deployments on the security and resilience of the Internet. We aim to understand which networks filter invalid routes and how effective that filtering is in blocking prefix hijacks. We extend previous data acquisition and analysis methodologies to obtain more accurate identification of networks that filter invalid routes with RPKI. We find that more than 27% of networks enforce RPKI filtering and show for the first time that deployments follow the business incentives of inter-domain routing: providers have an increased motivation to filter in order to avoid losing customers' traffic. Analyzing the effectiveness of RPKI, we find that the current trend to deploy RPKI on route servers of Internet Exchange Points (IXPs) provides only localized protection against hijacks and has negligible impact on preventing their spread globally. In contrast, we show that RPKI filtering in Tier-1 providers greatly benefits the security of the Internet as it limits the spread of hijacks to a localized scope. Based on our observations, we provide recommendations on the future roadmap of RPKI deployment. We make our datasets available for public use [https://sit4.me/rpki].