The solution is to have routers verify that the IP address blocks announced by others routers actually belong to their networks. One method, Resource Public Key Infrastructure (RPKI), uses a system of cryptographic certificates that verify an IP address block indeed belongs to a certain network.
RPKI is complex, and deployment has been slow. Experts recently came up with an alternate system, nicknamed Rover for Route Origin Verification, that may be easier.
Rover stores the legitimate route information within the DNS, the enormous distributed database that translates a domain name into an IP address that can be called into a browser. That route information can be signed with DNSSEC, the security protocol that allows DNS records to be cryptographically signed, which is being widely adopted.
The advantages with Rover are that no changes need to be made to existing routers, and it can work alongside RPKI. "The whole infrastructure of securing the answer [of whether the route is legitimate] already exists," said Gersch, who has authored two specifications for how to name a route and the type of record that could be inserted into the DNS.
The specifications are currently in "internet daft" status before the Internet Engineering Task Force. The next step to becoming a standard is for a working group to adopt the documents, Gersch said.
Send news tips and comments to firstname.lastname@example.org.