A new efficient RPKI Design

📅 2025-07-02

🤖 AI Summary
RPKI, the foundational security framework for BGP, suffers from high validation overhead, metadata redundancy, and poor storage/processing efficiency due to its reliance on legacy PKI components—X.509 certificates, ASN.1/XML encoding, and XML-based repository protocols—hindering large-scale deployment. This paper presents the first systematic analysis of RPKI’s complexity sources and proposes iRPKI, a lightweight architecture that eliminates end-entity certificates and standalone ROA signatures, unifies security objects, and streamlines metadata design. It replaces ASN.1/XML with Protocol Buffers and redesigns compute-intensive validation logic and repository protocols. The solution preserves backward compatibility while eliminating multiple known vulnerabilities. Evaluated in Routinator, iRPKI achieves a 20× improvement in validation throughput, an 18× reduction in bandwidth consumption, an 8× decrease in cache memory usage, and resolves at least ten CVE-identified flaws.

📝 Abstract
Resource Public Key Infrastructure (RPKI) is a critical security mechanism for BGP, but the complexity of its architecture is a growing concern as its adoption scales. Current RPKI design heavily reuses legacy PKI components, such as X.509 EE-certificates, ASN.1 encoding, and XML-based repository protocols, all of which introduce excessive cryptographic validation, redundant metadata, and inefficiencies in both storage and processing. We show that these design choices, although based on established standards, create significant performance bottlenecks, increase the vulnerability surface, and hinder scalability for wide-scale Internet deployment. In this paper, we perform the first systematic analysis of the root causes of complexity in RPKI's design and experimentally quantify their real-world impact. We show that over 70% of validation time in RPKI relying parties is spent on certificate parsing and signature verification, much of it unnecessary. Building on this insight, we introduce the improved RPKI (iRPKI), a backwards-compatible redesign that preserves all security guarantees while substantially reducing protocol overhead. iRPKI eliminates EE-certificates and ROA signatures, merges revocation and integrity objects, replaces verbose encodings with Protobuf, and restructures repository metadata for more efficient access. We experimentally demonstrate that our implementation of iRPKI in the Routinator validator achieves a 20x speed-up of processing time, 18x improvement of bandwidth requirements and 8x reduction in cache memory footprint, while also eliminating classes of vulnerabilities that have led to at least 10 vulnerabilities in RPKI software. iRPKI significantly increases the feasibility of deploying RPKI at scale in the Internet, and especially in constrained environments. Our design may be deployed incrementally without impacting existing operations.

Problem

Research questions and friction points this paper is trying to address.

Reduces RPKI complexity and inefficiencies in storage and processing
Addresses performance bottlenecks and vulnerability surface in RPKI
Improves scalability for wide-scale Internet deployment of RPKI

Innovation

Methods, ideas, or system contributions that make the work stand out.

Eliminates EE-certificates and ROA signatures
Replaces verbose encodings with Protobuf
Restructures repository metadata for efficiency