a study of rpki deployment and discussion for improvement
play

A study of RPKI deployment and discussion for improvement RPKI is - PowerPoint PPT Presentation

Mar 22, 2024 •135 likes •583 views

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1 Outlines RPKI deployment and invalid route origins

  1. A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1

  2. Outlines • RPKI deployment and invalid route origins • RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and Invalid Route Origins [IMC’19] • Discussion (Follow-up works) 2

  3. RPKI is Coming of Age A Longitudinal Study of RPKI Deployment and Invalid Route Origins Taejoong (Tijay) Chung § , Emile Aben † , Tim Bruijnzeels ‡ , Balakrishnan Chandrasekaran △ , David Choffnes*, Dave Levin + , Bruce Maggs° ◆ , Alan Mislove*, Roland van Rijswijk-Deij ‡± , John Rula ◆ , Nick Sullivan ※ § Rochester Institute of Technology, † RIPE NCC, ‡ NLNetLabs, △ Max Planck Institute for Informatics, *Northeastern University, + University of Maryland, °Duke University, ± University of Twente, ◆ Akamai Technologies, ※ Cloudflare 3

  4. RPKI is Coming of Age A Longitudinal Study of RPKI Deployment and Invalid Route Origins 4

  5. Resource PKI (Public Key Infrastructure) • Public Key Infrastructure framework designed to secure Internet’s routing structure; specifically BGP (developed starting in 2008) (Cryptographically verifiable) Prefix-to-AS Mapping Database 185.34.56.0/22 AS3356 BGP announcement AS 4385 129.21.128.0/17 AS4385 129.21.0.0/16 … 129.21.0.0/16 1299 3356 4385 … Owner Router … Prefix AS-PATH 129.21.0.0/16 AS4385 193.56.235.0/24 AS3549 5

  6. RPKI: How it works? What does an resource owner needs to do to protect their IP prefixes? BGP announcement AS 4385 129.21.0.0/16 Owner Router How can a router verify it using RPKI? 6

  7. RPKI Structure { Certificate 129.21.0.0/16 AS 4385 129.21.0.0/20, AS 4385 Validated ROA Payload (VRP) 129.21.1.0/20, AS 4385 ROA Route Origin Authorization 129.21.240.0/20, AS 4385 129.21.0.0/16-20, AS 4385 MaxLength 7

  8. RPKI Structure Regional Internet Registries RIPE NCC AFRINIC ARIN APNIC LACNIC Sign { LIRs Certificate (e.g., ISP) Certificate 129.21.0.0/16 AS 4385 129.21.0.0/20, AS 4385 Validated ROA Payload (VRP) 129.21.1.0/20, AS 4385 ROA Route Origin Authorization 129.21.240.0/20, AS 4385 129.21.0.0/16-20, AS 4385 MaxLength 8

  9. RPKI: How it works? What does an resource owner needs to do to protect their IP prefixes? BGP announcement AS 4385 129.21.0.0/16 Owner Router How can a router verify BGP announcements using RPKI? 9

  10. RPKI: How it works? Validation process: Valid Prefix-to-AS Mapping Database BGP announcement 1.1.0.0/16 AS 111 1.1.0.0/16 AS 111 1.1.0.0/16 AS 111 Router 2.0.0.0/8-16 AS 222 3.3.0.0/16 AS 333 4.4.4.0/24 AS 444 10

  11. RPKI: How it works? Validation process: Valid (w/ MaxLength) Prefix-to-AS Mapping Database BGP announcement 2.24.0.0/16 AS 222 1.1.0.0/16 AS 111 Router 2.0.0.0/8-16 AS 222 2.0.0.0/8-16 AS 222 3.3.0.0/16 AS 333 4.4.4.0/24 AS 444 11

  12. RPKI: How it works? Validation process: Invalid (too-specific) Prefix-to-AS Mapping Database BGP announcement 3.3.3.0/24 AS 333 1.1.0.0/16 AS 111 Covered, but the announcement Router is too specific 2.0.0.0/8-16 AS 222 3.3.0.0/16 AS 333 3.3.0.0/16 AS 333 4.4.4.0/24 AS 444 12

  13. RPKI: How it works? Validation process: Invalid (wrong ASN) Prefix-to-AS Mapping Database BGP announcement 4.4.4.0/24 AS 555 1.1.0.0/16 AS 111 IP prefix is matched, Router but the ASN is di ff erent. 2.0.0.0/8-16 AS 222 3.3.0.0/16 AS 333 4.4.4.0/24 AS 444 4.4.4.0/24 AS 444 13

  14. RPKI: How it works? Validation process: Unknown (Uncovered) Prefix-to-AS Mapping Database BGP announcement 5.5.0.0/16 AS 555 ? 1.1.0.0/16 AS 111 Router Uncovered, thus unknown 2.0.0.0/8-16 AS 222 3.3.0.0/16 AS 333 4.4.4.0/24 AS 555 14

  15. RPKI: How it works? Validation Process ? There is a VRP that “covers” IP prefix The ASN of the VRP and the ASN in the BGP are identical? There is a VRP that matches IP prefix (using MaxLength, if exists)

  16. Datasets (1) RPKI Objects VRPs (from the latest snapshot) Measurement Period* Percent Number of ASes APNIC 2011-01 ~ 2019-02 14,025 8.14% LACNIC 2011-01 ~ 2019-02 4,510 9.33% RIPENCC 2011-01 ~ 2019-02 40,830 16.04% ARIN 2012-09 ~ 2019-02 4,575 1.47% AFRINIC 2011-01 ~ 2019-02 176 3.30% 16 *https://ftp.ripe.net/rpki

  17. Deployment: VRPs 40000 IP Prefixes (IPv4) APNIC LACNIC 30000 # of VRP RIPENCC ARIN 20000 AFRINIC 10000 A general increasing trend in adoption of RPKI! 0 20 authorized by VRP % of ASes 15 10 It varies significantly between RIRs: 5 1.38% (ARIN) ~ 15.11% (RIPENCC) of ASes and 2.7% (AFRINIC) ~ 30.6% (RIPENCC) of IPv4 0 40 authorized by VRP addressesare authorized by VRPs 30 % of IPv4s 20 10 0 2011 2012 2013 2014 2015 2016 2017 2018 2019 Date 17 * AS4775, AS10091, AS9299

  18. Datasets (2) BGP Announcements # of Measurement Period VPs Prefixes RIPE-RIS 2011-01 ~ 2018-12 24 905K RouteViews 2011-01 ~ 2018-12 23 958K Akamai 2017-01 ~ 2018-12 3,300 1.94M More than 46 Billion BGP announcements 18

  19. Deployment: BGP announcements w/ RPKI 30 Akamai % of VRP -covered announcements 25 RIPE-RIS RouteViews 20 15 10 5 0 2011 2012 2013 2014 2015 2016 2017 2018 2019 Date Deployment RPKI-enabled BGP announcements are consistently increasing 19

  20. RPKI validation over BGP announcements ? 43 B (91.9%) (unknown) 3.5 B (90.4%) BGP BGP ann. ann. 344 M (9.6%) 46.8 B 3.8 B (8.1%) Covered 20

  21. RPKI validation over BGP announcements During 2011, 48.92% covered announcements were invalid; 27.47% of invalid were due to announced IP prefixes being covered, but not matched with VRPs % of unique RPKI-invalid 100 ? 43 B (91.9%) advertisements 80 (Not covered) 3.5 B (90.4%) 60 BGP BGP 40 ann. ann. 344 M (9.6%) 20 46.8 B 3.8 B (8.1%) 0 2011 2012 2013 2014 2015 2016 2017 2018 2019 Date Only 2~4% 21 21

  22. Then, why are they invalid? ? There is a VRP that “covers” IP prefix The ASN of the VRP and the ASN in the BGP are identical? There is a VRP that matches IP prefix (using MaxLength, if exists)

  23. Then, why are they invalid? ? There is a VRP that “covers” IP prefix Potential Reasons: The ASN of the VRP and the ASN in the BGP • Malicious hijacking attacks? are identical? Wrong ASN Potential Reasons: • Misunderstanding of ROAs (VRPs) of There is a VRP that matches IP prefix network operators* (using MaxLength, if exists) • Stale ROAs • … Too-specific * Y. Gilad, O. Sagga, and S. Goldberg. MaxLength Considered Harmful to the RPKI. CoNEXT, 2017.

  24. Too specific vs. Wrong ASNs 6000 Akamai 4000 Number of Unique Invalid Advertisements 2000 Too Specific Wrong ASNs 0 6000 RIPE-RIS 4000 2000 0 12000 Routeviews 8000 4000 0 2011 2012 2013 2014 2015 2016 2017 2018 2019 Date 24

  25. Too specific vs. Wrong ASNs 6000 AS 5089 (Virgin Media Limited) Akamai 4000 Number of Unique Invalid Advertisements On April 16, 2018, 2000 3,200 IP prefixes are more specific than the Too Specific VRPs; none of them specified MaxLength Too Specific 0 6000 RIPE-RIS AS12322 (Free SAS) 4000 6 ROAs for 7,671 (96.0%) IP prefixes 8,800 IP prefixes went invalid failing to 2000 are more specific than the VRPs (w/o specify a proper value for MaxLength MaxLength) 0 12000 January 22, 2012 Routeviews 8000 January 21, 2012 October 23, 2018 4000 Added the MaxLength to include 0 more specific IP prefixes 2011 2012 2013 2014 2015 2016 2017 2018 2019 Date 25

  26. Wrong ASN 3000 Akamai 2500 2000 1500 Same ISP The number of BGP announcements 1000 P-C or C-P DDoS Protection 500 Other 0 having a wrong ASN 3000 Same ISP Two di ff erent ASNs are managed by the same operator RIPE-RIS 2500 2000 Provider—Customer An AS can sub-allocate part of its IP prefixes to its 1500 Relationship customer 1000 Origin ASes may outsource “scrubbing” of their tra ffi c by 500 DDoS Protection using tra ffi c diversion to a DDoS protection service (DPS) 0 3000 Routeviews 2500 Other We don’t know, but it could be malicious (e.g., hijacking) 2000 1500 1000 500 0 2011 2012 2013 2014 2015 2016 2017 2018 2019 Date 26

  27. Wrong ASN: Same ISP 3000 Akamai 2500 Same ISP Two di ff erent ASNs are managed by the same operator 2000 1500 Same ISP Provider—Customer An AS can sub-allocate part of its IP prefixes to its The number of BGP announcements 1000 Same ISP Relationship customer Same ISP 500 Same ISP Origin ASes may outsource “scrubbing” of their tra ffi c by 0 DDoS Protection having a wrong ASN 3000 using tra ffi c diversion to a DDoS protection service (DPS) RIPE-RIS 2500 2000 Other We don’t know, but it could be malicious (e.g., hijacking) 1500 1000 500 0 3000 Telmex Columbia S.A. manages two ASes (AS 10620, 14080) Routeviews 2500 AS 10620 announced 1,500 prefixes supposed to be from AS 14080 2000 for 9 months 1500 1000 500 0 2011 2012 2013 2014 2015 2016 2017 2018 2019 Date 27

Recommend

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study. IETF 89 LONDRES MARCH 2014 Fabin Meja Why and who? BGP origin validation based on RPKI is in early stages of deployment. It is necessary to

314 views • 13 slides
Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania December 10, 2019 Research supported by NSF EAGER Award #1748362 Global RPKI Deployment ASes Validating Routes 5%, 5 3%, 3 9%, 8 12%, 11 71%, 65

216 views • 8 slides
FEASIBILITY STUDY ON DEPLOYMENT OF FEASIBILITY STUDY ON DEPLOYMENT OF THE FIRST UNIT OF RUTA-

FEASIBILITY STUDY ON DEPLOYMENT OF FEASIBILITY STUDY ON DEPLOYMENT OF THE FIRST UNIT OF RUTA-

International Conference on Non-Electric Applications of Nuclear Power: Seawater Desalination, Hydrogen Production and other Industrial Applications 16 19 April 2007, Oarai, Japan FEASIBILITY STUDY ON DEPLOYMENT OF FEASIBILITY STUDY ON

431 views • 21 slides
Continuous Improvement Toolkit QFD (Quality Function Deployment) Continuous Improvement Toolkit .

Continuous Improvement Toolkit QFD (Quality Function Deployment) Continuous Improvement Toolkit .

Continuous Improvement Toolkit QFD (Quality Function Deployment) Continuous Improvement Toolkit . www.citoolkit.com The Continuous Improvement Map Managing Deciding & Selecting Planning & Project Management* Risk PDPC Decision

690 views • 11 slides
HISD SciPack Deployment Presentation on Outcomes from the Study of a SciPack Deployment in the

HISD SciPack Deployment Presentation on Outcomes from the Study of a SciPack Deployment in the

HISD SciPack Deployment Presentation on Outcomes from the Study of a SciPack Deployment in the Houston Independent School District during School Year 2009-2010 www.edvantia.org SciPack Study Design & Process Selection of SciPacks: After

137 views • 12 slides
Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

889 views • 51 slides
Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1 Thursday, August 1, 13 RPKI Tools The authors believe the information already contained in the RPKI has value in itself, even for operators not

305 views • 11 slides
Asset Manageme Ass et Management / nt / Corridor Corridor Improvement Study Improvement Study

Asset Manageme Ass et Management / nt / Corridor Corridor Improvement Study Improvement Study

State Route 8 Asset Manageme Ass et Management / nt / Corridor Corridor Improvement Study Improvement Study Irwin, Victory, and Sandycreek Townships Pub Public lic Mee Meeting ting Fr Fran anklin Hi klin High gh Scho School ol

478 views • 34 slides
AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

SECURING THE INTERNET VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot 2020 RPKI Feb 20 ABOUT REANNZ New Zealands NREN Engineering team of 7

662 views • 54 slides
From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014 Overview Motivation: The RPKI* (2011 to present) secures interdomain routing,

660 views • 27 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
One Size Does Not Fit All: An Empirical Study of Containerized Continuous Deployment Workflows

One Size Does Not Fit All: An Empirical Study of Containerized Continuous Deployment Workflows

One Size Does Not Fit All: An Empirical Study of Containerized Continuous Deployment Workflows Yang Zhang, Bogdan Vasilescu, Huaimin Wang, Vladimir Filkov November 7, 2018 Continuous Delivery/Deployment It is the ability to release A software

513 views • 19 slides
RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI Overview Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 2 Simply put 3 parts - Create certificates - Install/run validator -

562 views • 17 slides
Forests NSW Forests NSW Spotted Gum ( Corymbia spp.) Tree improvement and deployment strategy

Forests NSW Forests NSW Spotted Gum ( Corymbia spp.) Tree improvement and deployment strategy

Forests NSW Forests NSW Spotted Gum ( Corymbia spp.) Tree improvement and deployment strategy Michael Henson, Helen Smith, and Steve Boyton www.dpi.nsw.gov.au Corymbia Tree Improvement Forests NSW Corymbia Plantations Breeding

569 views • 21 slides
Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Applied Networking Research Workshop 2020 acm sigcomm Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer SIT Motivation - Resource Public Key Infrastructure (RPKI) secures the interdomain routing

586 views • 39 slides
Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0 Project: New RPKI system DNSSEC v2.0 Project: New DNSSEC signer IETF activities: Identity and join key WGs and RGs African Internet Resources

308 views • 13 slides
Telegraph Road corridor improvement plan MONROE, MI agenda 1. Purpose of the Study 2. Summary

Telegraph Road corridor improvement plan MONROE, MI agenda 1. Purpose of the Study 2. Summary

Telegraph Road corridor improvement plan MONROE, MI agenda 1. Purpose of the Study 2. Summary of Major Findings 3. Recommended Corridor Improvements 4. Catalytic Sites 5. Implementation 6. Questions and Discussion 2 purpose of the study

428 views • 21 slides
A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Validator http://rpki.net/ A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts Connection Counts Objects/Connection Seconds/Object Rob Austein

663 views • 32 slides
Deployment on BGP Security Alexandru tefnescu alex.stefa@gmail.com Benno Overeinder

Deployment on BGP Security Alexandru tefnescu alex.stefa@gmail.com Benno Overeinder

Effects of RPKI Deployment on BGP Security Alexandru tefnescu alex.stefa@gmail.com Benno Overeinder Guillaume Pierre NLnetLabs VU Amsterdam benno@nlnetlabs.nl gpierre@cs.vu.nl VU Amsterdam 12 July 2011 Outline BGP Routing

402 views • 26 slides
Presented by: Doretta Richardson Pre-Deployment Brief Got Deployment? 2 Pre-Deployment Workshop

Presented by: Doretta Richardson Pre-Deployment Brief Got Deployment? 2 Pre-Deployment Workshop

Presented by: Doretta Richardson Pre-Deployment Brief Got Deployment? 2 Pre-Deployment Workshop R U Ready? This is my vest this is my CORE. These are all of the things I need as a Marine to be successful during this deployment: Who

426 views • 25 slides
Presented by: Doretta Richardson Pre-Deployment Brief Got Deployment? 2 Pre-Deployment Workshop

Presented by: Doretta Richardson Pre-Deployment Brief Got Deployment? 2 Pre-Deployment Workshop

Presented by: Doretta Richardson Pre-Deployment Brief Got Deployment? 2 Pre-Deployment Workshop R U Ready? This is my vest this is my CORE. These are all of the things I need as a Marine to be successful during this deployment: Who

453 views • 34 slides
How t o S ust ain a Cult ure of Cont inuous Improvement : An Execut ive Discussion June 11,

How t o S ust ain a Cult ure of Cont inuous Improvement : An Execut ive Discussion June 11,

How t o S ust ain a Cult ure of Cont inuous Improvement : An Execut ive Discussion June 11, 2019 Phil McIntyre, Managing Director Discussion Topics Intro to Milliken & Co. and why we began our Journey Key Elements to Creating a

525 views • 35 slides
I- -66 Spot Improvement Design Study 66 Spot Improvement Design Study I 1 Spot Improvement

I- -66 Spot Improvement Design Study 66 Spot Improvement Design Study I 1 Spot Improvement

I- -66 Spot Improvement Design Study 66 Spot Improvement Design Study I 1 Spot Improvement Results Feasibility Study Results Agenda Agenda Next Steps Overview I - -66 I nside the Beltway 66 I nside the Beltway I

399 views • 23 slides
Case Study - Continuous Deployment at Outbrain Itai Hochman VP Engineering at Outbrain

Case Study - Continuous Deployment at Outbrain Itai Hochman VP Engineering at Outbrain

Case Study - Continuous Deployment at Outbrain Itai Hochman VP Engineering at Outbrain Continuous Deployment Outbrain Few Facts From Releases to CD Culture Architecture Tools Outbrain enables readers to discover

549 views • 35 slides

More recommend