Measuring the Adoption of Route Origin Validation and Filtering - PowerPoint PPT Presentation

  1. Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Wählisch PEERING The BGP Testbed

  2-3. The BGP Problem
  (Diagram; labels: AS A, AS B, AS C, AS D, prefix P, "Legitimate Origin", "Attacker". AS A is the legitimate origin of P; a second AS, labelled Attacker, also announces P.)

  4-7. …and the (partial) solution: RPKI
  (Same diagram, now annotated with an RPKI record published by the owner of P: Prefix: P, Legitimate Origin: AS A.)

  8-9. ROA and ROV
  Route Origin Authorization (ROA): the prefix owner authorizes an AS to legitimately announce the prefix.
  Route Origin Validation (ROV): a BGP router validates received routes using ROA information.

  10-12. Research Problem
  Goal: Are any ASes using ROV-based filtering policies?
  • Assess the current state of deployment
  • Track deployment over time
  • Create an incentive to deploy
  Challenge: Private router configurations must be inferred.

  13. Route Collectors & Vantage Points
  Vantage Point (VP): a BGP router that exports BGP updates to a route collector.
  Route Collector (RC): a BGP router that dumps received BGP updates.
  (Diagram; labels: AS A, AS B, P, Route Collector.)

  14-16. Measuring ROV: Approaches
  Uncontrolled
    Description: analyze existing BGP data and ROAs, trying to infer who is filtering.
    Property: needs existing data; fast.
  Controlled
    Description: actively inject routes and dynamically create ROAs; analyze the resulting data to infer who is filtering.
    Property: needs own AS and prefixes; slow.

  17-19. Controlled Experiments
  Goal: Find ASes that filter invalid routes.
  BGP: announce prefixes P_A (Anchor) and P_E (Experiment)
  • Same RIR DB route object
  • Same prefix length
  • Announced at the same time
  • Announced to the same peers
  • Announced from the same origin AS
  RPKI: issue ROAs for both prefixes
  • The P_A announcement is always valid.
  • Periodically change the ROA for P_E: flips the announcement from valid to invalid to valid daily.

  20-21. Controlled Experiments
  Initial situation: origin AS and vantage point AS peer directly.
  (Diagram: AS47065 (PEERING*) announces P_A and P_E directly to AS A, the vantage point.)
  *https://peering.usc.edu/

  22-23. Controlled Experiments
  Observation 1: the vantage point exports no route for P_E.
  (Diagram: only P_A from AS47065 (PEERING*) is exported by the vantage point AS A.)
  Conclusion: the vantage point is using ROV-based filtering.
  *https://peering.usc.edu/

  24-25. Controlled Experiments
  Observation 2: the vantage point exports an alternate route for P_E.
  (Diagram: P_A from AS47065 (PEERING*) directly; P_E reaches the vantage point AS A via AS X.)
  Conclusion: the vantage point is using ROV-based filtering selectively.
  *https://peering.usc.edu/

  26-27. Controlled Experiments
  Situation: origin AS and vantage point AS do not peer directly.
  (Diagram: AS47065 (PEERING*) announces P_A and P_E to AS X, which passes them on to the vantage point AS A.)
  *https://peering.usc.edu/

  28. Controlled Experiments
  Observation 1: the vantage point exports no route for P_E.
  (Diagram: P_A from AS47065 (PEERING*) via AS X; no route for P_E at the vantage point AS A.)
  *https://peering.usc.edu/

  29. Controlled Experiments
  Observation 2: the vantage point exports a different route for P_E.
  (Diagram: P_A from AS47065 (PEERING*) via AS X; P_E via AS Y at the vantage point AS A.)
  *https://peering.usc.edu/

  30-31. Controlled Experiments
  Problem: measuring a vantage point AS that is not a direct peer introduces ambiguity: is the vantage point AS filtering, or an intermediate AS?
  Solution: establish direct peering with the vantage point AS, or check whether the intermediate ASes have vantage points.
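The decision logic of slides 17 to 31 (anchor prefix P_A as control, experiment prefix P_E with a flipping ROA, the two observations, and the direct-peer ambiguity) written out as an added example; this is not code from the talk or from the authors' rov.rpki.net implementation. The snapshot format, the AS numbers 64500/64501/64510 and the sample observations are constructed.

```python
# Added example (not from the talk or its authors): classify one vantage point's
# treatment of the Experiment prefix P_E, using the Anchor prefix P_A as control,
# following the observation/conclusion logic of the slides. Input format and all
# sample observations are constructed for illustration.
ORIGIN_AS = 47065          # PEERING origin AS named on the slides
P_A, P_E = "P_A", "P_E"    # anchor and experiment prefix labels (placeholders)

def classify_vantage_point(vp_as, observations, origin_as=ORIGIN_AS):
    """observations: one {"roa": "valid"|"invalid", "routes": {prefix: path}} per
       daily snapshot; path is the exported AS path from vp_as to the origin, or
       None if the vantage point exported no route. Returns (verdict, direct_peer)."""
    verdicts, direct_peer = set(), True
    for snap in observations:
        anchor = snap["routes"].get(P_A)
        if anchor is None or anchor[-1] != origin_as:
            return ("inconclusive: anchor prefix not seen from origin", None)
        # Direct peering: anchor path is exactly [vantage point, origin]; anything
        # longer leaves an intermediate AS that could be the one filtering.
        if anchor != [vp_as, origin_as]:
            direct_peer = False
        exp = snap["routes"].get(P_E)
        if snap["roa"] == "valid":
            if exp != anchor:   # while valid, P_E must look exactly like P_A
                return ("inconclusive: P_E differs from P_A while valid", direct_peer)
            continue
        # ROA flipped: P_E is RPKI-invalid in this snapshot.
        if exp is None:
            verdicts.add("drops invalid")          # Observation 1 on the slides
        elif exp != anchor:
            verdicts.add("selective filtering")    # Observation 2: alternate route
        else:
            verdicts.add("not filtering")
    if not verdicts:
        return ("inconclusive: no invalid-state snapshot", direct_peer)
    if len(verdicts) > 1:
        return ("inconsistent: " + ", ".join(sorted(verdicts)), direct_peer)
    verdict = verdicts.pop()
    if not direct_peer and verdict != "not filtering":
        verdict += " (ambiguous: vantage point or intermediate AS)"
    return (verdict, direct_peer)

# Constructed samples: AS 64500 peers directly with the origin; AS 64501 reaches it
# through AS 64510, so a missing P_E cannot be attributed to AS 64501 alone.
DIRECT_OBS = [
    {"roa": "valid",   "routes": {P_A: [64500, ORIGIN_AS], P_E: [64500, ORIGIN_AS]}},
    {"roa": "invalid", "routes": {P_A: [64500, ORIGIN_AS], P_E: None}},
]
INDIRECT_OBS = [
    {"roa": "valid",   "routes": {P_A: [64501, 64510, ORIGIN_AS], P_E: [64501, 64510, ORIGIN_AS]}},
    {"roa": "invalid", "routes": {P_A: [64501, 64510, ORIGIN_AS], P_E: None}},
]
```

Running `classify_vantage_point(64500, DIRECT_OBS)` yields a clean "drops invalid" verdict, while the same observations behind an intermediate AS come back flagged as ambiguous, which is exactly the case slides 30-31 resolve by peering directly or checking the intermediate AS.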

  32. Controlled Experiments: Results
  Before October 20th 2017:
  - Three ASes drop invalid routes
  October 20th 2017:
  - AMS-IX route server changes ROV-based filtering to ‘opt-out’
  - 50+ ASes “drop” invalid routes
  Caveat: Technically, using route server filtering isn’t “deploying ROV”!

  33-35. ROV Deployment Monitor
  Idea: give the networking community the means to assess the state of deployment. Launched rov.rpki.net.
  https://rov.rpki.net implements our measurement methodology: a table of ASes that have deployed ROV, updated daily; details show the vantage points of each AS.

  36-39. Data Plane
  Idea: complementary measurements. Using RIPE Atlas, traceroute towards prefixes P_A and P_E.
  Successful traceroute to P_A + unsuccessful traceroute to P_E when routes are invalid = some AS on the path is using ROV!
  Note: false negatives are possible because of default routes!

  40-43. Conclusion
  • Controlled experiments are crucial to measuring adoption of ROV-based filtering policies
  • There are ASes that do ROV-based filtering. Before Oct. 2017: at least 3 ASes drop invalids. After Oct. 2017: 50+ ASes drop invalids via the route server at AMS-IX
  • IXPs offering ROV at route servers can boost deployment

  44. Conclusion
  Please peer with PEERING* and route collectors! Questions?
  ROV Deployment Monitor: rov.rpki.net
  More details about the methodology: ACM CCR 48(1)
  *https://peering.usc.edu/

  45. Reference
  Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch, “Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering”, ACM SIGCOMM Computer Communication Review, Vol. 48, No. 1, pp. 19-27, Jan. 2018.

  46. Backup

  47. Uncontrolled Experiments
  Limited Control: don’t know origin AS policy; can’t distinguish between ROV-filtering and other filtering.
  Limited Visibility: incomplete data can lead to misclassification.
  Reproducibility: No.

  48. Controlled: Advantages
  Limited Control: control origin AS policy, can announce own routes; can distinguish ROV-filtering by changing route RPKI state.
  Limited Visibility: less of an issue, only care about our routes.
  Reproducibility: Yes.

  49-50. Uncontrolled Experiments
  (Diagram; labels: AS A, AS B, AS C, AS E, P_1, P_2, Vantage Point E.)
  Does AS C filter P_2 because its AS B announcement is invalid?

  51. Uncontrolled Experiments
  (Diagram; labels: AS A, AS B, AS C, AS D, P_1, P_2, Vantage Point D.)
  Probably not!
