Measuring the Adoption of Route Origin Validation and Filtering
Andreas Reuter (andreas.reuter@fu-berlin.de)
Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Wählisch
PEERING: The BGP Testbed
The BGP Problem
[Diagram: ASes A, B, C and D exchange routes for prefix P. AS A is the legitimate origin of P; a second AS, labelled "Attacker", also announces P.]
…and the (partial) solution: RPKI
[Diagram: same topology. An RPKI object created by the owner of P states: Prefix: P, Legitimate Origin: AS A.]
ROA and ROV
- Route Origin Authorization (ROA): the prefix owner authorizes an AS to legitimately announce the prefix.
- Route Origin Validation (ROV): a BGP router validates received routes using ROA information.
Research Problem
Goal: Are any ASes using ROV-based filtering policies?
- Assess the current state of deployment
- Track deployment over time
- Create an incentive to deploy
Challenge: Private router configurations must be inferred.
Route Collectors & Vantage Points
- Vantage Point (VP): a BGP router that exports BGP updates to a route collector.
- Route Collector (RC): a BGP router that dumps received BGP updates.
[Diagram: AS A announces P to AS B; AS B, the vantage point, exports it to the route collector.]
Measuring ROV: Approaches

              | Uncontrolled                                      | Controlled
  Description | Analyzing existing BGP data and ROAs, trying to   | Actively inject routes and dynamically create ROAs;
              | infer who is filtering                            | analyze the resulting data to infer who is filtering
  Needs       | Existing data                                     | Own AS & prefixes
  Property    | Fast                                              | Slow
Controlled Experiments
Goal: Find ASes that filter invalid routes
BGP:
- Announce prefixes P_A (Anchor) and P_E (Experiment)
- Same RIR DB route object
- Same prefix length
- Announced at the same time
- Announced to the same peers
- Announced from the same origin AS
RPKI:
- Issue ROAs for both prefixes
- The P_A announcement is always valid.
- Periodically change the ROA for P_E: this flips the announcement from valid to invalid to valid daily.
Controlled Experiments
Initial situation: Origin AS and vantage point AS peer directly
[Diagram: PEERING* (AS47065) announces P_A and P_E directly to AS A, the vantage point.]
Observation 1: Vantage point exports no route for P_E (only P_A).
Conclusion: Vantage point is using ROV-based filtering.
Observation 2: Vantage point exports an alternate route for P_E, learned via AS X.
Conclusion: Vantage point is using ROV-based filtering selectively.
*https://peering.usc.edu/
Controlled Experiments
Situation: Origin AS and vantage point AS do not peer directly
[Diagram: PEERING* (AS47065) announces P_A and P_E to AS X, which passes them on to AS A, the vantage point.]
Observation 1: Vantage point exports no route for P_E (only P_A, via AS X).
Observation 2: Vantage point exports a different route for P_E, learned via AS Y.
*https://peering.usc.edu/
Controlled Experiments
Problem: Measuring a vantage point AS that is not a direct peer introduces ambiguity: is the vantage point AS filtering, or an intermediate AS?
Solution: Establish direct peering with the vantage point AS, or check whether the intermediate ASes have vantage points of their own.
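The anchor/experiment inference described on the preceding slides, as an added example (this is not code from the slides or from the PEERING testbed). It implements RFC 6811 origin validation for the ROA flip and then compares what a vantage point exports while P_E is valid against what it exports while P_E is invalid. Only AS47065 comes from the deck; the prefixes, ROAs, AS paths and the other AS numbers are constructed placeholders, and the `intermediate_exports` convention for resolving the non-direct-peer ambiguity is my assumption about how "check if intermediate ASes have vantage points" would be applied.

```python
"""Added example (not code from the slides or the PEERING testbed): an
RFC 6811 route-origin validator plus the anchor/experiment inference the
deck describes. Prefixes, ROAs, AS paths and every AS number other than
the PEERING origin AS47065 are constructed placeholders."""
import ipaddress
from typing import Dict, Optional, Sequence, Tuple

ASPath = Tuple[int, ...]                # path as seen by the vantage point, origin last
Exports = Dict[str, Optional[ASPath]]   # prefix -> exported path (None = no route)

ORIGIN_AS = 47065            # PEERING origin AS from the slides
P_A = "198.51.100.0/24"      # constructed anchor prefix (always valid)
P_E = "203.0.113.0/24"       # constructed experiment prefix (ROA flips daily)
OTHER_AS = 64496             # constructed AS that makes the P_E ROA mismatch

# ROA tuples are (prefix, maxLength, authorized ASN)
ROAS_VALID_PHASE = [(P_A, 24, ORIGIN_AS), (P_E, 24, ORIGIN_AS)]
ROAS_INVALID_PHASE = [(P_A, 24, ORIGIN_AS), (P_E, 24, OTHER_AS)]


def rov_state(prefix: str, origin_as: int,
              roas: Sequence[Tuple[str, int, int]]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue                      # this ROA does not cover the route
        covered = True
        if asn == origin_as and route.prefixlen <= max_len:
            return "valid"                # one matching ROA is enough
    return "invalid" if covered else "notfound"


def classify_vantage_point(exports_valid: Exports, exports_invalid: Exports,
                           direct_peer: bool,
                           intermediate_exports: Optional[Dict[int, bool]] = None) -> str:
    """Compare a vantage point's exports while P_E is valid vs. invalid.

    intermediate_exports (assumed convention): for a non-direct vantage point,
    whether each intermediate AS on the P_A path still exported the invalid
    P_E route from its own vantage point (True) during the invalid phase.
    """
    # The anchor must be visible in both phases and P_E in the valid phase;
    # otherwise a missing P_E route could be reachability, not filtering.
    if (exports_valid.get(P_A) is None or exports_invalid.get(P_A) is None
            or exports_valid.get(P_E) is None):
        return "inconclusive"
    p_e_invalid = exports_invalid.get(P_E)
    if p_e_invalid is None:
        verdict = "filtering"              # Observation 1: no route for P_E
    elif p_e_invalid != exports_valid[P_E]:
        verdict = "selective filtering"    # Observation 2: alternate route for P_E
    else:
        verdict = "not filtering"          # invalid route passed through unchanged
    if direct_peer or verdict == "not filtering":
        return verdict
    # Non-direct peer: the drop may have happened at an intermediate AS instead.
    intermediates = exports_invalid[P_A][:-1]      # everything but the origin
    known = intermediate_exports or {}
    if intermediates and all(known.get(asn) is True for asn in intermediates):
        return verdict      # every intermediate still carried the invalid route
    return "ambiguous"


def run_scenarios() -> Dict[str, str]:
    """The five situations drawn on the slides, with constructed AS paths."""
    direct = (ORIGIN_AS,)
    via_x = (64497, ORIGIN_AS)     # constructed intermediate AS X
    via_y = (64498, ORIGIN_AS)     # constructed alternate path via AS Y
    valid_direct = {P_A: direct, P_E: direct}
    valid_via_x = {P_A: via_x, P_E: via_x}
    return {
        "direct, drops P_E": classify_vantage_point(valid_direct, {P_A: direct}, True),
        "direct, alternate route": classify_vantage_point(valid_direct, {P_A: direct, P_E: via_y}, True),
        "direct, unchanged": classify_vantage_point(valid_direct, valid_direct, True),
        "via X, drops P_E": classify_vantage_point(valid_via_x, {P_A: via_x}, False),
        "via X, drops P_E, X still exports it":
            classify_vantage_point(valid_via_x, {P_A: via_x}, False, {64497: True}),
    }


if __name__ == "__main__":
    for phase, roas in (("valid phase", ROAS_VALID_PHASE), ("invalid phase", ROAS_INVALID_PHASE)):
        print(phase, "P_A:", rov_state(P_A, ORIGIN_AS, roas), "P_E:", rov_state(P_E, ORIGIN_AS, roas))
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The validator returns "valid" as soon as one covering ROA matches origin and maxLength, which is why the daily flip only needs to swap the authorized ASN in the P_E ROA; the anchor ROA is never touched, so any difference between the two exports is attributable to the RPKI state alone.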
Controlled Experiments: Results
Before October 20th 2017:
- Three ASes drop invalid routes
October 20th 2017:
- AMS-IX Route Server changes ROV-based filtering to "opt-out"
- 50+ ASes "drop" invalid routes
Caveat: Technically, using Route Server filtering isn't "deploying ROV"!
ROV Deployment Monitor
Idea: Give the networking community the means to assess the state of deployment.
Launched rov.rpki.net (https://rov.rpki.net):
- Implements our measurement methodology.
- Table of ASes that have deployed ROV, updated daily.
- Details show the vantage points of each AS.
Data Plane
Idea: Complementary measurements. Using RIPE Atlas, traceroute towards prefixes P_A and P_E.
Successful traceroute to P_A + unsuccessful traceroute to P_E when routes are invalid = some AS on the path is using ROV!
Note: False negatives are possible because of default routes!
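The data-plane rule above, as an added example (not code from the slides or from RIPE Atlas): a probe's traceroutes towards P_A and P_E during the invalid phase are reduced to a verdict, and the default-route caveat is built in by treating a successful P_E traceroute as inconclusive rather than as evidence of "no ROV". The destination addresses and hop lists are constructed; `None` stands for a hop that did not answer.

```python
"""Added example (not from the slides or RIPE Atlas): classify a probe's
traceroutes towards the anchor prefix P_A and the experiment prefix P_E
while the P_E ROA is in its invalid phase. Hop lists are constructed;
None stands for a hop that did not respond ('*')."""
from typing import Dict, List, Optional

Trace = List[Optional[str]]

# Constructed destination addresses inside the two prefixes
DST_A = "198.51.100.1"
DST_E = "203.0.113.1"


def reached(trace: Trace, dst: str) -> bool:
    """True if the destination address answered on any hop."""
    return dst in trace


def last_responding_hop(trace: Trace) -> Optional[str]:
    """Last hop that answered before the trace ran out (None if nothing did)."""
    answered = [h for h in trace if h is not None]
    return answered[-1] if answered else None


def infer_rov_on_path(trace_a: Trace, trace_e: Trace) -> Dict[str, Optional[str]]:
    """Slide rule: P_A reachable + P_E unreachable (while invalid) => some AS
    on the path is using ROV.  A successful P_E trace is 'inconclusive', not
    'no ROV': a default route can still carry the packets after the invalid
    route was dropped from the RIB (the false-negative case on the slide)."""
    if not reached(trace_a, DST_A):
        return {"verdict": "no_signal", "stops_after": None}   # anchor unreachable too
    if reached(trace_e, DST_E):
        return {"verdict": "inconclusive", "stops_after": None}
    return {"verdict": "rov_on_path", "stops_after": last_responding_hop(trace_e)}


def summarize(probes: Dict[str, Dict[str, Trace]]) -> Dict[str, int]:
    """Count verdicts over a set of probes measured in the same invalid phase."""
    counts = {"rov_on_path": 0, "inconclusive": 0, "no_signal": 0}
    for traces in probes.values():
        counts[infer_rov_on_path(traces["P_A"], traces["P_E"])["verdict"]] += 1
    return counts


# Constructed sample: three probes during the invalid phase
SAMPLE_PROBES = {
    "probe-1": {"P_A": ["10.0.0.1", "10.0.1.1", DST_A],
                "P_E": ["10.0.0.1", "10.0.1.1", None, None]},   # P_E dies after 10.0.1.1
    "probe-2": {"P_A": ["10.1.0.1", DST_A],
                "P_E": ["10.1.0.1", DST_E]},                     # may be a default route
    "probe-3": {"P_A": ["10.2.0.1", None, None],
                "P_E": ["10.2.0.1", None, None]},                # anchor unreachable too
}

if __name__ == "__main__":
    for name, traces in SAMPLE_PROBES.items():
        print(name, infer_rov_on_path(traces["P_A"], traces["P_E"]))
    print(summarize(SAMPLE_PROBES))
```

The "stops_after" hop is only the last router that answered on the P_E trace; it narrows down where the invalid route ceased to exist but does not by itself name the filtering AS, which is exactly the ambiguity the control-plane slides address with direct peering.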
Conclusion
• Controlled experiments are crucial to measuring adoption of ROV-based filtering policies.
• There are ASes that do ROV-based filtering.
  Before Oct. 2017: at least 3 ASes drop invalids.
  After Oct. 2017: 50+ ASes drop invalids via the Route Server at AMS-IX.
• IXPs offering ROV at route servers can boost deployment.

Please peer with PEERING* and route collectors!
Questions?
*https://peering.usc.edu/
ROV Deployment Monitor: rov.rpki.net
More details about the methodology: ACM CCR 48(1)
Reference
Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch, "Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering", ACM SIGCOMM Computer Communication Review, Vol. 48, No. 1, pp. 19-27, Jan. 2018.
Backup
Uncontrolled vs. controlled experiments:

                  | Uncontrolled                                          | Controlled
  Control         | Limited: don't know the origin AS policy; can't       | Control the origin AS policy, can announce own routes;
                  | distinguish ROV filtering from other filtering        | can distinguish ROV filtering by changing a route's RPKI state
  Visibility      | Limited: incomplete data can lead to misclassification | Less of an issue: only care about our own routes
  Reproducibility | No                                                    | Yes
Uncontrolled Experiments
[Diagram: AS A announces P_1 and AS B announces P_2; the routes propagate via AS E towards AS C, a vantage point.]
Does AS C filter P_2 because AS B's announcement is invalid?
[Diagram: a second vantage point, AS D, also sees P_1 and P_2 from AS A and AS B.]
Probably not!