measuring the adoption of route origin validation and
play

Measuring the Adoption of Route Origin Validation and Filtering - PowerPoint PPT Presentation

Oct 17, 2022 •1.02k likes •1.56k views

Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Whlisch PEERING The BGP Testbed The BGP

  1. Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Wählisch PEERING The BGP Testbed

  2. The BGP Problem … AS B P AS D P P AS A AS C 2

  3. The BGP Problem … AS B P AS D P P AS A AS C Legitimate Attacker Origin 3

  4. …and the (partial) solution: RPKI AS B P AS D P P AS A AS C 4

  5. …and the (partial) solution: RPKI AS B P AS D P P Prefix: P AS A AS C Legitimate Origin: AS A Owner of P 5

  6. …and the (partial) solution: RPKI AS B P AS D P P Prefix: P AS A AS C Legitimate Origin: AS A Owner of P 6

  7. …and the (partial) solution: RPKI AS B P AS D P P Prefix: P AS A AS C Legitimate Origin: AS A Owner of P 7

  8. ROA and ROV Route Orig igin Prefix owner authorizes AS to Authoriz ization (ROA) legitimately announce the prefix 8

  9. ROA and ROV Route Orig igin Prefix owner authorizes AS to Authoriz ization (ROA) legitimately announce the prefix Route Orig igin BGP router validates received Vali lidation (ROV) routes using ROA information 9

  10. Research Problem Goal: Are any ASes using ROV-based filtering policies? 10

  11. Research Problem Goal: Are any ASes using ROV-based filtering policies? Assess current state of deployment Track deployment over time Create an incentive to deploy 11

  12. Research Problem Goal: Are any ASes using ROV-based filtering policies? Assess current state of deployment Track deployment over time Create an incentive to deploy Challenge: Private router configurations must be inferred. 12

  13. Route Collectors & Vantage Points Vantage Point (VP) BGP Router that exports BGP Updates to a Route Collector AS A AS B P P Route Collector (RC) BGP Router that dumps received BGP Updates Route Collector 13

  14. Measuring ROV: Approaches Description Property 14

  15. Measuring ROV: Approaches Uncontrolled Analyzing existing BGP Description data and ROAs, trying to infer who is filtering Needs Existing Data Property Fast 15

  16. Measuring ROV: Approaches Uncontrolled Controlled Actively inject routes and Analyzing existing BGP dynamically create ROAs Description data and ROAs, trying Analyze resulting data to to infer who is filtering infer who is filtering Needs Existing Data Needs own AS & Prefixes Property Slow Fast 16

  17. Controlled Experiments Goal: Find AS that filter invalid routes 17

  18. Controlled Experiments Goal: Find AS that filter invalid routes BGP Announce prefixes P A (Anchor) and P E (Experiment)  Same RIR DB route object  Same prefix length  Announced at the same time  Announced to same peers  Announced from same origin AS 18

  19. Controlled Experiments Goal: Find AS that filter invalid routes BGP RPKI Announce prefixes P A (Anchor) and Issue ROAs for P E (Experiment) both prefixes  Same RIR DB route object P A announcement is always val alid id .  Same prefix length Periodically change ROA for P E :  Announced at the same time  Flips announcement from  Announced to same peers val alid id to in inva valid lid to val alid id daily.  Announced from same origin AS 19

  20. Controlled Experiments Initial Situation: Origin AS and vantage point AS peer directly P A AS47065 AS A P E PEERING* Vantage Point *https://peering.usc.edu/ 20

  21. Controlled Experiments Initial Situation: Origin AS and vantage point AS peer directly P A AS47065 AS A P E PEERING* Vantage Point *https://peering.usc.edu/ 21

  22. Controlled Experiments Observation 1: Vantage point exports no route for P E P A AS47065 AS A PEERING* Vantage Point *https://peering.usc.edu/ 22

  23. Controlled Experiments Observation 1: Vantage point exports no route for P E P A AS47065 AS A PEERING* Vantage Point Conclusion: Vantage point is using ROV-based filtering *https://peering.usc.edu/ 23

  24. Controlled Experiments Observation 2: Vantage point exports alternate route for P E P A AS47065 AS A PEERING* P E P E AS X Vantage Point *https://peering.usc.edu/ 24

  25. Controlled Experiments Observation 2: Vantage point exports alternate route for P E P A AS47065 AS A PEERING* P E P E AS X Vantage Point Conclusion: Vantage point is using ROV-based filtering selectively . *https://peering.usc.edu/ 25

  26. Controlled Experiments Situation: Origin AS and vantage point AS do not peer directly P A P A AS X AS47065 AS A PEERING* P E P E Vantage Point *https://peering.usc.edu/ 26

  27. Controlled Experiments Situation: Origin AS and vantage point AS do not peer directly P A P A AS X AS47065 AS A PEERING* P E P E Vantage Point *https://peering.usc.edu/ 27

  28. Controlled Experiments Observation 1: Vantage point exports no route for P E P A P A AS X AS47065 AS A PEERING* Vantage Point *https://peering.usc.edu/ 28

  29. Controlled Experiments Observation 2: Vantage point exports different route for P E P A P A AS X AS47065 AS A PEERING* P E P E Vantage Point AS Y *https://peering.usc.edu/ 29

  30. Controlled Experiments Problem Measuring vantage point AS that is not direct peer introduces ambiguity: Is the vantage point AS filtering or an intermediate AS? 30

  31. Controlled Experiments Problem Solution Establishing direct peering Measuring vantage point AS with vantage point AS that is not direct peer introduces ambiguity: or Is the vantage point AS Check if intermediate filtering or an intermediate AS? ASes have vantage points 31

  32. Controlled Experiments Results Before October 20 th 2017: - Three AS drop invalid routes October 20 th 2017: - AMS-IX Route Server changes ROV based filtering to ‘ opt- out’ - 50+ ASes “drop” invalid routes Caveat: Technically, using Route Server filtering isn’t “deploying ROV”! 32

  33. ROV Deployment Monitor Idea Give the networking community means to assess state of deployment Launched rov.rpki.net 33

  34. ROV Deployment Monitor https://rov.rpki.net Implements our measurement methodology. Table with AS that have deployed ROV. Updated daily. 34

  35. ROV Deployment Monitor https://rov.rpki.net Details show vantage points of AS 35

  36. Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E 36

  37. Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E Successful traceroute to P A + Unsuccessful traceroute to P E when routes are invalid 37

  38. Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E Successful traceroute to P A + Unsuccessful traceroute to P E when routes are invalid = Some AS on path is using ROV! 38

  39. Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E Successful traceroute to P A + Unsuccessful traceroute to P E when routes are invalid = Some AS on path is using ROV! Note: Fals lse negativ ives are possib ible le because of f default lt routes! 39

  40. Conclusion 40

  41. Conclusion • Controlled experiments are crucial to measuring adoption of ROV- based filtering policies 41

  42. Conclusion • Controlled experiments are crucial to measuring adoption of ROV- based filtering policies • There are ASes that do ROV-based filtering. Before Oct. 2017: At least 3 AS drop invalids After Oct. 2017: 50+ AS drop invalids via Route Server@AMSIX 42

  43. Conclusion • Controlled experiments are crucial to measuring adoption of ROV- based filtering policies • There are ASes that do ROV-based filtering. Before Oct. 2017: At least 3 AS drop invalids After Oct. 2017: 50+ AS drop invalids via Route Server@AMSIX • IXP offering ROV at Route Servers can boost deployment 43

  44. Conclusion Please peer with PEERING* and Route Collectors! Questions? *https://peering.usc.edu/ ROV Deployment Monitor: rov.rpki.net More details about methodology: ACM CCR 48(1) 44

  45. Reference Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch, Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering , ACM SIGCOMM Computer Communication Review, Vol. 48 , No. 1, pp. 19-27, Jan. 2018. 45

  46. Backup 46

  47. Uncontrolled Experiments Don’t know origin AS policy Limited Control Can’t distinguish between ROV- filtering and other filtering Incomplete data can lead to Limited Visibility misclassification Reproducibility No 47

  48. Controlled: Advantages Control origin AS policy, can announce own routes Limited Control Can distinguish ROV-filtering by changing route RPKI state Less of an issue: Limited Visibility Only care about our routes Reproducibility Yes 48

  49. Uncontrolled Experiments AS B P 2 P 2 AS E AS A P 1 P 1 AS C Vantage Point 49

  50. Uncontrolled Experiments Does AS C filter P 2 because it’s AS B announcement is invalid ? P 2 P 2 AS E AS A P 1 P 1 AS C Vantage Point E 50

  51. Uncontrolled Experiments Vantage Point D AS B AS D P 2 P 1 P 2 AS A P 1 Probably not! AS C 51

Recommend

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study. IETF 89 LONDRES MARCH 2014 Fabin Meja Why and who? BGP origin validation based on RPKI is in early stages of deployment. It is necessary to

314 views • 13 slides
IXP Route Server Prefix Validation at LINX Progress & Challenges Mo Shivji, LINX

IXP Route Server Prefix Validation at LINX Progress & Challenges Mo Shivji, LINX

IXP Route Server Prefix Validation at LINX Progress & Challenges Mo Shivji, LINX Contents LINX Route-Server History Prefix Validation & Criteria Challenges Collecting the data Prefix Validation Test Results

734 views • 21 slides
Executive Training on Negotiating and Drafting Rules of Origin Measuring restrictiveness of RoO

Executive Training on Negotiating and Drafting Rules of Origin Measuring restrictiveness of RoO

United Nations Conference on Trade and Development Division for Africa, Least Developed Countries and Special Programmes ( ALDC ) Executive Training on Negotiating and Drafting Rules of Origin Measuring restrictiveness of RoO (2) -

207 views • 17 slides
Route-Aware Edge Bundling for Visualizing Origin-Destination Trails in Urban Traffic Wei Zeng 1 ,

Route-Aware Edge Bundling for Visualizing Origin-Destination Trails in Urban Traffic Wei Zeng 1 ,

Route-Aware Edge Bundling for Visualizing Origin-Destination Trails in Urban Traffic Wei Zeng 1 , Qiaomu Shen 2 , Yuzhe Jiang 2 , Alex Telea 3 1. Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences 2. The Hong Kong

432 views • 24 slides
ROUTE CHOICE Dr. Randa Oqab Mujalli Route choice User Equilibrium The rule of choice

ROUTE CHOICE Dr. Randa Oqab Mujalli Route choice User Equilibrium The rule of choice

ROUTE CHOICE Dr. Randa Oqab Mujalli Route choice User Equilibrium The rule of choice underlying user equilibrium is that travelers will select a route so as to minimize their personal travel time between the origin and destination. User

274 views • 14 slides
Measuring Hope An Empirical Approach with Validation from Rural Myanmar Jeffrey R. Bloem

Measuring Hope An Empirical Approach with Validation from Rural Myanmar Jeffrey R. Bloem

Introduction Literature Review Survey Design Validity Tests Discussion Appendix Measuring Hope An Empirical Approach with Validation from Rural Myanmar Jeffrey R. Bloem Department of Agricultural, Food, and Resource Economics Michigan

682 views • 55 slides
Route 147 and Route 11 Roadway Reconstruction Project PA Route 147 Section 110 US Route 11

Route 147 and Route 11 Roadway Reconstruction Project PA Route 147 Section 110 US Route 11

Route 147 and Route 11 Roadway Reconstruction Project PA Route 147 Section 110 US Route 11 Section 113 Northumberland County LARSON DESIGN GROUP, INC. DEPARTMENT OF TRANSPORTATION 715 JORDAN AVENUE 1000 COMMERCE PARK DRIVE, SUITE 201

661 views • 16 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington

525 views • 18 slides
Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018

Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018 Applied Networking Research Workshop (ANRW)

303 views • 11 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington Presented

504 views • 29 slides
Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate Emily Stark , Ryan

Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate Emily Stark , Ryan

Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate Emily Stark , Ryan Sleevi, Rijad Muminovic, Devon OBrien, Eran Messeri, Adrienne Porter Felt, Brendan McMillion, Parisa Tabriz estark@chromium.org How

484 views • 31 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Qualifying Evaluation Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla University of Washington Understanding Web Communication Browse to www.cutepuppies.ext (

806 views • 42 slides
Measurement Data on AS_SET and AGGREGATOR: Implications for {Prefix, Origin} Validation

Measurement Data on AS_SET and AGGREGATOR: Implications for {Prefix, Origin} Validation

Measurement Data on AS_SET and AGGREGATOR: Implications for {Prefix, Origin} Validation Algorithms NIST BGP Security Team July 2010 National Institute of Standards and Technology National Institute of Standards and Technology Contact:

103 views • 7 slides
ANALYSTS MEETING 1/2017 ORIGIN PROPERTY PCL. B usiness Group Structure Origin Condominium Origin

ANALYSTS MEETING 1/2017 ORIGIN PROPERTY PCL. B usiness Group Structure Origin Condominium Origin

ANALYSTS MEETING 1/2017 ORIGIN PROPERTY PCL. B usiness Group Structure Origin Condominium Origin Vertical Origin Vertical 2 Condominium Origin Prime Origin Sathorn House Origin House Origin Sphere Freehold Primo Realtor Leasehold

723 views • 35 slides
Measuring Social Networks Eects on Agricultural Technology Adoption Annemie Maertens and

Measuring Social Networks Eects on Agricultural Technology Adoption Annemie Maertens and

Measuring Social Networks Eects on Agricultural Technology Adoption Annemie Maertens and Christopher B. Barrett University of Pittsburgh and Cornell University 7 January 2012 Annemie Maertens and Christopher B. Barrett University of

518 views • 17 slides
Form Validation 1 CS380 What is form validation? 2 validation: ensuring that form's values

Form Validation 1 CS380 What is form validation? 2 validation: ensuring that form's values

Form Validation 1 CS380 What is form validation? 2 validation: ensuring that form's values are correct some types of validation: preventing blank values (email address) ensuring the type of values integer, real number,

284 views • 24 slides
Data Mining II Model Validation Heiko Paulheim Why Model Validation? We have seen so far

Data Mining II Model Validation Heiko Paulheim Why Model Validation? We have seen so far

Data Mining II Model Validation Heiko Paulheim Why Model Validation? We have seen so far Various metrics (e.g., accuracy, F-measure, RMSE, ) Evaluation protocol setups Split Validation Cross Validation Special

1.04k views • 55 slides
ROUTE 29 / NEW BALTIMORE ADVISORY PANEL MEETING #15 January 23, 2020 Virginia Department of

ROUTE 29 / NEW BALTIMORE ADVISORY PANEL MEETING #15 January 23, 2020 Virginia Department of

ROUTE 29 / NEW BALTIMORE ADVISORY PANEL MEETING #15 January 23, 2020 Virginia Department of Transportation Origin-Destination Study Northbound 29 at PW CL The map show the external Rte 17 SB 17/245 Int. Rte 29 NB PW CL 0% - 32 VPD

317 views • 14 slides
Chapter 5 Analysis: Four Level for Validation Vis/Visual Analytics, Chap 5 Validation 1 CGGM

Chapter 5 Analysis: Four Level for Validation Vis/Visual Analytics, Chap 5 Validation 1 CGGM

Chapter 5 Analysis: Four Level for Validation Vis/Visual Analytics, Chap 5 Validation 1 CGGM Lab., CS Dept., NCTU Jung Hong Chuang Contents Why Validate? Validation Approaches Domain Why is Validation Abstraction

724 views • 47 slides
Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition:

Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition:

Methods for Prevention, Detection and Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition: RFC 7908) K. Sriram, D. Montgomery, B. Dickson, K. Patel, and A. Robachevsky IDR Working Group Meeting,

244 views • 9 slides
U.S. Bike Route 1 City of Savannah / Sustainability Office/ U.S. Bike Route 1/ March 28, 2019

U.S. Bike Route 1 City of Savannah / Sustainability Office/ U.S. Bike Route 1/ March 28, 2019

U.S. Bike Route 1 City of Savannah / Sustainability Office/ U.S. Bike Route 1/ March 28, 2019 U.S. Bike Route 1 Background U.S. Bicycle Route System is a national network of public bike travel routes Over 13,000 miles are rideable

519 views • 8 slides
TRI ORIGIN EXPLORATION LTD CORPORATE PRESENTATION MAY 1, 2019 www.triorigin.com TRI ORIGIN

TRI ORIGIN EXPLORATION LTD CORPORATE PRESENTATION MAY 1, 2019 www.triorigin.com TRI ORIGIN

TRI ORIGIN EXPLORATION LTD CORPORATE PRESENTATION MAY 1, 2019 www.triorigin.com TRI ORIGIN EXPLORATION LTD TOE: TSX-V TOE: TSX-V Tri Origin is an experienced, well-recognized explorer with a successful track record. It has demonstrated

428 views • 23 slides
Capital Quality Validation Webinar Sept. 17, 2020 Agenda Validation Overview

Capital Quality Validation Webinar Sept. 17, 2020 Agenda Validation Overview

Capital Quality Validation Webinar Sept. 17, 2020 Agenda Validation Overview Validation Timeline Authorized Representative Validation Process How to Log In to QuickBase How to Reset Your Password How to

451 views • 43 slides
Updating dynamic origin- destination matrices using observed link travel speed by probe vehicles

Updating dynamic origin- destination matrices using observed link travel speed by probe vehicles

Updating dynamic origin- destination matrices using observed link travel speed by probe vehicles Toshiyuki Yamamoto, Tomio Miwa, Tomonori Takeshita and Takayuki Morikawa Nagoya Univ. Background P-DRGS (Probe-based dynamic route guidance

501 views • 16 slides

More recommend