Measuring the Adoption of Route Origin Validation and Filtering

Size: px

Start display at page:

Download "Measuring the Adoption of Route Origin Validation and Filtering"

Geoffrey Mitchell
5 years ago
Views:

1 Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Wählisch PEERING The BGP Testbed

2 The BGP Problem AS D P AS B P P AS C AS A 2

3 The BGP Problem AS D P AS B P P AS C Attacker Legitimate Origin AS A 3

4 and the (partial) solution: RPKI AS D P AS B P P AS C AS A 4

5 and the (partial) solution: RPKI AS D P AS B P P AS C Prefix: P Legitimate Origin: AS A Owner of P AS A 5

6 and the (partial) solution: RPKI AS D P AS B P P AS C Prefix: P Legitimate Origin: AS A Owner of P AS A 6

7 and the (partial) solution: RPKI AS D P AS B P P AS C Prefix: P Legitimate Origin: AS A Owner of P AS A 7

8 ROA and ROV Route Origin Authorization (ROA) Prefix owner authorizes AS to legitimately announce the prefix 8

9 ROA and ROV Route Origin Authorization (ROA) Prefix owner authorizes AS to legitimately announce the prefix Route Origin Validation (ROV) BGP router validates received routes using ROA information 9

10 Research Problem Goal: Are any ASes using ROV-based filtering policies? 10

11 Research Problem Goal: Are any ASes using ROV-based filtering policies? Assess current state of deployment Track deployment over time Create an incentive to deploy 11

12 Research Problem Goal: Are any ASes using ROV-based filtering policies? Assess current state of deployment Track deployment over time Create an incentive to deploy Challenge: Private router configurations must be inferred. 12

13 Route Collectors & Vantage Points Vantage Point (VP) BGP Router that exports BGP Updates to a Route Collector AS B P P Route Collector (RC) AS A Route Collector BGP Router that dumps received BGP Updates 13

14 Measuring ROV: Approaches Description Property 14

15 Measuring ROV: Approaches Uncontrolled Description Analyzing existing BGP data and ROAs, trying to infer who is filtering Property Needs Existing Data Fast 15

16 Measuring ROV: Approaches Description Uncontrolled Analyzing existing BGP data and ROAs, trying to infer who is filtering Controlled Actively inject routes and dynamically create ROAs Analyze resulting data to infer who is filtering Property Needs Existing Data Fast Needs own AS & Prefixes Slow 16

17 Controlled Experiments Goal: Find AS that filter invalid routes 17

18 Controlled Experiments Goal: Find AS that filter invalid routes BGP Announce prefixes P A (Anchor) and P E (Experiment) Same RIR DB route object Same prefix length Announced at the same time Announced to same peers Announced from same origin AS 18

19 Controlled Experiments Goal: Find AS that filter invalid routes BGP Announce prefixes P A (Anchor) and P E (Experiment) RPKI Issue ROAs for both prefixes Same RIR DB route object Same prefix length Announced at the same time Announced to same peers Announced from same origin AS P A announcement is always valid. Periodically change ROA for P E : Flips announcement from valid to invalid to valid daily. 19

20 Controlled Experiments Initial Situation: Origin AS and vantage point AS peer directly AS A P A P E AS47065 PEERING* Vantage Point * 20

21 Controlled Experiments Initial Situation: Origin AS and vantage point AS peer directly AS A P A P E AS47065 PEERING* Vantage Point * 21

22 Controlled Experiments Observation 1: Vantage point exports no route for P E AS A P A AS47065 PEERING* Vantage Point * 22

23 Controlled Experiments Observation 1: Vantage point exports no route for P E AS A P A AS47065 PEERING* Vantage Point Conclusion: Vantage point is using ROV-based filtering * 23

24 Controlled Experiments Observation 2: Vantage point exports alternate route for P E AS A P A AS47065 PEERING* Vantage Point P E AS X P E * 24

AS X P E Conclusion: Vantage point is using ROV-based

25 Controlled Experiments Observation 2: Vantage point exports alternate route for P E AS A Vantage Point P E P A AS X P E Conclusion: Vantage point is using ROV-based filtering selectively. AS47065 PEERING* * 25

26 Controlled Experiments Situation: Origin AS and vantage point AS do not peer directly AS A P A P E AS X P A P E AS47065 PEERING* Vantage Point * 26

27 Controlled Experiments Situation: Origin AS and vantage point AS do not peer directly AS A P A P E AS X P A P E AS47065 PEERING* Vantage Point * 27

28 Controlled Experiments Observation 1: Vantage point exports no route for P E AS A P A AS X P A AS47065 PEERING* Vantage Point * 28

29 Controlled Experiments Observation 2: Vantage point exports different route for P E AS A P A AS X P A AS47065 PEERING* Vantage Point P E AS Y P E * 29

30 Controlled Experiments Problem Measuring vantage point AS that is not direct peer introduces ambiguity: Is the vantage point AS filtering or an intermediate AS? 30

31 Controlled Experiments Problem Solution Measuring vantage point AS that is not direct peer introduces ambiguity: Is the vantage point AS filtering or an intermediate AS? Establishing direct peering with vantage point AS or Check if intermediate ASes have vantage points 31

32 Controlled Experiments Results Before October 20 th 2017: - Three AS drop invalid routes October 20 th 2017: - AMS-IX Route Server changes ROV based filtering to opt-out ASes drop invalid routes Caveat: Technically, using Route Server filtering isn t deploying ROV! 32

33 ROV Deployment Monitor Idea Give the networking community means to assess state of deployment Launched rov.rpki.net 33

34 ROV Deployment Monitor Implements our measurement methodology. Table with AS that have deployed ROV. Updated daily. 34

35 ROV Deployment Monitor Details show vantage points of AS 35

36 Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E 36

37 Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E Successful traceroute to P A + Unsuccessful traceroute to P E when routes are invalid 37

38 Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E Successful traceroute to P A + Unsuccessful traceroute to P E when routes are invalid = Some AS on path is using ROV! 38

39 Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E Successful traceroute to P A + Unsuccessful traceroute to P E when routes are invalid = Some AS on path is using ROV! Note: False negatives are possible because of default routes! 39

40 Conclusion 40

41 Conclusion Controlled experiments are crucial to measuring adoption of ROVbased filtering policies 41

42 Conclusion Controlled experiments are crucial to measuring adoption of ROVbased filtering policies There are ASes that do ROV-based filtering. Before Oct. 2017: At least 3 AS drop invalids After Oct. 2017: 50+ AS drop invalids via Route Server@AMSIX 42

43 Conclusion Controlled experiments are crucial to measuring adoption of ROVbased filtering policies There are ASes that do ROV-based filtering. Before Oct. 2017: At least 3 AS drop invalids After Oct. 2017: 50+ AS drop invalids via Route Server@AMSIX IXP offering ROV at Route Servers can boost deployment 43

44 Conclusion Please peer with PEERING* and Route Collectors! Questions? * ROV Deployment Monitor: rov.rpki.net More details about methodology: ACM CCR 48(1) 44

45 Reference Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch, Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering, ACM SIGCOMM Computer Communication Review, Vol. 48, No. 1, pp , Jan

46 Backup 46

47 Uncontrolled Experiments Limited Control Limited Visibility Reproducibility Don t know origin AS policy Can t distinguish between ROVfiltering and other filtering Incomplete data can lead to misclassification No 47

48 Controlled: Advantages Limited Control Limited Visibility Reproducibility Control origin AS policy, can announce own routes Can distinguish ROV-filtering by changing route RPKI state Less of an issue: Only care about our routes Yes 48

49 Uncontrolled Experiments AS B P 2 P 2 AS E Vantage Point P 1 AS C P 1 AS A 49

50 Uncontrolled Experiments Does AS C filter P 2 because it s announcement is invalid? AS B P 2 P 2 AS E Vantage Point E P 1 AS C P 1 AS A 50

51 Uncontrolled Experiments AS D Vantage Point D AS B P 1 P 2 P 2 Probably not! AS C P 1 AS A 51

52 Research Problem Goal: Measure the adoption of ROV-based filtering policies ROA ROV Local Policy Which AS is allowed to announce an IP prefix Router operation to validate BGP Updates based on ROA data Decide handling of invalid BGP routes (Drop?) (De-preference?) Public Repository Private Configuration Challenge: Private policies must be inferred from measurements 52

Measuring Adoption of RPKI Route Origin Validation and Filtering

PEERING The BGP Testbed Measuring Adoption of RPKI Route Origin Validation and Filtering Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas