RIB Size Estimation for BGPSEC

Similar documents
Internet-Draft Intended status: Standards Track July 4, 2014 Expires: January 5, 2015

Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01

Methods for Detection and Mitigation of BGP Route Leaks

Request for Comments: 8374 Category: Informational April 2018 ISSN: BGPsec Design Choices and Summary of Supporting Discussions

Investigating occurrence of duplicate updates in BGP announcements

internet technologies and standards

Idealized BGPsec: Formally Verifiable BGP

Internet Engineering Task Force (IETF) Category: Informational ISSN: February 2012

EULER Project Path-Vector Routing Stability Analysis

Implications of Global IPv4/v6 Routing Table Growth

Improving performance through BGP Graceful Shutdown draft-ietf-grow-bgp-gshut

Solution for Route Leaks Using BGP Communities

Routing Basics ISP/IXP Workshops

Advanced Computer Networks

Module 10 An IPv6 Internet Exchange Point

Shim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI

Routing Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing

Taming BGP. An incremental approach to improving the dynamic properties of BGP. Geoff Huston. CAIA Seminar 18 August

Introducción al RPKI (Resource Public Key Infrastructure)

Security in inter-domain routing

Routing Basics. SANOG July, 2017 Gurgaon, INDIA

9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

Scaling issues with routing+multihoming Vince Fuller, Cisco Systems

APNIC elearning: BGP Basics. 30 September :00 PM AEST Brisbane (UTC+10) Revision: 2.0


BGP Attributes and Policy Control

Evaluating the Benefits of the Locator/Identifier Separation

Scalable Multipath Routing (towards)

An Analysis of ARIN NetHandles with OriginAS i Data and Analysis of RIR/IRR Registry Data

Introduction. Keith Barker, CCIE #6783. YouTube - Keith6783.

Back to basics J. Addressing is the key! Application (HTTP, DNS, FTP) Application (HTTP, DNS, FTP) Transport. Transport (TCP/UDP) Internet (IPv4/IPv6)

BGP mvpn BGP safi IPv4

APT Incremental Deployment

A configuration-only approach to shrinking FIBs. Prof Paul Francis (Cornell)

Inter-Domain Routing: BGP

Service Provider Multihoming

High Performance BGP Security: Algorithms and Architectures

Scaling the Inter-Domain Routing System

CSCI-1680 Network Layer: Inter-domain Routing Rodrigo Fonseca

A Configuration-only Approach to FIB Reduction. Paul Francis Hitesh Ballani, Tuan Cao Cornell

Internet Routing Protocols Lecture 03 Inter-domain Routing

Border Gateway Protocol - BGP

Problem Statement and Considerations for ROA Mergence. 96 SIDR meeting

Preventing the unnecessary propagation of BGP withdraws

Idealized BGPsec: Formally Verifiable BGP

Routing Basics. ISP Workshops

Measuring IPv6 Deployment

Route Security for Inter-domain Routing

Some Thoughts on Integrity in Routing

Routing Basics. ISP Workshops. Last updated 10 th December 2015

BGP Tutorial. APRICOT 2004, Kuala Lumpur February Philip Smith APRICOT , Cisco Systems, Inc. All rights reserved.

bgpand - Architecting a modular BGP4 Attack & Anomalies Detection Platform

BGP Route- Leak Protec0on Community

Module 14 Transit. Objective: To investigate methods for providing transit services. Prerequisites: Modules 12 and 13, and the Transit Presentation

Internet Engineering Task Force (IETF) Category: Informational. D. Ward Cisco Systems August 2014

IOS Implementation of the ibgp PE CE Feature

TDC 375 Network Protocols TDC 563 P&T for Data Networks

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

Vendor: Alcatel-Lucent. Exam Code: 4A Exam Name: Alcatel-Lucent Border Gateway Protocol. Version: Demo

David Mandelberg Thanks to Steve Kent, Andrew Chi (BBN), and Kotikalapudi Sriram (NIST) for valuable input.

Robust Inter-Domain Routing

BGP Configuration for a Transit ISP

IPv6 HD Ratio. ARIN Public Policy Meeting April Geoff Huston APNIC

ISP Border Definition. Alexander Azimov

Measuring BGP. Geoff Huston. CAIA SEMINAR 31 May

RPKI and Internet Routing Security ~ The regional ISP operator view ~

2015/07/23 23:32 1/8 More ibgp and Basic ebgp

Internet Routing Protocols Lecture 01 & 02

Introduction to IP Routing. Geoff Huston

Internet Engineering Task Force (IETF) Request for Comments: T. Bruijnzeels NLnet Labs August 2018

Examination. ANSWERS IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491

Internet Addressing and the RIR system (part 2)

Improving performance through BGP Graceful Shutdown draft-ietf-grow-bgp-gshut

Lab Guide 2 - BGP Configuration

BGP. Autonomous system (AS) BGP version 4

BGP Protocol & Configuration. Scalable Infrastructure Workshop AfNOG2008

BGP Convergence in much less than a second

BGP. Autonomous system (AS) BGP version 4

How the Internet works? The Border Gateway Protocol (BGP)

Measuring IPv6 Deployment

Reinforcing the Kitchen Sink.

BGP Routing and BGP Policy. BGP Routing. Agenda. BGP Routing Information Base. L47 - BGP Routing. L47 - BGP Routing

Securing BGP. Geoff Huston November 2007

BGP. Autonomous system (AS) BGP version 4

BGP Diverse Path Using a Diverse-Path Route Reflector

BGP route filtering and advanced features

IBGP internals. BGP Advanced Topics. Agenda. BGP Continuity 1. L49 - BGP Advanced Topics. L49 - BGP Advanced Topics

Internet Routing Basics

IETF81 Secure IDR Rollup TREX Workshop David Freedman, Claranet

Modeling the Routing of an ISP with C-BGP

IPv6 Routing Table Anomalies

Exam Questions

Network Layer (Routing)

Peering observations on security and resiliency at IXPs Greg Hankins, AS NANOG 67

BGP. Autonomous system (AS) BGP version 4. Definition (AS Autonomous System)

BGP Route Security Cycling to the Future! Alexander Azimov Qrator Labs

2011, Sushile Tejwani

Network Configuration Example

Routing in Geoff Huston Chief Scientist, APNIC

Transcription:

RIB Size Estimation for BGPSEC Trustworthy Networking Program K. Sriram (with O. Borchert, O. Kim, D. Cooper, and D. Montgomery) IETF-81 SIDR WG Meeting July 28, 2011 Contacts: ksriram@nist.gov, dougm@nist.gov Acknowledgements: Many thanks are due to the BGPSEC Design Team for comments and suggestions. Thanks are also due to people in the SIDR WG who have shared measurement data, made suggestions, or critiqued the work. This research was supported by the Department of Homeland Security under the Secure Protocols for the Routing Infrastructure (SPRI) program and the NIST Information Technology Laboratory Cyber and Network Security Program. 1

Measurement of Prefixes and Paths in ISP s Route Reflectors and PE Routers Measurement data from a Large, Tier 1 ISP Provider Edge (PE) routers Route Reflectors (RR) # Unique Prefixes Observed 377,000 377,000 Total number of Prefix Paths Observed (Low) 750,000 3,100,000 Total number of Prefix Paths Observed (High) 1,100,000 3,600,000 Ratio of Total # Prefix Paths / # Unique Prefixes (High) 2.92 9.55 2

Update Format and Signature Overheads Reference: draft-sidrbgpsec-protocol Octets (RSA- Update Element 2048 Alg.) NLRI Length 1 NLRI 4 AS-n 4 AS-(n-1) 4 4 AS2 4 AS1 (Originating AS) 4 AS-(n+1) (ASN of Subsequent AS) 4 Expire Time 8 Algorithm Suite Itentifier 1 Signature-List Block Length 2 SKI Length-n 1 SKI-n 20 Signature-n 256 SKI Length-(n-1) 1 SKI-(n-1) 20 Signature-(n-1) 256 SKI Length-2 1 SKI-2 20 Signature-2 256 SKI Length-1 1 SKI-1 20 Signature-1 256 Other BGP Attributes (besides NLRI & AS_PATH; measured/estimated) 40 Estimated Signed Update Size (average) 1188 Measured Unsigned BGP Update Size (average including all BGP attributes) 78 Signature overheads 4 ASes per AS path 15x increase in update size (with RSA-2048) 3

Estimation of BGPSEC Update Sizes BGPSEC Signed Update Size: For RSA-2048 Signatuer Alg For ECDSA-256 Signatuer Alg Unsigned Update RIB memory storage ovehead IPv4 (octets) IPv6 (octets) 1188 1200 420 432 78 90 5.0% 5.0% It should also be noted that ebgp updates in BGP-4 average 3.83 prefixes per update whereas the same in BGPSEC have only a single prefix per update (un-optimized). Unsigned update size was measured from Routeviews data. Signed update sizes are estimated (see the excel spread sheet for details: http://www.antd.nist.gov/~ksriram/bgpsec_rib.xls ). 4

Probability Distribution of Adoption Rate 25% 20% BGPSEC Adoption Rate (1) Probability Distribution of Adoption (Truncated Normal Distribution) Normal Distribution, Std Dev = 3 Normal Distribution, Std Dev = 2 15% 10% Start of Adoption 5% 0% 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 In the RIB estimates that follow, we will apply truncated Normal distribution of adoption with Std. Deviation = 2 (Green plot). 5

Cumulative Distribution of Adoption Rate 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% BGPSEC Adoption Rate (2) Cumulative Distribution of Adoption (Truncated Normal Distribution) Normal Distribution, Std Dev = 3 Normal Distribution, Std Dev = 2 Start of Adoption 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 In the RIB estimates that follow, we will apply truncated Normal distribution of adoption with Std. Deviation = 2 (Green plot). 6

Year PE Router RIB Size Estimation for BGPSEC IPv4 Growth Rate # Unique IPv4 ebgp Prefixes (FIB) PE Router Total # Signed IPv4 ebgp Prefix- Paths in RIB IPv6 Growth Rate # Unique IPv6 ebgp Prefixes (FIB) PE Router Total # Signed IPv6 ebgp Prefix- Paths in RIB BGPSEC Adoption (% Prefix- Paths Signed) Contribution to RIB Memory Due to IPv4 and IPv6 ebgp Updates in PE Router For RSA-2048 Signature Alg. (GB) For ECDSA- 256 Signature Alg. (GB) 2011 12% 377000 1100840 100% 4000 11680 0% 0.09 0.09 2012 12% 422240 1232941 90% 8000 23360 0% 0.10 0.10 2013 12% 472909 1380894 80% 15200 44384 0% 0.12 0.12 2014 12% 529658 1546601 70% 27360 79891 0% 0.13 0.13 2015 12% 593217 1732193 60% 46512 135815 0% 0.15 0.15 2016 12% 664403 1940056 50% 74419 217304 2% 0.22 0.19 2017 12% 744131 2172863 40% 111629 325956 6% 0.38 0.26 2018 12% 833427 2433607 30% 156280 456339 15% 0.75 0.40 2019 12% 933438 2725639 30% 203164 593240 30% 1.46 0.64 2020 12% 1045451 3052716 30% 264114 771212 50% 2.55 1.01 2021 12% 1170905 3419042 30% 343348 1002576 70% 3.96 1.48 2022 12% 1311413 3829327 30% 446352 1303348 85% 5.51 2.00 2023 12% 1468783 4288846 30% 580258 1694353 94% 7.07 2.53 2024 12% 1645037 4803508 30% 754335 2202659 98% 8.64 3.08 2025 12% 1842441 5379929 30% 980636 2863457 100% 10.32 3.67 Geoff Huston s IPv4 data shows a steady 12% (approximately) yearly growth rate for ebgp IPv4 prefixes over the past few years (2008-2011). http://bgp.potaroo.net/index-bgp.html His data also shows 4000 announced IPv6 at start of 2011 with about 100% growth rate so far in 2011. 7

Route Reflector RIB Size Estimation for BGPSEC Year IPv4 Growth Rate # Unique IPv4 ebgp Prefixes (FIB) Route Reflector Total # Signed IPv4 ebgp Prefix- Paths in RIB IPv6 Growth Rate # Unique IPv6 ebgp Prefixes (FIB) Route Reflector Total # Signed IPv6 ebgp Prefix- Paths in RIB BGPSEC Adoption (% Prefix- Paths Signed) Contribution to RIB Memory Due to IPv4 and IPv6 ebgp Updates in Route Reflector For RSA-2048 Signature Alg. (GB) For ECDSA- 256 Signature Alg. (GB) 2011 12% 377000 3600350 100% 4000 38200 0.00% 0.30 0.30 2012 12% 422240 4032392 90% 8000 76400 0.00% 0.34 0.34 2013 12% 472909 4516279 80% 15200 145160 0.00% 0.38 0.38 2014 12% 529658 5058233 70% 27360 261288 0.00% 0.44 0.44 2015 12% 593217 5665220 60% 46512 444190 0.00% 0.51 0.51 2016 12% 664403 6345047 50% 74419 710703 1.61% 0.72 0.63 2017 12% 744131 7106453 40% 111629 1066055 5.97% 1.25 0.86 2018 12% 833427 7959227 30% 156280 1492477 15.21% 2.47 1.31 2019 12% 933438 8914334 30% 203164 1940220 30.44% 4.76 2.10 2020 12% 1045451 9984054 30% 264114 2522286 50.00% 8.34 3.30 2021 12% 1170905 11182141 30% 343348 3278972 69.56% 12.95 4.84 2022 12% 1311413 12523997 30% 446352 4262664 84.79% 18.02 6.54 2023 12% 1468783 14026877 30% 580258 5541463 94.03% 23.12 8.28 2024 12% 1645037 15710102 30% 754335 7203902 98.39% 28.24 10.06 2025 12% 1842441 17595315 30% 980636 9365072 100.00% 33.75 12.01 Please see notes on previous slides. 8

RIB MEMORY (GB) Comparison: RSA-2048 vs. ECDSA-256 32 28 24 RR with RSA-2048 RR with ECDSA-256 PE with RSA-2048 PE with ECDSA-256 20 16 12 8 4 0 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 Includes IPv4 and IPv6 prefixes. See slides 7, 8 for details. YEAR 9

RIB MEMORY (GB) BGPSEC Signature Algorithm Transition (Example) Dual signature-list blocks are used during algorithm transition (see draft-sidrbgpsec-protocol) 40 35 30 Dual Sig-List Blocks (RSA-2048 & ECDSA-256) RSA-2048 ECDSA-256 Transition from RSA-2048 to ECDS-256 25 20 Algorithm Transition 15 10 5 Start of Adoption 0 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 YEAR 10

RIB MEMORY (GB) BGPSEC Signature Algorithm Transition Followed by Protocol Transition (Example) Dual signature-list blocks are used during protocol/algorithm transition (see draft-sidr-bgpsec-protocol) 40 35 30 25 Dual Sig-List Blocks (RSA-2048 & ECDSA-256) RSA-2048 Dual Sig-List Blocks (two ECDSA-256 blocks) ECDSA-256 Algorithm Transition followed by Protocol Transition 20 Algorithm Transition 15 10 5 Start of Adoption Protocol Transition 0 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 YEAR 11

Summary & Conclusions RIB sizes have been estimated for realistic RR and PE scenarios (with input from a large, Tier 1 ISP and also from Geoff Huston s latest measurement data for ebgp IPv6 and IPv4 prefixes http://bgp.potaroo.net/index-bgp.html ) Signature algorithms considered: RSA-2048 and ECDSA-256 RIB memory needs to be engineered so it is adequate for algorithm/protocol transition down the road Please also see previously shared slides http://www.antd.nist.gov/~ksriram/bgpsec_rib_estimation.pdf for other related details and discussion regarding the modeling The excel spread sheet is made available so anyone can play with assumptions in accordance with their view. Several details of the modeling can be gleaned from the excel spread sheet as well: http://www.antd.nist.gov/~ksriram/bgpsec_rib.xls Thanks for the discussion and comments on the SIDR list so far. Further comments/suggestions are very welcome 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback