measuring the adoption of route origin validation and
play

Measuring the Adoption of Route Origin Validation and Filtering - PowerPoint PPT Presentation

Oct 17, 2022 •1.02k likes •1.56k views

Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Whlisch PEERING The BGP Testbed The BGP

  1. Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Wählisch PEERING The BGP Testbed

  2. The BGP Problem … AS B P AS D P P AS A AS C 2

  3. The BGP Problem … AS B P AS D P P AS A AS C Legitimate Attacker Origin 3

  4. …and the (partial) solution: RPKI AS B P AS D P P AS A AS C 4

  5. …and the (partial) solution: RPKI AS B P AS D P P Prefix: P AS A AS C Legitimate Origin: AS A Owner of P 5

  6. …and the (partial) solution: RPKI AS B P AS D P P Prefix: P AS A AS C Legitimate Origin: AS A Owner of P 6

  7. …and the (partial) solution: RPKI AS B P AS D P P Prefix: P AS A AS C Legitimate Origin: AS A Owner of P 7

  8. ROA and ROV Route Orig igin Prefix owner authorizes AS to Authoriz ization (ROA) legitimately announce the prefix 8

  9. ROA and ROV Route Orig igin Prefix owner authorizes AS to Authoriz ization (ROA) legitimately announce the prefix Route Orig igin BGP router validates received Vali lidation (ROV) routes using ROA information 9

  10. Research Problem Goal: Are any ASes using ROV-based filtering policies? 10

  11. Research Problem Goal: Are any ASes using ROV-based filtering policies? Assess current state of deployment Track deployment over time Create an incentive to deploy 11

  12. Research Problem Goal: Are any ASes using ROV-based filtering policies? Assess current state of deployment Track deployment over time Create an incentive to deploy Challenge: Private router configurations must be inferred. 12

  13. Route Collectors & Vantage Points Vantage Point (VP) BGP Router that exports BGP Updates to a Route Collector AS A AS B P P Route Collector (RC) BGP Router that dumps received BGP Updates Route Collector 13

  14. Measuring ROV: Approaches Description Property 14

  15. Measuring ROV: Approaches Uncontrolled Analyzing existing BGP Description data and ROAs, trying to infer who is filtering Needs Existing Data Property Fast 15

  16. Measuring ROV: Approaches Uncontrolled Controlled Actively inject routes and Analyzing existing BGP dynamically create ROAs Description data and ROAs, trying Analyze resulting data to to infer who is filtering infer who is filtering Needs Existing Data Needs own AS & Prefixes Property Slow Fast 16

  17. Controlled Experiments Goal: Find AS that filter invalid routes 17

  18. Controlled Experiments Goal: Find AS that filter invalid routes BGP Announce prefixes P A (Anchor) and P E (Experiment)  Same RIR DB route object  Same prefix length  Announced at the same time  Announced to same peers  Announced from same origin AS 18

  19. Controlled Experiments Goal: Find AS that filter invalid routes BGP RPKI Announce prefixes P A (Anchor) and Issue ROAs for P E (Experiment) both prefixes  Same RIR DB route object P A announcement is always val alid id .  Same prefix length Periodically change ROA for P E :  Announced at the same time  Flips announcement from  Announced to same peers val alid id to in inva valid lid to val alid id daily.  Announced from same origin AS 19

  20. Controlled Experiments Initial Situation: Origin AS and vantage point AS peer directly P A AS47065 AS A P E PEERING* Vantage Point *https://peering.usc.edu/ 20

  21. Controlled Experiments Initial Situation: Origin AS and vantage point AS peer directly P A AS47065 AS A P E PEERING* Vantage Point *https://peering.usc.edu/ 21

  22. Controlled Experiments Observation 1: Vantage point exports no route for P E P A AS47065 AS A PEERING* Vantage Point *https://peering.usc.edu/ 22

  23. Controlled Experiments Observation 1: Vantage point exports no route for P E P A AS47065 AS A PEERING* Vantage Point Conclusion: Vantage point is using ROV-based filtering *https://peering.usc.edu/ 23

  24. Controlled Experiments Observation 2: Vantage point exports alternate route for P E P A AS47065 AS A PEERING* P E P E AS X Vantage Point *https://peering.usc.edu/ 24

  25. Controlled Experiments Observation 2: Vantage point exports alternate route for P E P A AS47065 AS A PEERING* P E P E AS X Vantage Point Conclusion: Vantage point is using ROV-based filtering selectively . *https://peering.usc.edu/ 25

  26. Controlled Experiments Situation: Origin AS and vantage point AS do not peer directly P A P A AS X AS47065 AS A PEERING* P E P E Vantage Point *https://peering.usc.edu/ 26

  27. Controlled Experiments Situation: Origin AS and vantage point AS do not peer directly P A P A AS X AS47065 AS A PEERING* P E P E Vantage Point *https://peering.usc.edu/ 27

  28. Controlled Experiments Observation 1: Vantage point exports no route for P E P A P A AS X AS47065 AS A PEERING* Vantage Point *https://peering.usc.edu/ 28

  29. Controlled Experiments Observation 2: Vantage point exports different route for P E P A P A AS X AS47065 AS A PEERING* P E P E Vantage Point AS Y *https://peering.usc.edu/ 29

  30. Controlled Experiments Problem Measuring vantage point AS that is not direct peer introduces ambiguity: Is the vantage point AS filtering or an intermediate AS? 30

  31. Controlled Experiments Problem Solution Establishing direct peering Measuring vantage point AS with vantage point AS that is not direct peer introduces ambiguity: or Is the vantage point AS Check if intermediate filtering or an intermediate AS? ASes have vantage points 31

  32. Controlled Experiments Results Before October 20 th 2017: - Three AS drop invalid routes October 20 th 2017: - AMS-IX Route Server changes ROV based filtering to ‘ opt- out’ - 50+ ASes “drop” invalid routes Caveat: Technically, using Route Server filtering isn’t “deploying ROV”! 32

  33. ROV Deployment Monitor Idea Give the networking community means to assess state of deployment Launched rov.rpki.net 33

  34. ROV Deployment Monitor https://rov.rpki.net Implements our measurement methodology. Table with AS that have deployed ROV. Updated daily. 34

  35. ROV Deployment Monitor https://rov.rpki.net Details show vantage points of AS 35

  36. Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E 36

  37. Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E Successful traceroute to P A + Unsuccessful traceroute to P E when routes are invalid 37

  38. Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E Successful traceroute to P A + Unsuccessful traceroute to P E when routes are invalid = Some AS on path is using ROV! 38

  39. Data Plane Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes P A and P E Successful traceroute to P A + Unsuccessful traceroute to P E when routes are invalid = Some AS on path is using ROV! Note: Fals lse negativ ives are possib ible le because of f default lt routes! 39

  40. Conclusion 40

  41. Conclusion • Controlled experiments are crucial to measuring adoption of ROV- based filtering policies 41

  42. Conclusion • Controlled experiments are crucial to measuring adoption of ROV- based filtering policies • There are ASes that do ROV-based filtering. Before Oct. 2017: At least 3 AS drop invalids After Oct. 2017: 50+ AS drop invalids via Route Server@AMSIX 42

  43. Conclusion • Controlled experiments are crucial to measuring adoption of ROV- based filtering policies • There are ASes that do ROV-based filtering. Before Oct. 2017: At least 3 AS drop invalids After Oct. 2017: 50+ AS drop invalids via Route Server@AMSIX • IXP offering ROV at Route Servers can boost deployment 43

  44. Conclusion Please peer with PEERING* and Route Collectors! Questions? *https://peering.usc.edu/ ROV Deployment Monitor: rov.rpki.net More details about methodology: ACM CCR 48(1) 44

  45. Reference Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch, Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering , ACM SIGCOMM Computer Communication Review, Vol. 48 , No. 1, pp. 19-27, Jan. 2018. 45

  46. Backup 46

  47. Uncontrolled Experiments Don’t know origin AS policy Limited Control Can’t distinguish between ROV- filtering and other filtering Incomplete data can lead to Limited Visibility misclassification Reproducibility No 47

  48. Controlled: Advantages Control origin AS policy, can announce own routes Limited Control Can distinguish ROV-filtering by changing route RPKI state Less of an issue: Limited Visibility Only care about our routes Reproducibility Yes 48

  49. Uncontrolled Experiments AS B P 2 P 2 AS E AS A P 1 P 1 AS C Vantage Point 49

  50. Uncontrolled Experiments Does AS C filter P 2 because it’s AS B announcement is invalid ? P 2 P 2 AS E AS A P 1 P 1 AS C Vantage Point E 50

  51. Uncontrolled Experiments Vantage Point D AS B AS D P 2 P 1 P 2 AS A P 1 Probably not! AS C 51

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study. IETF 89 LONDRES MARCH 2014 Fabin Meja Why and who? BGP origin validation based on RPKI is in early stages of deployment. It is necessary to

314 views • 13 slides
IXP Route Server Prefix Validation at LINX Progress & Challenges Mo Shivji, LINX

IXP Route Server Prefix Validation at LINX Progress & Challenges Mo Shivji, LINX

IXP Route Server Prefix Validation at LINX Progress & Challenges Mo Shivji, LINX Contents LINX Route-Server History Prefix Validation & Criteria Challenges Collecting the data Prefix Validation Test Results

734 views • 21 slides
Executive Training on Negotiating and Drafting Rules of Origin Measuring restrictiveness of RoO

Executive Training on Negotiating and Drafting Rules of Origin Measuring restrictiveness of RoO

United Nations Conference on Trade and Development Division for Africa, Least Developed Countries and Special Programmes ( ALDC ) Executive Training on Negotiating and Drafting Rules of Origin Measuring restrictiveness of RoO (2) -

207 views • 17 slides
Route-Aware Edge Bundling for Visualizing Origin-Destination Trails in Urban Traffic Wei Zeng 1 ,

Route-Aware Edge Bundling for Visualizing Origin-Destination Trails in Urban Traffic Wei Zeng 1 ,

Route-Aware Edge Bundling for Visualizing Origin-Destination Trails in Urban Traffic Wei Zeng 1 , Qiaomu Shen 2 , Yuzhe Jiang 2 , Alex Telea 3 1. Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences 2. The Hong Kong

432 views • 24 slides
ROUTE CHOICE Dr. Randa Oqab Mujalli Route choice User Equilibrium The rule of choice

ROUTE CHOICE Dr. Randa Oqab Mujalli Route choice User Equilibrium The rule of choice

ROUTE CHOICE Dr. Randa Oqab Mujalli Route choice User Equilibrium The rule of choice underlying user equilibrium is that travelers will select a route so as to minimize their personal travel time between the origin and destination. User

274 views • 14 slides
Measuring Hope An Empirical Approach with Validation from Rural Myanmar Jeffrey R. Bloem

Measuring Hope An Empirical Approach with Validation from Rural Myanmar Jeffrey R. Bloem

Introduction Literature Review Survey Design Validity Tests Discussion Appendix Measuring Hope An Empirical Approach with Validation from Rural Myanmar Jeffrey R. Bloem Department of Agricultural, Food, and Resource Economics Michigan

682 views • 55 slides
Route 147 and Route 11 Roadway Reconstruction Project PA Route 147 Section 110 US Route 11

Route 147 and Route 11 Roadway Reconstruction Project PA Route 147 Section 110 US Route 11

Route 147 and Route 11 Roadway Reconstruction Project PA Route 147 Section 110 US Route 11 Section 113 Northumberland County LARSON DESIGN GROUP, INC. DEPARTMENT OF TRANSPORTATION 715 JORDAN AVENUE 1000 COMMERCE PARK DRIVE, SUITE 201

661 views • 16 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington

525 views • 18 slides
Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018

Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018 Applied Networking Research Workshop (ANRW)

303 views • 11 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington Presented

504 views • 29 slides
Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate Emily Stark , Ryan

Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate Emily Stark , Ryan

Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate Emily Stark , Ryan Sleevi, Rijad Muminovic, Devon OBrien, Eran Messeri, Adrienne Porter Felt, Brendan McMillion, Parisa Tabriz estark@chromium.org How

484 views • 31 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Qualifying Evaluation Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla University of Washington Understanding Web Communication Browse to www.cutepuppies.ext (

806 views • 42 slides
Measurement Data on AS_SET and AGGREGATOR: Implications for {Prefix, Origin} Validation

Measurement Data on AS_SET and AGGREGATOR: Implications for {Prefix, Origin} Validation

Measurement Data on AS_SET and AGGREGATOR: Implications for {Prefix, Origin} Validation Algorithms NIST BGP Security Team July 2010 National Institute of Standards and Technology National Institute of Standards and Technology Contact:

103 views • 7 slides
ANALYSTS MEETING 1/2017 ORIGIN PROPERTY PCL. B usiness Group Structure Origin Condominium Origin

ANALYSTS MEETING 1/2017 ORIGIN PROPERTY PCL. B usiness Group Structure Origin Condominium Origin

ANALYSTS MEETING 1/2017 ORIGIN PROPERTY PCL. B usiness Group Structure Origin Condominium Origin Vertical Origin Vertical 2 Condominium Origin Prime Origin Sathorn House Origin House Origin Sphere Freehold Primo Realtor Leasehold

723 views • 35 slides
Measuring Social Networks Eects on Agricultural Technology Adoption Annemie Maertens and

Measuring Social Networks Eects on Agricultural Technology Adoption Annemie Maertens and

Measuring Social Networks Eects on Agricultural Technology Adoption Annemie Maertens and Christopher B. Barrett University of Pittsburgh and Cornell University 7 January 2012 Annemie Maertens and Christopher B. Barrett University of

518 views • 17 slides
Form Validation 1 CS380 What is form validation? 2 validation: ensuring that form's values

Form Validation 1 CS380 What is form validation? 2 validation: ensuring that form's values

Form Validation 1 CS380 What is form validation? 2 validation: ensuring that form's values are correct some types of validation: preventing blank values (email address) ensuring the type of values integer, real number,

284 views • 24 slides
Perfect Imitation and Secure Asymmetry for Decoy Routing Systems with Slitheen Cecylia Bocovich

Perfect Imitation and Secure Asymmetry for Decoy Routing Systems with Slitheen Cecylia Bocovich

Perfect Imitation and Secure Asymmetry for Decoy Routing Systems with Slitheen Cecylia Bocovich Ian Goldberg 20 June 2017 EPFL Summer Research Institute Censorship Censors may monitor, alter or block traffic that enters or leaves their area

909 views • 53 slides
Agenda Topology Discovery Background Limitations using mrinfo-rec A new probing tool:

Agenda Topology Discovery Background Limitations using mrinfo-rec A new probing tool:

MERLIN Measure the Router Level of the INternet Pascal Mrindol, Benoit Donnet, Jean-Jacques Pansiot, Matthew Luckie, Young Hyun Kaiserslautern - June 2011 Next Generation Internet 2011 Agenda Topology Discovery Background Limitations

414 views • 9 slides
Firewall-On-Demand Service Andreas Polyrakis, GRNET 15-16 February 2012, 5 th TF-NOC meeting,

Firewall-On-Demand Service Andreas Polyrakis, GRNET 15-16 February 2012, 5 th TF-NOC meeting,

GRNET Firewall-On-Demand Service Andreas Polyrakis, GRNET 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Contents 2 Firewall-On-Demand Motivation & Technology background Implementation Future plans &

470 views • 26 slides
Revisiting Bloom Filters Payload attribution via Hierarchiecal Bloom Filters Kulesh

Revisiting Bloom Filters Payload attribution via Hierarchiecal Bloom Filters Kulesh

Revisiting Bloom Filters Payload attribution via Hierarchiecal Bloom Filters Kulesh Shanmugasundaram, Herve Bronnimann, Nasir Memon 600.624 - Advanced Network Security version 3 Overview Questions Collaborative Intrusion Detection

1.29k views • 58 slides
Jobber Automating Inter-Tenant Trust in The Cloud Andy Sayler Eric Keller Dirk Grunwald How

Jobber Automating Inter-Tenant Trust in The Cloud Andy Sayler Eric Keller Dirk Grunwald How

Jobber Automating Inter-Tenant Trust in The Cloud Andy Sayler Eric Keller Dirk Grunwald How can we make the Data Center... more efficient? more secure? more manageable? Over 50% Enterprise Companies Use Cloud Infrastructure* * Cohen,

1k views • 59 slides
Performance Evaluation of Open Virtual Routers M.Siraj Rathore siraj@kth.se Outline Network

Performance Evaluation of Open Virtual Routers M.Siraj Rathore siraj@kth.se Outline Network

Performance Evaluation of Open Virtual Routers M.Siraj Rathore siraj@kth.se Outline Network Virtualization PC based Virtual Routers Challenges Virtual Router Design Performance Evaluation Conclusion Network

619 views • 17 slides
2Q19 Supplemental Slides John McCallion Chief Financial Officer Cautionary Statement on

2Q19 Supplemental Slides John McCallion Chief Financial Officer Cautionary Statement on

2Q19 Supplemental Slides John McCallion Chief Financial Officer Cautionary Statement on Forward-Looking Statements This presentation may contain or refer to forward-looking statements. Forward-looking statements give expectations or forecasts

510 views • 21 slides
NON-GAAP FINANCIAL MEASURES Quarter Ended March 31, 2020 1 NON-GAAP FINANCIAL MEASURES We

NON-GAAP FINANCIAL MEASURES Quarter Ended March 31, 2020 1 NON-GAAP FINANCIAL MEASURES We

NON-GAAP FINANCIAL MEASURES Quarter Ended March 31, 2020 1 NON-GAAP FINANCIAL MEASURES We believe that revenues, net income and net income attributable to common stockholders (NICS), as defined by U.S. generally accepted accounting principles

447 views • 18 slides

More recommend