Measuring the Adoption of Route Origin Validation and Filtering - - PowerPoint PPT Presentation

SLIDE 1

Measuring the Adoption of Route Origin Validation and Filtering

PEERING

The BGP Testbed

Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Wählisch

SLIDE 2

The BGP Problem…

(Figure: AS A, AS B, AS C and AS D; announcements for prefix P propagate between them)

SLIDE 3

The BGP Problem…

(Figure: prefix P is announced both by the Legitimate Origin and by an Attacker; AS B, AS C and AS D receive the competing announcements)

SLIDE 4-7

…and the (partial) solution: RPKI

(Figure: the Owner of P publishes a ROA stating "Prefix: P, Legitimate Origin: AS A", shown next to the AS A, AS B, AS C, AS D topology of the previous slides)

SLIDE 8-9

ROA and ROV

Route Origin Authorization (ROA): Prefix owner authorizes an AS to legitimately announce the prefix.

Route Origin Validation (ROV): BGP router validates received routes using ROA information.
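As an added illustration (not code from the slides or from the authors' tooling), the ROV decision a router makes from ROA data, in RFC 6811 terms, applied to the anchor/experiment setup the deck uses later: PA's ROA is constant, PE's ROA is flipped daily. The documentation prefixes and the "other" AS64496 are constructed placeholders; AS47065 is the PEERING AS named on the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str       # covered prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the origin may announce
    origin_asn: int   # AS authorised to originate the prefix


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """ROV per RFC 6811: 'valid', 'invalid' or 'notfound'.
    A ROA covers the route when the announced prefix lies inside the ROA
    prefix. Valid = some covering ROA names the origin AS and the announced
    length is within maxLength; invalid = covering ROAs exist but none
    matches; notfound = no covering ROA at all."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "notfound"
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


# Constructed sample for the anchor/experiment setup from the slides:
# documentation prefixes, AS47065 (PEERING's AS on the slides) as origin,
# and placeholder AS64496 as the "other" AS the PE ROA points to on odd days.
ORIGIN = 47065
PA, PE = "198.51.100.0/24", "203.0.113.0/24"
ROA_PA = ROA(PA, 24, ORIGIN)


def roas_for_day(day: int) -> List[ROA]:
    """ROA set published on a given day: PA's ROA never changes, PE's ROA
    alternates daily between authorising the origin and another AS."""
    pe_roa = ROA(PE, 24, ORIGIN if day % 2 == 0 else 64496)
    return [ROA_PA, pe_roa]


def experiment_states(day: int) -> Tuple[str, str]:
    """(state of PA, state of PE) as a validating router would compute them."""
    roas = roas_for_day(day)
    return validate(PA, ORIGIN, roas), validate(PE, ORIGIN, roas)
```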

SLIDE 10-12

Research Problem

Goal: Are any ASes using ROV-based filtering policies?
  • Assess current state of deployment
  • Track deployment over time
  • Create an incentive to deploy

Challenge: Private router configurations must be inferred.

SLIDE 13

Route Collectors & Vantage Points

(Figure: AS A and AS B announcing prefix P, a vantage point and a route collector)

Vantage Point (VP): BGP router that exports BGP updates to a route collector.

Route Collector (RC): BGP router that dumps received BGP updates.

SLIDE 14-16

Measuring ROV: Approaches

Uncontrolled
  Description: Analyzing existing BGP data and ROAs, trying to infer who is filtering
  Property: Fast; needs existing data

Controlled
  Description: Actively inject routes and dynamically create ROAs; analyze resulting data to infer who is filtering
  Property: Slow; needs own AS & prefixes

SLIDE 17-19

Controlled Experiments

Goal: Find ASes that filter invalid routes

BGP: Announce prefixes PA (Anchor) and PE (Experiment)
  • Same RIR DB route object
  • Same prefix length
  • Announced at the same time
  • Announced to same peers
  • Announced from same origin AS

RPKI: Issue ROAs for both prefixes. PA announcement is always valid. Periodically change ROA for PE:
  • Flips announcement from valid to invalid to valid daily.

SLIDE 20-21

Controlled Experiments

Initial Situation: Origin AS and vantage point AS peer directly

(Figure: AS47065 (PEERING*) announces PA and PE directly to AS A, the Vantage Point)

*https://peering.usc.edu/

SLIDE 22-23

Controlled Experiments

Observation 1: Vantage point exports no route for PE

(Figure: AS A, the Vantage Point peering directly with AS47065 (PEERING*), exports only PA)

Conclusion: Vantage point is using ROV-based filtering

*https://peering.usc.edu/

SLIDE 24-25

Controlled Experiments

Observation 2: Vantage point exports alternate route for PE

(Figure: AS A, the Vantage Point, receives PA and PE directly from AS47065 (PEERING*) and PE also via AS X; it exports PA and the PE route learned via AS X)

Conclusion: Vantage point is using ROV-based filtering selectively.

*https://peering.usc.edu/

SLIDE 26-27

Controlled Experiments

Situation: Origin AS and vantage point AS do not peer directly

(Figure: AS47065 (PEERING*) announces PA and PE to AS X, which passes both on to AS A, the Vantage Point)

*https://peering.usc.edu/

SLIDE 28

Controlled Experiments

Observation 1: Vantage point exports no route for PE

(Figure: only PA is seen at AS X and at AS A, the Vantage Point; AS47065 (PEERING*) is the origin)

*https://peering.usc.edu/

SLIDE 29

Controlled Experiments

Observation 2: Vantage point exports different route for PE

(Figure: AS A, the Vantage Point, exports PA learned via AS X and PE learned via AS Y; AS47065 (PEERING*) is the origin)

*https://peering.usc.edu/

SLIDE 30-31

Controlled Experiments

Problem: Measuring a vantage point AS that is not a direct peer introduces ambiguity: is the vantage point AS filtering, or an intermediate AS?

Solution:
  • Establish direct peering with the vantage point AS
  • Check if intermediate ASes have vantage points
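The inference the slides walk through (observations 1 and 2 for a directly peered vantage point, the ambiguous indirect case, and the slide 31 check for intermediate ASes with vantage points), written out as an added example that is not the authors' code. It assumes AS paths are given as the route collector sees them (vantage point AS first, origin last) and keyed "PA"/"PE"; every ASN except AS47065 from the slides is constructed.

```python
from typing import Dict, List, Optional, Set

# AS path as the route collector sees it: vantage point AS first, origin AS last.
# None means the vantage point exported no route for that prefix.
ASPath = Optional[List[int]]


def infer_rov(vp_asn: int, origin_asn: int,
              when_valid: Dict[str, ASPath],
              when_invalid: Dict[str, ASPath]) -> str:
    """Classify one vantage point from the routes it exported for the anchor
    "PA" and the experiment "PE" while PE's ROA made it valid and while it
    made it invalid (PA stays valid throughout)."""
    pa_v, pe_v = when_valid.get("PA"), when_valid.get("PE")
    pa_i, pe_i = when_invalid.get("PA"), when_invalid.get("PE")
    # The anchor must be visible in both periods and PE while valid; otherwise
    # a missing PE route is just lack of visibility, not evidence of ROV.
    if pa_v is None or pa_i is None or pe_v is None:
        return "inconclusive: anchor or valid-period PE route not observed"
    if pa_i != pa_v:
        return "inconclusive: anchor path changed between the two periods"
    if pe_i == pa_i:
        return "not filtering: invalid PE exported on the same path as PA"
    if pa_i == [vp_asn, origin_asn]:  # slides 20-25: direct peering
        if pe_i is None:
            return "filtering: vantage point drops invalid routes"
        return "filtering selectively: vantage point prefers an alternate path for invalid PE"
    # slides 26-30: an intermediate AS sits between origin and vantage point,
    # so either it or the vantage point may be the one filtering.
    between = ", ".join(f"AS{a}" for a in pa_i[1:-1])
    return f"ambiguous: vantage point or intermediate {between} may be filtering"


def measurable_intermediates(pa_path: List[int], ases_with_vps: Set[int]) -> List[int]:
    """Slide 31 solution: intermediate ASes on the anchor path that host a
    vantage point of their own, so the same test can be run against them."""
    return [a for a in pa_path[1:-1] if a in ases_with_vps]
```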

SLIDE 32

Controlled Experiments: Results

Before October 20th 2017:
  • Three ASes drop invalid routes

October 20th 2017:
  • AMS-IX Route Server changes ROV-based filtering to ‘opt-out’
  • 50+ ASes “drop” invalid routes

Caveat: Technically, using Route Server filtering isn’t “deploying ROV”!

SLIDE 33

ROV Deployment Monitor

Idea: Give the networking community means to assess the state of deployment

Launched rov.rpki.net

SLIDE 34

ROV Deployment Monitor (https://rov.rpki.net)

Implements our measurement methodology. Table with ASes that have deployed ROV. Updated daily.

SLIDE 35

ROV Deployment Monitor (https://rov.rpki.net)

Details show the vantage points of an AS

SLIDE 36-39

Data Plane

Idea: Complementary Measurements

Using RIPE Atlas, traceroute towards prefixes PA and PE.

Successful traceroute to PA + unsuccessful traceroute to PE when routes are invalid = some AS on the path is using ROV!

Note: False negatives are possible because of default routes!

SLIDE 40-43

Conclusion

  • Controlled experiments are crucial to measuring adoption of ROV-based filtering policies
  • There are ASes that do ROV-based filtering.
    Before Oct. 2017: at least 3 ASes drop invalids
    After Oct. 2017: 50+ ASes drop invalids via Route Server@AMS-IX
  • IXPs offering ROV at Route Servers can boost deployment

SLIDE 44

Conclusion

Please peer with PEERING* and Route Collectors! Questions?

*https://peering.usc.edu/
ROV Deployment Monitor: rov.rpki.net
More details about methodology: ACM CCR 48(1)

SLIDE 45

Reference

Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch. Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering. ACM SIGCOMM Computer Communication Review, Vol. 48, No. 1, pp. 19-27, Jan. 2018.

SLIDE 46

Backup

SLIDE 47

Uncontrolled Experiments

Limited Control: Don’t know origin AS policy. Can’t distinguish between ROV-filtering and other filtering.
Limited Visibility: Incomplete data can lead to misclassification.
Reproducibility: No.

SLIDE 48

Controlled: Advantages

Limited Control: Control origin AS policy, can announce own routes. Can distinguish ROV-filtering by changing the route's RPKI state.
Limited Visibility: Less of an issue: only care about our routes.
Reproducibility: Yes.

SLIDE 49-51

Uncontrolled Experiments

(Figure: prefixes P1 and P2 announced by AS A and AS B, AS C in between, and vantage points in AS E and AS D seeing different routes)

Does AS C filter P2 because its announcement is invalid?

Probably not!

SLIDE 52

Research Problem

Goal: Measure the adoption of ROV-based filtering policies

ROA (Public Repository): Which AS is allowed to announce an IP prefix
ROV: Router operation to validate BGP updates based on ROA data
Local Policy (Private Configuration): Decide handling of invalid BGP routes (Drop? De-preference?)

Challenge: Private policies must be inferred from measurements