Abstract
Securing the Internet’s inter-domain routing system against illicit prefix advertisements by third-party networks remains a great concern for the research, standardization, and operator communities. After many unsuccessful attempts to deploy additional security mechanisms for BGP, we now witness increasing adoption of the RPKI (Resource Public Key Infrastructure). Backed by strong cryptography, the RPKI allows network operators to register their BGP prefixes together with the legitimate Autonomous System (AS) number that may originate them via BGP. Recent research shows an encouraging trend: an increasing number of networks around the globe start to register their prefixes in the RPKI. While encouraging, the actual benefit of registering prefixes in the RPKI eventually depends on whether transit providers in the Internet enforce the RPKI’s content, i.e., configure their routers to validate prefix announcements and filter invalid BGP announcements. In this work, we present a broad empirical study tackling the question: To what degree does registration in the RPKI protect a network from illicit announcements of their prefixes, such as prefix hijacks? To this end, we first present a longitudinal study of filtering behavior of transit providers in the Internet, and second we carry out a detailed study of the visibility of legitimate and illegitimate prefix announcements in the global routing table, contrasting prefixes registered in the RPKI with those not registered. We find that an increasing number of transit and access providers indeed do enforce RPKI filtering, which translates to a direct benefit for the networks using the RPKI in the case of illicit announcements of their address space. Our findings bode well for further RPKI adoption and for increasing routing security in the Internet.
Notes
1. Or the closest day for which validated historical RPKI data is available.
2. Note that a prefix can have multiple origins in the global routing table; in this case we extract multiple prefix-origin pairs.
3. For 0.37% of IPv4 prefix-origin timelines, the RPKI state changed due to churn in the RPKI database caused by changes of RPKI entries during our measurement window. We remove these instances.
4. We tested different thresholds, finding that the modes of the distribution do not change much.
5. 0.13% of IPv6 prefix-origin timelines whose RPKI state changed during our measurement window were removed.
Acknowledgments
We thank the anonymous reviewers for their thoughtful feedback. This work was partially supported by the MIT Internet Policy Research Initiative, William and Flora Hewlett Foundation grant 2014-1601. We acknowledge funding support from the NSF Grants CNS 1705024 and OAC 1724853. This material is based on research sponsored by Air Force Research Laboratory under agreement number FA8750-18-2-0049. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions in this paper are those of the authors and do not necessarily reflect the opinions of a sponsor, Air Force Research Laboratory or the U.S. Government.
Appendix: IPv6 Results
Detecting RPKI-Filtering in IPv6: We apply the method described in Sect. 3.1, setting equivalent thresholds to those used for IPv4. In September 2019, out of 402 ASes peering with collectors for IPv6, we consider 232 to be full-feeders, and of those 232 we infer 18 are filtering RPKI-invalid announcements (Fig. 6).
Tracking Visibility in the Global IPv6 Routing Table: Using the methodology described in Sect. 4.1, we build prefix-origin timelines for IPv6 prefixes (footnote 5). Table 2 shows the properties of our resulting dataset.
Overall IPv6 Prefix-Origin Visibility by RPKI State: Figure 7 shows CDFs of the visibility of prefix-origin timelines, which show very similar behavior to the ones described in Sect. 4.1 for IPv4. In IPv6, there are even fewer RPKI-valid prefix-origins with low visibility compared to IPv4: less than 10% of IPv6 prefix-origins have less than 80% visibility, compared to 20% for IPv4.
Visibility of Multiple Origin AS (MOAS) IPv6 Prefixes: In total, we find about 41,000 instances of MOAS prefix-origin pairs in September 2019 for IPv6, of which some 133 are cases in which at least one prefix-origin is RPKI-valid while others are not. Figure 8 shows the distribution of the maximum visibility of prefix-origin timelines during MOAS conflicts.
Visibility of IPv6 Subprefix Announcements: We find 575 subMOAS prefixes conflicting with 102 covering prefixes (Fig. 9a) and 1,903 subprefixes conflicting with 235 covering prefixes (Fig. 9b).
Issuing RPKI records for IPv6 prefixes also benefits networks in the case of conflicting (and potentially malicious) announcements.
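The abstract describes the check a filtering transit provider performs (validate each announcement against the RPKI, drop invalids), and the appendix counts MOAS and subMOAS conflicts in the routing table. The following added example, which is not code from the paper or its authors, implements Route Origin Validation as specified in RFC 6811 and then flags the same two kinds of conflict over a constructed snapshot of prefix-origin pairs; the VRPs, routes, documentation prefixes and private ASNs are all made up here, and the MOAS/subMOAS definitions are our reading of the appendix's terms.

```python
import ipaddress
from collections import defaultdict

# Constructed VRPs (validated ROA payloads): (ROA prefix, max-length, origin AS); documentation ranges, not paper data.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]
# Constructed prefix-origin pairs standing in for one snapshot of the global routing table.
ROUTES = [
    ("192.0.2.0/24", 64500),     # legitimate origin, matches its ROA
    ("192.0.2.0/24", 64666),     # same prefix, second origin: MOAS conflict
    ("192.0.2.128/25", 64500),   # right origin, but longer than the ROA max-length
    ("198.51.100.0/22", 64501),  # legitimate covering prefix
    ("198.51.100.0/23", 64667),  # more-specific from a foreign origin: subMOAS
    ("203.0.113.0/24", 64502),   # no ROA covers this prefix at all
]

def rov_state(prefix, origin_as, vrps=VRPS):
    """Route Origin Validation per RFC 6811: a VRP covers the route if the route
    prefix lies inside the VRP prefix, and matches if it also respects the
    max-length with an equal origin AS. Returns valid, invalid or not-found."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if net.version != vrp_net.version or not net.subnet_of(vrp_net):
            continue
        covered = True  # some ROA covers it, so a non-match is invalid, not not-found
        if net.prefixlen <= max_len and origin_as == vrp_as:
            return "valid"
    return "invalid" if covered else "not-found"

def find_conflicts(routes):
    """MOAS: one prefix with several origins. subMOAS: a more-specific whose origin
    is foreign to every origin of a covering prefix (our reading of the appendix)."""
    origins = defaultdict(set)
    for prefix, origin_as in routes:
        origins[ipaddress.ip_network(prefix)].add(origin_as)
    moas = {str(p): sorted(o) for p, o in origins.items() if len(o) > 1}
    submoas = []
    for sub, sub_origins in origins.items():
        for cov, cov_origins in origins.items():
            if sub == cov or sub.version != cov.version or not sub.subnet_of(cov):
                continue
            for foreign in sorted(sub_origins - cov_origins):
                submoas.append((str(sub), foreign, str(cov)))
    return moas, sorted(submoas)
```

The max-length case (192.0.2.128/25 from the legitimate origin) comes out invalid, which is why a /24 ROA with max-length 24 protects against more-specific hijacks but also means the holder cannot announce more-specifics without updating the ROA.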
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Testart, C., Richter, P., King, A., Dainotti, A., Clark, D. (2020). To Filter or Not to Filter: Measuring the Benefits of Registering in the RPKI Today. In: Sperotto, A., Dainotti, A., Stiller, B. (eds) Passive and Active Measurement. PAM 2020. Lecture Notes in Computer Science, vol 12048. Springer, Cham. https://doi.org/10.1007/978-3-030-44081-7_5
DOI: https://doi.org/10.1007/978-3-030-44081-7_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-44080-0
Online ISBN: 978-3-030-44081-7