Measuring and Understanding the Route Origin Validation (ROV) in RPKI

apnic 270 views 37 slides Jun 25, 2024

About This Presentation

Shane Hermoso, APNIC's Training Delivery Manager (Southeast Asia and East Asia), presented on 'Measuring and Understanding the Route Origin Validation (ROV) in RPKI' during VNNIC Internet Conference 2024 held in Hanoi, Viet Nam from 4 to 7 July 2024.


Slide Content

1 v1.1

2 v1.1
Measuring and Understanding the Route Origin Validation (ROV) in RPKI
Sheryl (Shane) Hermoso
June 2024

3 v1.1
•RPKI/ROV in a nutshell
•ROV Measurement
•ROV Filtering Status
•Next Steps
Overview

4 v1.1
RPKI/ROV in a nutshell

5 v1.1
What is RPKI and ROV?
RPKI: a robust security framework for verifying the association between resource holders and their Internet number resources
•RPKI deployment has 2 phases
•ROA is just the beginning
•ROAs only serve their purpose if routes are validating
Phase 1: ROA (Signing origin) – Resource holders must create their ROA objects, which get published to the RPKI repo
Phase 2: ROV (Validating origin) – Routers are validating route entries against the RPKI cache and

6 v1.1
Phase 1 – Create ROAs
If you are a resource holder of an IP address block,
create your ROAs now!
From APNIC or VNNIC portal:

7 v1.1
Route Origin Authorization
What is contained in a ROA?
•The AS number you have authorized
•The prefix that is being originated from it
•The most specific prefix (maximum length) that the AS may announce
For example:
“ISP A permits AS65551 to originate a route for the prefix 198.51.100.0/24”
Who should create a ROA?
•Resource holders

8 v1.1
Phase 2 – Implement ROV
Configure router to get validated routes from an RPKI cache (RTR session)
Apply rules/filters based on RPKI states
Set up your own RPKI validator
•Router fetches ROA information from the validated RPKI cache (crypto stripped by the validator)
•BGP checks each BGP update received against the ROA information and labels them accordingly

9 v1.1
Route Origin Validation
There are 3 validation states:
Valid – The prefix (prefix length) and AS pair found in the database
Invalid – Prefix is found, but origin-AS is wrong, OR the prefix length is longer than the maximum length
Not Found / Unknown – Neither valid nor invalid (perhaps not created)
Ex: This ROA is created
ASN     Prefix              Max Length
17862   203.176.189.0/22    23
With Origin Validation, these BGP routes will have an RPKI state as follows:
ASN     Prefix              RPKI State
17862   203.176.189.0/22    VALID
17862   203.176.189.0/23    VALID
17862   203.176.189.0/24    INVALID
17861   203.176.189.0/22    INVALID
17862   203.176.189.0/21    NOT FOUND

10 v1.1
Route Origin Validation (ROV)
Diagram: ROA 2406:6400::/32-48 for AS17821 is published in the Global (RPKI) Repository; the Validator fetches it via rsync/RRDP and feeds the VRP 2406:6400::/32-48 AS17821 to the router over RPKI-to-Router (RTR).
The router then labels two announcements of 2406:6400::/48:
2406:6400::/48 65551 65550 17821 i  (origin AS17821, via AS65550 and AS65551) – Valid
2406:6400::/48 65553 65552 i        (origin AS65552, via AS65553) – Invalid

11 v1.1
RPKI Validators
•Many options to choose from:
oRoutinator
orpki-client
oFort
oOctoRPKI/GoRTR
•More mature – easier to install, better documentation
•Considerations:
oWhich validator to use?
oDo I need multiple validators?
oWhat happens when RTR session fails?

12 v1.1
Phase 2 – ROV Filtering
https://isbgpsafeyet.com/
Tag – If you have downstream customers or run a route server (IXP): [Valid (ASN:65XX0), Not Found (ASN:65XX1), Invalid (ASN:65XX2)]
Modify preference values – RFC7115: [Valid > Not Found > Invalid]
Drop Invalids – Many providers are already dropping invalid routes.

13 v1.1
ROV Measurement

14 v1.1
ROV Measurement – APNIC Stats
•Using Google Ads
oImpressions over clicks
oMeasure new sample points
•Run scripts
oEach time an ad is loaded the ad server loads creative content and scripts on to the client’s browser
oUse on-Load scripting to minimise interaction

15 v1.1
ROV Measurement – APNIC Stats

16 v1.1
ROV Measurement – APNIC Stats
•Using an invalid destination advertised by a CDN (Cloudflare)
oWe do this to minimize the effects of transit networks masking the ROV behaviour of stub networks
•Use an online ad campaign to enroll ~10M endpoints to reach this destination per day
•The measurement is the proportion of endpoints who cannot reach the invalid destination
https://www.potaroo.net/presentations/2024-05-15-manrs-rov.pdf

17 v1.1
ROV Measurement – APNIC Stats
•Many networks sign ROAs, but fewer perform I-ROV filtering
Chart: two series, “ROA Signed” and “I-ROV filtering”

18 v1.1
ROV Measurement - RoVISTA
•A new measurement platform to measure current deployment rate status of ROV
•Two techniques:
oIdentifying the hosts that are reachable under RPKI-invalid prefixes.
oMeasuring the connectivity status between two end hosts using the IP-ID side-channel technique.
https://blog.apnic.net/2023/02/15/rovista-measuring-the-current-deployment-rate-status-of-rov/

19 v1.1
ROV Measurement - RoVISTA
https://rovista.netsecurelab.org/
ROV Score for VN: 16.22
(based on cone size)
% ASN:
Fully protected: 7.77%
Partially protected: 30%

20 v1.1
ROV Filtering Status

21 v1.1
Route Origin Validation (ROV) Filtering
https://stats.labs.apnic.net/rpki

22 v1.1
ROV – Global Leaderboard
Chart: % ROV Filtering by region (y-axis 0–60). Regions left to right: World, Oceania, America, Europe, Africa, Asia; bar values as extracted, in the same order: 18.74, 53.96, 37.62, 36.23, 16.3, 5.15.

23 v1.1
ROV – APAC Top 20
Chart: % ROV filtering by economy (y-axis 0–120). Economies shown, in chart order: Western Samoa, Tonga, Australia, Taiwan, Hong Kong, Fiji, Bhutan, Mongolia, PNG, New Zealand, China, American Samoa, Timor Leste, Myanmar, Japan, Afghanistan, Singapore, Thailand, Northern Mariana Islands, Nepal.

24 v1.1
ROV – South-East Asia Leaderboard
Chart: % ROV by economy (y-axis 0–16). Economies shown, in chart order: Timor Leste, Myanmar, Singapore, Thailand, Vietnam, Indonesia, Lao PDR, Cambodia, Philippines, Malaysia, Brunei.

25 v1.1
ROV – Vietnam

26 v1.1
ROV – Top ASNs

27 v1.1
ROV – Top ASNs

28 v1.1
Next Steps

29 v1.1
Fixing Invalids
A major consideration before dropping invalids
•Common issue: Invalid AS & Max Length
oEspecially for large providers: when they change the size of their prefix announcements, the ROA needs to be updated in MyAPNIC
•To fix:
oMax-length - Make sure the max-length value covers your BGP announcements
oMinimal ROAs - Reduce spoofed origin-AS attack surface. ROAs should cover only those prefixes announced in BGP
https://rpki-monitor.antd.nist.gov/

30 v1.1
Invalid ROAs in Vietnam
Chart: # Invalid ROAs (y-axis 0–300) by cause – InvalidAS, InvalidASML, InvalidML – with separate IPv4 and IPv6 series.

31 v1.1
Always check your ROA!
https://rpki-validator.ripe.net/ui/
https://rpki.cloudflare.com

32 v1.1
AS0 ROAs
•ROA with origin AS0 instead of a real ASN
oRoutes will be RPKI-invalid when they would otherwise be RPKI-unknown.
•Why use it?
oPrevent unused delegations from being hijacked
oMitigate leakage of private-use public address space
•AS0 will never appear as a functional origin in a ROA (see RFC7607)
Ex: For the following VRPs
VRPs
2.0.0.0/16-16, AS0
3.0.0.0/22-24, AS0
4.0.0.0/24-24, AS0
4.0.0.0/24-24, AS1234
With Origin Validation, these BGP routes will have an RPKI state as follows:
ASN     Prefix        RPKI State
1234    1.0.0.0/24    NOT FOUND
1234    2.0.0.0/16    INVALID
1234    2.0.0.0/24    INVALID
1234    3.0.0.0/16    NOT FOUND
1234    4.0.0.0/24    VALID
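The state tables on the ROV slide (ROA 203.176.189.0/22-23 AS17862), the RTR diagram (ROA 2406:6400::/32-48 AS17821) and this AS0 slide all follow the same rule: a route is VALID if some VRP covers its prefix, its length does not exceed the VRP max length and the origin AS matches; INVALID if VRPs cover the prefix but none match; NOT FOUND if no VRP covers it. The following script, an added example and not code from the presentation or from any validator named in it, implements that rule with Python's standard ipaddress module and reproduces all three tables; the VRP lists are transcribed from the slides, and the function and variable names are this example's own.

```python
from ipaddress import ip_network

# VRPs transcribed from the slides as (prefix, max_length, origin_asn).
VRPS_ROV_SLIDE = [("203.176.189.0/22", 23, 17862)]
VRPS_RTR_DIAGRAM = [("2406:6400::/32", 48, 17821)]
VRPS_AS0_SLIDE = [
    ("2.0.0.0/16", 16, 0),
    ("3.0.0.0/22", 24, 0),
    ("4.0.0.0/24", 24, 0),
    ("4.0.0.0/24", 24, 1234),
]


def rov_state(prefix: str, origin_asn: int, vrps) -> str:
    """Return VALID, INVALID or NOT FOUND for one (prefix, origin AS) pair.

    A VRP "covers" the route when the route prefix lies inside the VRP
    prefix.  Covering VRPs make the route VALID only if the route is no
    longer than the VRP max length and the origin AS matches.  AS0 VRPs
    cover but can never match, so they turn NOT FOUND into INVALID.
    """
    route = ip_network(prefix, strict=False)
    covered = False
    for vrp_prefix, max_length, vrp_asn in vrps:
        vrp = ip_network(vrp_prefix, strict=False)
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue  # this VRP says nothing about the route
        covered = True
        if route.prefixlen <= max_length and vrp_asn == origin_asn and vrp_asn != 0:
            return "VALID"
    return "INVALID" if covered else "NOT FOUND"


def state_table(routes, vrps):
    """Label a list of (origin_asn, prefix) announcements against a VRP set."""
    return [(asn, prefix, rov_state(prefix, asn, vrps)) for asn, prefix in routes]


if __name__ == "__main__":
    tables = {
        "ROV slide": (VRPS_ROV_SLIDE, [
            (17862, "203.176.189.0/22"), (17862, "203.176.189.0/23"),
            (17862, "203.176.189.0/24"), (17861, "203.176.189.0/22"),
            (17862, "203.176.189.0/21"),
        ]),
        "RTR diagram": (VRPS_RTR_DIAGRAM, [
            (17821, "2406:6400::/48"), (65552, "2406:6400::/48"),
        ]),
        "AS0 slide": (VRPS_AS0_SLIDE, [
            (1234, "1.0.0.0/24"), (1234, "2.0.0.0/16"), (1234, "2.0.0.0/24"),
            (1234, "3.0.0.0/16"), (1234, "4.0.0.0/24"),
        ]),
    }
    for name, (vrps, routes) in tables.items():
        print(f"== {name} ==")
        for asn, prefix, state in state_table(routes, vrps):
            print(f"{asn:<8}{prefix:<20}{state}")
```

Run it to print the three tables; each row should match the corresponding slide. Note that 203.176.189.0/21 is NOT FOUND rather than INVALID because a less specific announcement is not covered by the /22 ROA at all, and that 4.0.0.0/24 AS1234 is VALID despite the AS0 VRP for the same prefix, since any one matching VRP is enough.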

33 v1.1
What’s next? AS Path Validation
•ASPA - Autonomous System Provider Authorisation
ohttps://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-profile/16/
•ASPA indicates the ASNs allowed/authorized to propagate their routes
•Supported in:
oValidators rpki-client and Routinator
oRPKI to Router Protocol (RTRv2)
oOpenBGPD

34 v1.1
What’s next? AS Path Validation
•RIPE NCC starts ASPA pilot
•aspa-objects on test:
oAS 970
oAS 21957
oAS 15562

35 v1.0
https://www.apnic.net/community/security/resource-certification/#routing

36 v1.1
Thank You!
END OF SESSION

37 v1.1