Measuring and Understanding the Route Origin Validation (ROV) in RPKI

apnic, 30 slides, Aug 06, 2024

About This Presentation

Shane Hermoso, APNIC's Training Delivery Manager (South East Asia and East Asia), presented on RPKI at PHNOG 2024, held in Manila, Philippines from 8 to 12 July 2024.


Slide Content

1 v1.1
Measuring and Understanding the Route Origin Validation (ROV) in RPKI
Sheryl (Shane) Hermoso
July 2024

2 v1.1
RPKI/ROV in a nutshell

3 v1.1
What is RPKI and ROV?
RPKI: a robust security framework for verifying the association between resource holders and their Internet number resources
• RPKI deployment has 2 phases
• ROA is just the beginning
• ROAs only serve their purpose if routes are validating
Phase 1: ROA (Signing origin)
Resource holders must create their ROA objects, which get published to the RPKI repo
Phase 2: ROV (Validating origin)
Routers are validating route entries against the RPKI cache

4 v1.1
Route Origin Authorization
What is contained in a ROA?
• The AS number you have authorized
• The prefix that is being originated from it
• The most specific prefix (maximum length) that the AS may announce
For example:
“ISP A permits AS65551 to originate a route for the prefix 198.51.100.0/24”
Who should create a ROA?
• Resource holders

5 v1.1
Phase 1 – Create ROAs
If you are a resource holder of an IP address block,
create your ROAs now!
From APNIC portal:

6 v1.1
Phase 2 – Implement ROV
Configure router to get validated routes from an RPKI cache (RTR session)
Apply rules/filters based on RPKI states
Set up your own RPKI validator
• Router fetches ROA information from the validated RPKI cache (crypto stripped by the validator)
• BGP checks each BGP update received against the ROA information and labels them accordingly

7 v1.1
Route Origin Validation
There are 3 validation states:
Valid
The prefix (prefix length) and AS pair found in the database
Invalid
Prefix is found, but origin-AS is wrong, OR the prefix length is longer than the maximum length
Not Found / Unknown
Neither valid nor invalid (perhaps not created)
Ex: This ROA is created
ASN    Prefix             Max Length
17862  203.176.189.0/22   23
With Origin Validation, these BGP routes will have an RPKI state as follows:
ASN    Prefix             RPKI State
17862  203.176.189.0/22   VALID
17862  203.176.189.0/23   VALID
17862  203.176.189.0/24   INVALID
17861  203.176.189.0/22   INVALID
17862  203.176.189.0/21   NOT FOUND

8 v1.1
Route Origin Validation (ROV)
[Diagram: the Validator fetches ROAs from the Global (RPKI) Repository over rsync/RRDP and feeds the router over RPKI-to-Router (RTR). ROA: 2406:6400::/32-48, AS17821.
Route 2406:6400::/48, AS path 65551 65550 17821 i (origin 17821): Valid
Route 2406:6400::/48, AS path 65553 65552 i (origin 65552): Invalid]
Apply rules based on the validation state

9 v1.1
RPKI Validators
• Many options to choose from:
o Routinator
o Rpki-client
o Fort
o OctoRPKI/GoRTR
• More mature – easier to install, better documentation
• Considerations:
o Which validator to use?
o Do I need multiple validators?
o What happens when RTR session fails?

10 v1.1
Phase 2 – ROV Filtering
https://isbgpsafeyet.com/
Tag – If you have downstream customers or run a route server (IXP)
[Valid (ASN:65XX0), Not Found (ASN:65XX1), Invalid (ASN:65XX2)]
Modify preference values – RFC7115
[Valid > Not Found > Invalid]
Drop Invalids – Many providers are already dropping invalid routes.

11 v1.1
ROA & ROV Measurement

12 v1.1
ROA Measurements
Over the last few years, we’ve made great efforts to reach ~90% ROA coverage for the Philippines!
95.83% ROA coverage for IPv4
78.83% ROA coverage for IPv6

13 v1.1
ROV Measurement – APNIC Stats
• Using an invalid destination advertised by a CDN (Cloudflare)
o We do this to minimize the effects of transit networks masking the ROV behaviour of stub networks
• Use an online ad campaign to enroll ~10M endpoints to reach this destination per day
• The measurement is the proportion of endpoints that cannot reach the invalid destination
https://www.potaroo.net/presentations/2024-05-15-manrs-rov.pdf

14 v1.1
ROV Measurement – APNIC Stats
Many networks sign ROAs, but fewer perform I-ROV filtering
[Chart: ROA Signed (Total IPv4 & IPv6) vs I-ROV filtering]

15 v1.1
ROV Measurement - RoVISTA
• A new measurement platform to measure current deployment rate status of ROV
• Two techniques:
o Identifying the hosts that are reachable under RPKI-invalid prefixes.
o Measuring the connectivity status between two end hosts using the IP-ID side-channel technique.
https://blog.apnic.net/2023/02/15/rovista-measuring-the-current-deployment-rate-status-of-rov/

16 v1.1
ROV Measurement - RoVISTA
https://rovista.netsecurelab.org/
ROV Score for PH: 1.56 (based on cone size)
% ASN:
Fully protected: 7.5%
Partially protected: 15.625%
[Chart labels: ROV Score (cone size), ROV Score (address space)]

17 v1.1
ROV Filtering Status

18 v1.1
Route Origin Validation (ROV) Filtering
https://stats.labs.apnic.net/rpki

19 v1.1
ROV – Global Leaderboard
[Bar chart: % ROV Filtering by region (World, Oceania, America, Europe, Africa, Asia); data labels as extracted: 19.62, 52.1, 41.56, 33.38, 15.36, 5.81]

20 v1.1
ROV – South-East Asia Leaderboard
[Bar chart: % ROV by economy (Malaysia, Singapore, Timor Leste, Myanmar, Indonesia, Vietnam, Lao PDR, Philippines, Cambodia, Brunei, Thailand)]

21 v1.1
ROV – Top ASNs (% Validates)

22 v1.1
ROV – Top ASNs (Samples)

23 v1.1
Next Steps

24 v1.1
Fixing Invalids
A major consideration before dropping invalids
• Common issue: Invalid AS & Max Length
o Especially for large providers: when they change the size of their prefix announcements, the ROA needs to be updated in MyAPNIC
• To fix:
o Max-length - Make sure the max-length value covers your BGP announcements
o Minimal ROAs - Reduce spoofed origin-AS attack surface. ROAs should cover only those prefixes announced in BGP
https://rpki-monitor.antd.nist.gov/

25 v1.1
Always check your ROA!
https://rpki-validator.ripe.net/ui/ https://rpki.cloudflare.com

26 v1.1
AS0 ROAs
• ROA with origin AS0 instead of a real ASN
o Routes will be RPKI-invalid when they would otherwise be RPKI-unknown.
• Why use it?
o Prevent unused delegations from being hijacked
o Mitigate leakage of private-use public address space
• AS0 will never appear as a functional origin in a ROA (see RFC7607)
Ex: For the following VRPs
VRPs
2.0.0.0/16-16, AS0
3.0.0.0/22-24, AS0
4.0.0.0/24-24, AS0
4.0.0.0/24-24, AS1234
With Origin Validation, these BGP routes will have an RPKI state as follows:
ASN   Prefix       RPKI State
1234  1.0.0.0/24   NOT FOUND
1234  2.0.0.0/16   INVALID
1234  2.0.0.0/24   INVALID
1234  3.0.0.0/16   NOT FOUND
1234  4.0.0.0/24   VALID
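Added example, not part of the slides: the RFC 6811 origin-validation procedure a router applies to the VRPs it receives over RTR, run against both the slide 7 ROA table and the AS0 VRP table above. The VRPs and routes are copied from the slides; the function names and the explicit AS0 handling (RFC 7607) are this example's own.

```python
import ipaddress
from typing import Iterable, List, Tuple

# A VRP as a validator hands it to the router over RTR: (prefix, maxLength, ASN)
VRP = Tuple[str, int, int]
Route = Tuple[int, str]  # (origin ASN, announced prefix)

def rov_state(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """RFC 6811 origin validation: returns VALID, INVALID or NOT FOUND."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        roa = ipaddress.ip_network(vrp_prefix, strict=False)
        # Only VRPs whose prefix covers the announcement are considered.
        if roa.version != route.version or not route.subnet_of(roa):
            continue
        covered = True
        # VALID needs a matching origin AND a length within maxLength.
        # An AS0 VRP (RFC 7607) never matches a real origin, so it can
        # only turn a covered route INVALID.
        if vrp_asn == origin_asn and vrp_asn != 0 and route.prefixlen <= max_len:
            return "VALID"
    return "INVALID" if covered else "NOT FOUND"

def validate_routes(routes: Iterable[Route], vrps: Iterable[VRP]) -> List[Tuple[int, str, str]]:
    """Label each (ASN, prefix) route with its RPKI state, like a router does."""
    vrps = list(vrps)
    return [(asn, pfx, rov_state(pfx, asn, vrps)) for asn, pfx in routes]

# Slide 7 data: one ROA for 203.176.189.0/22, maxLength 23, AS17862.
ROA_VRPS: List[VRP] = [("203.176.189.0/22", 23, 17862)]
ROA_ROUTES: List[Route] = [(17862, "203.176.189.0/22"), (17862, "203.176.189.0/23"),
                           (17862, "203.176.189.0/24"), (17861, "203.176.189.0/22"),
                           (17862, "203.176.189.0/21")]

# Slide 26 data: three AS0 VRPs beside one real VRP.
AS0_VRPS: List[VRP] = [("2.0.0.0/16", 16, 0), ("3.0.0.0/22", 24, 0),
                       ("4.0.0.0/24", 24, 0), ("4.0.0.0/24", 24, 1234)]
AS0_ROUTES: List[Route] = [(1234, "1.0.0.0/24"), (1234, "2.0.0.0/16"), (1234, "2.0.0.0/24"),
                           (1234, "3.0.0.0/16"), (1234, "4.0.0.0/24")]

if __name__ == "__main__":
    for label, routes, vrps in (("ROA", ROA_ROUTES, ROA_VRPS), ("AS0", AS0_ROUTES, AS0_VRPS)):
        print(f"--- {label} example ---")
        for asn, pfx, state in validate_routes(routes, vrps):
            print(f"{asn:<6} {pfx:<18} {state}")
```

The same function checks your own announcements against your ROAs before you start dropping invalids: any route it labels INVALID is a max-length or origin mismatch to fix first.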

27 v1.1
What’s next? AS Path Validation
• ASPA - Autonomous System Provider Authorisation
o https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-profile/16/
• ASPA indicates the ASNs allowed/authorized to propagate their routes
• Supported in:
o Validators rpki-client and Routinator
o RPKI to Router Protocol (RTRv2)
o OpenBGPD

28 v1.0
https://www.apnic.net/community/security/resource-certification/#routing

29 v1.1
Thank You!
END OF SESSION

30 v1.1