Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Wählisch PEERING The BGP Testbed

A Problem with BGP… AS B AS D P P P AS C AS A

A Problem with BGP… AS B AS D ??? AS A AS C P P P Legitimate Origin Attacker

…and the (partial) solution: RPKI AS B AS D P P P AS C AS A

…and the (partial) solution: RPKI AS B AS D P P P AS C Prefix: P Legitimate Origin: AS A AS A Owner of P

…and the (partial) solution: RPKI AS B AS D P P P AS C Prefix: P Legitimate Origin: AS A Owner of P AS A

…and the (partial) solution: RPKI AS B AS D P Drop Invalid! P P AS C Prefix: P Legitimate Origin: AS A Owner of P AS A

Route Origin Authorization (ROA) ROA and ROV Route Origin Authorization (ROA) Prefix owner authorizes AS to originate a set of prefixes

Route Origin Authorization (ROA) ROA and ROV Route Origin Authorization (ROA) Prefix owner authorizes AS to originate a set of prefixes Route Origin Validation (ROV) BGP router validates received routes using ROA information

Motivation & Research Problem Goal: Which ASes use ROV-based filtering policies?

Motivation & Research Problem Goal: Which ASes use ROV-based filtering policies? Assess impact of defense mechanisms Track deployment over time Create an incentive to deploy

Motivation & Research Problem Goal: Which ASes use ROV-based filtering policies? Assess impact of defense mechanisms Track deployment over time Create an incentive to deploy Challenge: Private router configurations must be inferred

Route Collectors & Vantage Points Vantage Point (VP) BGP Router that exports BGP Updates to a Route Collector AS A AS B P P Route Collector (RC) BGP Router that dumps received BGP Updates Route Collector

Measuring ROV: Approaches Description Property

Measuring ROV: Approaches Uncontrolled Analyzing existing BGP data and ROAs, trying to infer who is filtering Description Relies on existing data Property [NDSS ‘17]

Measuring ROV: Approaches Uncontrolled Controlled Actively inject routes and dynamically create ROAs Analyze resulting data to infer who is filtering Analyzing existing BGP data and ROAs, trying to infer who is filtering Description Relies on existing data Needs own AS & Prefixes Property [NDSS ‘17] [CCR ‘18]

Uncontrolled Experiments: The Basic Idea Leverage divergence between AS paths of invalid and non-invalid routes to infer if an AS is filtering

Uncontrolled Experiments: The Basic Idea Leverage divergence between AS paths of invalid and non-invalid routes to infer if an AS is filtering AS A originates P1 (valid) and P2 (invalid) AS B P1 P1 AS C AS A Mention that we do in fact see this kind of situation, an AS originating an invalid and non-invalid, on the Internet P2 P2 AS D Vantage point selects divergent AS paths

Uncontrolled Experiments: The Basic Idea Filtering invalid routes? AS A originates P1 (valid) and P2 (invalid) AS B P1 P1 AS C AS A The existing work ASSUMES that AS C wants a route for P1, and that it prefers routes from AS B to routes from AS D. So the fact that P2 is routed through AS D is taken as an indicator that AS B is filtering. EXPLAIN ”POSSIBLY FILTERING”, “FILTERING”, and “NOT FILTERING”. P2 P2 AS D Vantage point selects divergent AS paths

Uncontrolled Experiments: Problems

Uncontrolled Experiments: Problems Limited Control 1. Don’t know origin AS policy

Uncontrolled Experiments: Limited Control Origin Policy AS B P1 AS C AS A P2 AS D Vantage Point

Uncontrolled Experiments: Limited Control Filtering invalids or traffic engineering? AS B 10.20.0.0/22 AS C AS A 10.20.0.0/24 AS D Vantage Point

Uncontrolled Experiments: Limited Control Filtering invalids or traffic engineering? Prefix: 10.20.0.0/22 - 22 Legitimate Origin: AS A Owner of prefix AS B 10.20.0.0/22 AS C AS A Explizit sagen: Paper zeigt dass 1-Hop divergence wahrscheinlicher TE ist! 10.20.0.0/24 AS D Vantage Point

Uncontrolled Experiments: Problems Limited Control 1. Don’t know origin AS policy 2. Can’t distinguish between ROV-filtering and other filtering

Uncontrolled Experiments: Limited Control Real World Example AS3356 AS3130 P1 AS25220 AS47065 P2 AS1239 Vantage Point AS1299

Uncontrolled Experiments: Limited Control Real World Example Filtering invalid routes? AS3356 AS3130 P1 AS25220 AS47065 P2 AS1239 Vantage Point AS1299

Uncontrolled Experiments: Limited Control Real World Example Filtering invalid routes? No! AS3356 AS3130 P1 AS25220 AS47065 P2 AS1239 Vantage point receives routes for both prefixes from AS3356 and AS1299, but uses route age as a tie-breaker! Vantage Point AS1299

Uncontrolled Experiments: Problems Limited Control 1. Don’t know origin AS policy 2. Can’t distinguish between ROV-filtering and other filtering

Uncontrolled Experiments: Problems Limited Control 1. Don’t know origin AS policy 2. Can’t distinguish between ROV-filtering and other filtering Limited Visibility Incomplete data can lead to misclassification

Uncontrolled Experiments: Limited Visibility

Uncontrolled Experiments: Limited Visibility X-Axis includes all Routeviews & RIPE RIS vantage points. Mention: VPs could have all full tables, this is only the stuff they export to the route collector. However, for the existing work it matters only what is exported.

Uncontrolled Experiments: Limited Visibility Analyzing data from different sets of vantage points can yield contradicting classifications Filtering invalid routes? AS B AS D P1 Vantage Point AS A AS C P2

Uncontrolled Experiments: Limited Visibility Analyzing data from different sets of vantage points can yield contradicting classifications AS E Filtering invalid routes? Probably not! AS B AS D Vantage Point P1 P2 Vantage Point AS A AS C

Uncontrolled Experiments: Limited Visibility Relative frequency of false positives Groesse der Vantage point sets erwaehnen Vantage Point Sets

Uncontrolled Experiments: Limited Visibility We don’t have a complete view of AS-level Internet. Inference without considering missing data can lead to misclassification! Relative frequency of false positives Vantage Point Sets

Uncontrolled Experiments: Problems Limited Control 1. Don’t know origin AS policy 2. Can’t distinguish between ROV-filtering and other filtering Limited Visibility Incomplete data can lead to misclassification Repeatability No

Uncontrolled Experiments: Problems Limited Control 1. Don’t know origin AS policy 2. Can’t distinguish between ROV-filtering and other filtering Inferring the routing policy of an AS on the basis of uncontrolled experiments is prone to misclassification! Limited Visibility Incomplete data can lead to misclassification Reproducibility No

Controlled Experiments Hand-crafted ROAs and BGP Updates

Controlled Experiments Hand-crafted ROAs and BGP Updates Goal: Find ASes that filter invalid routes Sagen: ASes welche _irgendwo_ filtern.

Controlled Experiments: Setup Hand-crafted ROAs and BGP Updates Goal: Find ASes that filter invalid routes BGP Announce prefixes PA (Anchor) and PE (Experiment) Same RIR DB route object Same prefix length Announced at the same time Announced to same peers Announced from same origin AS

Controlled Experiments: Setup Hand-crafted ROAs and BGP Updates Goal: Find ASes that filter invalid routes BGP RPKI Announce prefixes PA (Anchor) and PE (Experiment) Issue ROAs for both prefixes Same RIR DB route object Same prefix length Announced at the same time Announced to same peers Announced from same origin AS PA announcement is always valid. Periodically change ROA for PE : Flips announcement from valid to invalid to valid daily.

Controlled Experiments: Advantages Hand-crafted ROAs and BGP Updates Control Announcement Policy Control origin AS policy, can announce own routes Can distinguish ROV-filtering by changing route RPKI state

Controlled Experiments: Advantages Hand-crafted ROAs and BGP Updates Control Announcement Policy Control origin AS policy, can announce own routes Can distinguish ROV-filtering by changing route RPKI state Limited Visibility Less of an issue: Only care about our routes

Controlled Experiments: Advantages Hand-crafted ROAs and BGP Updates Control Announcement Policy Control origin AS policy, can announce own routes Can distinguish ROV-filtering by changing route RPKI state Limited Visibility Less of an issue: Only care about our routes Repeatability Yes

Controlled Experiments Initial Situation: Origin AS and vantage point AS peer directly AS47065 PEERING* AS A PA PE Prefix: PA ASN: 47065 Owner of PA ROA Owner of PE Prefix: PE Vantage Point *https://peering.usc.edu/

Controlled Experiments Initial Situation: Origin AS and vantage point AS peer directly AS47065 PEERING* AS A PA PE Vantage Point *https://peering.usc.edu/

Controlled Experiments Observation 1: Vantage point exports no route for PE AS47065 PEERING* AS A PA Vantage Point Prefix: PA ASN: 47065 Owner of PA ROA Owner of PE Prefix: PE ASN: 51224 *https://peering.usc.edu/

Controlled Experiments Observation 1: Vantage point exports no route for PE AS47065 PEERING* AS A PA Vantage Point Conclusion: Vantage point is using ROV-based filtering *https://peering.usc.edu/

Controlled Experiments Observation 2: Vantage point exports alternate route for PE AS47065 PEERING* AS A PA AS X PE PE Vantage Point Prefix: PA ASN: 47065 Owner of PA ROA Owner of PE Prefix: PE ASN: 51224 *https://peering.usc.edu/

Controlled Experiments Observation 2: Vantage point exports alternate route for PE AS47065 PEERING* AS A PA AS X PE PE Vantage Point Conclusion: Vantage point is using ROV-based filtering selectively. *https://peering.usc.edu/

Controlled Experiments Situation: Origin AS and vantage point AS do not peer directly AS47065 PEERING* PA AS A AS X PA PE PE Prefix: PA ASN: 47065 Owner of PA ROA Owner of PE Prefix: PE Vantage Point *https://peering.usc.edu/

Controlled Experiments Situation: Origin AS and vantage point AS do not peer directly AS47065 PEERING* PA AS A AS X PA PE PE Vantage Point *https://peering.usc.edu/

Controlled Experiments Observation 1: Vantage point exports no route for PE AS47065 PEERING* PA AS A AS X PA Prefix: PA ASN: 47065 Owner of PA ROA Owner of PE Prefix: PE ASN: 51224 Vantage Point *https://peering.usc.edu/

Controlled Experiments Observation 2: Vantage point exports different route for PE AS47065 PEERING* PA AS A AS X PA PE PE AS Y Vantage Point ROA ROA Prefix: PA ASN: 47065 Prefix: PE ASN: 51224 *https://peering.usc.edu/ Owner of PA Owner of PE

Controlled Experiments Problem Measuring vantage point AS that is not direct peer introduces ambiguity: Is the vantage point AS filtering or an intermediate AS?

Controlled Experiments Problem Solution Measuring vantage point AS that is not direct peer introduces ambiguity: Is the vantage point AS filtering or an intermediate AS? Establishing direct peering with vantage point AS or Check if intermediate ASes have vantage points

Controlled Experiments Results Before October 20th 2017: - (At least) Three ASes drop invalid routes October 20th 2017: - AMS-IX Route Server changes ROV based filtering to ‘opt-out’ MINDESTENS 3 AS: Operator confirmed!!!!!!!

IXP Route Servers AS C AS D AS B AS A AS E A Route Server (RS) is a BGP router that simplifies interconnection at IXPs.

IXP Route Servers AS C AS D AS B P P P P P AS A AS E BGP Route Server AS E Member AS announce to the RS. The RS propagates its best routes to the members

IXP Route Server: ROV Filtering AS C AS B AS D P P AS A BGP Route Server Underline looks weird, find alternative AS E Invalid announcements are only propagated to peers that opt-out of ROV filtering!

Controlled Experiments Results Before October 20th 2017: - (At least) Three ASes drop invalid routes October 20th 2017: - AMS-IX Route Server changes ROV based filtering to ‘opt-out’ - 50+ ASes “drop” invalid routes Mention: AMSIX isnt the first, there is Costa Rica IX and France IX. We want to be ready for other IXPs starting this, especially major ones. We are already at AMSIX, but unfortunately DE-CIX declined sponsoring PEERING. Gonna look into LINX as well… JOBs 2 ISPs Experimente erwähnen Andere IXPs erkennen Caveat: Technically, using Route Server filtering isn’t “deploying ROV”!

ROV Deployment Monitor Idea Give the networking community means to assess state of deployment Launched rov.rpki.net Implements our measurement methodology. Table with AS that have deployed ROV. Updated daily.

Next Step: Data Plane Measurements Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes PA and PE

Next Step: Data Plane Measurements Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes PA and PE Successful traceroute to PA + Unsuccessful traceroute to PE when routes are invalid

Next Step: Data Plane Measurements Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes PA and PE Successful traceroute to PA + Unsuccessful traceroute to PE when routes are invalid = Some AS on path is using ROV!

Next Step: Data Plane Measurements Idea: Complementary Measurements Using RIPE Atlas, traceroute towards prefixes PA and PE Successful traceroute to PA + Unsuccessful traceroute to PE when routes are invalid Mention: “We can explore approaches to identify the presence of default routes, so we can at least identify them and flag instances where they are at play” = Some AS on path is using ROV! Note: False negatives are possible because of default routes!

Conclusion Uncontrolled experiments are not suited to infer (RPKI-based filtering) routing policies

Conclusion Uncontrolled experiments are not suited to infer (RPKI-based filtering) routing policies Controlled experiments are crucial to measuring adoption of ROV- based filtering policies

Conclusion Uncontrolled experiments are not suited to infer (RPKI-based filtering) routing policies Controlled experiments are crucial to measuring adoption of ROV- based filtering policies There are ASes that do ROV-based filtering. Before Oct. 2017: At least 3 AS drop invalids After Oct. 2017: 50+ AS drop invalids via Route Server@AMSIX

Conclusion Uncontrolled experiments are not suited to infer (RPKI-based filtering) routing policies Controlled experiments are crucial to measuring adoption of ROV- based filtering policies There are ASes that do ROV-based filtering. Before Oct. 2017: At least 3 AS drop invalids After Oct. 2017: 50+ AS drop invalids via Route Server@AMSIX IXPs offering ROV at Route Servers can boost deployment

Questions? ROV Deployment Monitor: rov.rpki.net Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt & Matthias Wählisch (2018). Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering. ACM SIGCOMM Computer Communication Review, 48, 19-27. ROV Deployment Monitor: rov.rpki.net

Backup

Uncontrolled Experiments: Limited Control Filtering invalids or traffic engineering? AS B Can path divergence be explained by traffic engineering at the origin? 10.20.0.0/22 AS C AS A 10.20.0.0/24 Vantage Point AS D

Path Divergence Divergence between AS paths of routes with the same origin Fraction of path pairs Divergence point between path pair

Path Divergence Divergence between AS paths of routes with the same origin Fraction of path pairs Divergence point between path pair

Path Divergence Divergence between AS paths of routes with the same origin No significant difference between distributions suggests lack of widespread filtering Fraction of path pairs Divergence point between path pair

Path Divergence Divergence between AS paths of routes with the same origin No significant difference between distributions suggests lack of widespread filtering Fraction of path pairs Invalid routes likely have different AS paths for non-RPKI related reasons! Divergence point between path pair

Controlled Experiments Setup Announce prefixes PA (Anchor) and PE (Experiment) BGP Same IRR entry Same origin AS Announced to same peers Same prefix length Announced at same time

Uncontrolled Experiments: Limited Visibility Analyzing data from different sets of vantage points can yield contradicting classifications Mit VP vis und False positive plots ersetzen

Uncontrolled Experiments: Limited Visibility Analyzing data from different sets of vantage points can yield contradicting classifications AS E Filtering invalid routes? Probably not! We don’t have a complete view of AS-level Internet. Inference without considering missing data can lead to misclassification! AS B AS D Vantage Point P1 P2 Vantage Point AS C AS A

Controlled Experiments Setup Announce prefixes PA (Anchor) and PE (Experiment) BGP Same IRR entry Same origin AS Announced to same peers Same prefix length Announced at same time 1. Issue ROAs for PA and PE to make routes valid RPKI 2. Periodically change ROA for PE to flip route state between valid and invalid

Uncontrolled Experiments AS B P2 P2 AS E AS A P1 AS C P1 Vantage Point

Uncontrolled Experiments Does AS C filter P2 because it’s announcement is invalid? AS B P2 P2 AS E AS A P1 P1 AS C Vantage Point E

Uncontrolled Experiments Vantage Point D AS B AS D P2 P1 P2 AS A Probably not! P1 AS C

Measuring ROV: Approaches Uncontrolled Controlled Limited Control Don’t know announcement policy Can’t distinguish between ROV filtering and other filtering Limited Visibility Incomplete data can lead to misclassification Can’t repeat experiments Limited Control Control announcement policy Can distinguish between ROV filtering and other by issuing ROAs Limited Visibility Less of an issue, we only care about routes we control Can repeat experiments

Conclusion Uncontrolled Experiments Unsuited to infer ROV filtering

Conclusion Uncontrolled Experiments Controlled Experiments Unsuited to infer ROV filtering Crucial to infer ROV filtering

At least 3 ASes use ROV-based filtering Conclusion Uncontrolled Experiments Controlled Experiments Result Ι Unsuited to infer ROV filtering Crucial to infer ROV filtering At least 3 ASes use ROV-based filtering

Conclusion Uncontrolled Experiments Controlled Experiments Result Ι Unsuited to infer ROV filtering Crucial to infer ROV filtering At least 3 ASes use ROV-based filtering Over 50 ASes use Route Server ROV filtering

Conclusion Latest results at rov.rpki.net Controlled Experiments Crucial to infer ROV filtering At least 3 ASes use ROV-based filtering Over 50 ASes use Route Server ROV filtering Latest results at rov.rpki.net

Goal: Measure the adoption of ROV-based filtering policies Research Problem Goal: Measure the adoption of ROV-based filtering policies

Goal: Measure the adoption of ROV-based filtering policies Research Problem Goal: Measure the adoption of ROV-based filtering policies

Research Problem Goal: Measure the adoption of ROV-based filtering policies Why? Assess the current state of deployment

Research Problem Goal: Measure the adoption of ROV-based filtering policies Why? Why? Assess the current state of deployment Track increase in deployment over time

Research Problem Goal: Measure the adoption of ROV-based filtering policies Why? Why? Why? Assess the current state of deployment Track increase in deployment over time Create an incentive to deploy

Challenge: Private policies must be inferred from measurements Research Problem Goal: Measure the adoption of ROV-based filtering policies Why? Why? Why? Assess the current state of deployment Track increase in deployment over time Create an incentive to deploy Challenge: Private policies must be inferred from measurements

Research Problem Goal: Measure the adoption of ROV-based filtering policies ROA Which AS is allowed to announce an IP prefix Public Repository

Research Problem Goal: Measure the adoption of ROV-based filtering policies ROA ROV Local Policy Which AS is allowed to announce an IP prefix Router operation to validate BGP Updates based on ROA data Decide handling of invalid BGP routes (Drop?) (De-preference?) Public Repository Private Configuration

Research Problem Goal: Measure the adoption of ROV-based filtering policies ROA ROV Local Policy Which AS is allowed to announce an IP prefix Router operation to validate BGP Updates based on ROA data Decide handling of invalid BGP routes (Drop?) (De-preference?) Public Repository Private Configuration Challenge: Private policies must be inferred from measurements