DOI: 10.1007/978-3-031-28486-1_18

RPKI Time-of-Flight: Tracking Delays in the Management, Control, and Data Planes

Published: 21 March 2023

    Abstract

    As RPKI is becoming part of ISPs’ daily operations and Route Origin Validation is getting widely deployed, one wonders how long it takes for the effect of RPKI changes to appear in the data plane. Does an operator that adds, fixes, or removes a Route Origin Authorization (ROA) have time to brew coffee or rather enjoy a long meal before the Internet routing infrastructure integrates the new information and the operator can assess the changes and resume work? The chain of ROA publication, from creation at Certification Authorities all the way to the routers and the effect on the data plane involves a large number of players, is not instantaneous, and is often dominated by ad hoc administrative decisions. This is the first comprehensive study to measure the entire ecosystem of ROA manipulation by all five Regional Internet Registries (RIRs), propagation on the management plane to Relying Parties (RPs) and to routers; measure the effect on BGP as seen by global control plane monitors; and finally, measure the effects on data plane latency and reachability. We found that RIRs usually publish new RPKI information within five minutes, except APNIC which averages ten minutes slower. At least one national CA is said to publish daily. We observe significant disparities in ISPs’ reaction time to new RPKI information, ranging from a few minutes to one hour. The delay for ROA deletion is significantly longer than for ROA creation as RPs and BGP strive to maintain reachability. Incidentally, we found and reported significant issues in the management plane of two RIRs and a Tier1 network.

    Cited By

    • (2024) A Tale of Two Synergies: Uncovering RPKI Practices for RTBH at IXPs. Passive and Active Measurement, pp. 88-103. DOI: 10.1007/978-3-031-56252-5_5. Online publication date: 11-Mar-2024

    Published In

    Passive and Active Measurement: 24th International Conference, PAM 2023, Virtual Event, March 21–23, 2023, Proceedings
    Mar 2023
    670 pages
    ISBN: 978-3-031-28485-4
    DOI: 10.1007/978-3-031-28486-1

    Publisher: Springer-Verlag, Berlin, Heidelberg
