DOI: 10.1145/3618257.3624806
Research article (open access)

RoVista: Measuring and Analyzing the Route Origin Validation (ROV) in RPKI

Published: 24 October 2023

Abstract

The Resource Public Key Infrastructure (RPKI) is a system that adds security to Internet routing. In recent years, the publication of Route Origin Authorization (ROA) objects, which bind IP prefixes to their legitimate origin ASN, has been increasing rapidly. However, ROAs are effective only if routers use them to verify and filter invalid BGP announcements, a process called Route Origin Validation (ROV).
Many approaches have been proposed to measure the status of ROV in the wild, but they are limited in scalability or accuracy. In this paper, we present RoVista, an ROV measurement framework that leverages the IP-ID side channel and RPKI-invalid prefixes observed in the wild. With over 20 months of longitudinal measurement, RoVista covers more than 28K ASes, of which 63.8% benefit from ROV, although the percentage of fully protected ASes remains relatively low at 12.3%. To validate our findings, we have also sought input from network operators.
We then evaluate the security impact of current ROV deployment and reveal misconfigurations that weaken the protection of ROV. Lastly, we compare RoVista with other approaches and conclude with a discussion of our findings and limitations.
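The ROV step the abstract describes, checking a BGP announcement's origin AS against the ROA set, as an added example that is not code from the RoVista paper or its authors. It implements the three RFC 6811 validity states (Valid, Invalid, NotFound), including the maxLength and AS 0 cases and both address families, and then applies them the way a router that drops Invalid routes would. The JSON field names (asn, prefix, maxLength), the sample ROAs and the sample announcements are constructed assumptions built from documentation prefixes and example ASNs, not real RPKI data.

```python
"""Route Origin Validation (ROV) over a set of ROAs, following RFC 6811.

Added example for this page; it is not code from the RoVista paper.
The ROA records are constructed sample data in the shape of a validator's
JSON export (assumed field names: asn, prefix, maxLength) and use
documentation prefixes and example ASNs, not real RPKI objects.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Iterable, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: IPNetwork   # prefix the resource holder authorises
    max_length: int     # most specific prefix length the ROA still covers
    asn: int            # authorised origin AS; 0 means "no origin is valid"


def load_roas(doc: str) -> list[ROA]:
    """Parse a JSON document of ROA records (constructed shape, see above).

    maxLength defaults to the ROA prefix length when absent; a maxLength
    shorter than the prefix or longer than the address family allows is
    rejected rather than silently accepted.
    """
    roas = []
    for rec in json.loads(doc)["roas"]:
        net = ipaddress.ip_network(rec["prefix"], strict=True)
        max_len = int(rec.get("maxLength", net.prefixlen))
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {max_len} for {net}")
        asn = rec["asn"]
        if isinstance(asn, str):            # accept "AS64496" as well as 64496
            asn = int(asn.upper().removeprefix("AS"))
        roas.append(ROA(net, max_len, asn))
    return roas


def validate_origin(roas: Iterable[ROA], announced: str, origin_asn: int) -> str:
    """Return the RFC 6811 state of one announcement: Valid, Invalid or NotFound.

    A ROA "covers" an announcement when its prefix is the same as, or less
    specific than, the announced prefix.  With no covering ROA the state is
    NotFound; with at least one covering ROA the announcement is Valid only
    if some covering ROA names the same origin AS and its maxLength is not
    exceeded, otherwise Invalid.
    """
    net = ipaddress.ip_network(announced, strict=True)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    for r in covering:
        # An AS 0 ROA (RFC 6483) matches no origin: it marks the prefix as
        # not to be announced at all, so every origin stays Invalid.
        if r.asn != 0 and r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def apply_rov(roas: Iterable[ROA], announcements, drop_invalid: bool = True):
    """Classify (prefix, origin_asn) announcements as an ROV-enforcing router would.

    Returns (accepted, rejected); each entry is (prefix, origin_asn, state).
    NotFound routes are accepted, since most prefixes still have no ROA.
    """
    roas = list(roas)                      # allow a generator to be reused
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_origin(roas, prefix, asn)
        bucket = rejected if (state == "Invalid" and drop_invalid) else accepted
        bucket.append((prefix, asn, state))
    return accepted, rejected


# Constructed sample ROA set: RFC 5737 / RFC 3849 documentation prefixes,
# RFC 5398 example ASNs.
SAMPLE_ROAS = json.dumps({"roas": [
    {"asn": "AS64496", "prefix": "192.0.2.0/24", "maxLength": 24},
    {"asn": 64497, "prefix": "198.51.100.0/22", "maxLength": 24},
    {"asn": 0, "prefix": "203.0.113.0/24"},
    {"asn": "AS64496", "prefix": "2001:db8::/32", "maxLength": 48},
]})

# Constructed announcements: the legitimate route, a more-specific that
# exceeds maxLength, a wrong origin, and a prefix with no ROA at all.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/25", 64496),
    ("192.0.2.0/24", 64500),
    ("10.0.0.0/8", 64500),
]

if __name__ == "__main__":
    accepted, rejected = apply_rov(load_roas(SAMPLE_ROAS), SAMPLE_ANNOUNCEMENTS)
    for entry in accepted + rejected:
        print(*entry)
```

A route that `validate_origin` classifies as Invalid is exactly the kind of "RPKI-invalid prefix" the abstract refers to: whether traffic towards such a prefix still reaches an AS is what distinguishes an AS that enforces ROV from one that does not, and an AS that drops only some Invalid routes (for example from peers but not customers) is one reason the abstract separates ASes that benefit from ROV from those that are fully protected.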




Published In

IMC '23: Proceedings of the 2023 ACM on Internet Measurement Conference, October 2023, 746 pages. ISBN 9798400703829, DOI 10.1145/3618257.
This work is licensed under a Creative Commons Attribution International 4.0 License.


Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. ip-id side channel
  2. network measurement
  3. resource public key infrastructure
  4. route origin validation
  5. rpki

Qualifiers

  • Research-article

Funding Sources

  • NSF

Conference

IMC '23: ACM Internet Measurement Conference, October 24-26, 2023, Montreal QC, Canada

Acceptance Rates

Overall Acceptance Rate 277 of 1,083 submissions, 26%

Article Metrics

  • Downloads (last 12 months): 1,155
  • Downloads (last 6 weeks): 113
Reflects downloads up to 28 Dec 2024

Cited By

  • (2024) Identificação de Políticas de Validação de Rotas no RPKI. Anais do XLII Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos (SBRC 2024), pp. 910-923. DOI 10.5753/sbrc.2024.1496. Published 20 May 2024.
  • (2024) Serial BGP Hijackers: A Reproducibility Study and Assessment of Current Dynamics. 2024 8th Network Traffic Measurement and Analysis Conference (TMA), pp. 1-10. DOI 10.23919/TMA62044.2024.10559067. Published 21 May 2024.
  • (2024) Identifying Current Barriers in RPKI Adoption. SSRN Electronic Journal. DOI 10.2139/ssrn.4948317. Published 2024.
  • (2024) Assessing the security of Internet paths: A case study of Dutch critical infrastructures. Proceedings of the 2024 Applied Networking Research Workshop, pp. 67-73. DOI 10.1145/3673422.3674899. Published 23 July 2024.
  • (2024) Byzantine-Secure Relying Party for Resilient RPKI. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 49-63. DOI 10.1145/3658644.3690368. Published 2 December 2024.
  • (2024) Sublet Your Subnet: Inferring IP Leasing in the Wild. Proceedings of the 2024 ACM on Internet Measurement Conference, pp. 328-336. DOI 10.1145/3646547.3689010. Published 4 November 2024.
  • (2024) Exploring the Benefit of Path Plausibility Algorithms in BGP. NOMS 2024 IEEE Network Operations and Management Symposium, pp. 1-10. DOI 10.1109/NOMS59830.2024.10575088. Published 6 May 2024.
  • (2024) A path forward: improving Internet routing security by enabling zones of trust. Journal of Cybersecurity, 10(1). DOI 10.1093/cybsec/tyae023. Published 14 December 2024.
  • (2024) TriNT: A Framework for ROV Identification Based on Triplet. Information Security Practice and Experience, pp. 20-32. DOI 10.1007/978-981-97-9053-1_2. Published 25 October 2024.
  • (2023) The Resource Public Key Infrastructure (RPKI): A Survey on Measurements and Future Prospects. IEEE Transactions on Network and Service Management, 21(2), pp. 2353-2373. DOI 10.1109/TNSM.2023.3327455. Published 25 October 2023.
