Top

Published in:

2020 | OriginalPaper | Chapter

To Filter or Not to Filter: Measuring the Benefits of Registering in the RPKI Today

Authors : Cecilia Testart, Philipp Richter, Alistair King, Alberto Dainotti, David Clark

Published in: Passive and Active Measurement

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Securing the Internet’s inter-domain routing system against illicit prefix advertisements by third-party networks remains a great concern for the research, standardization, and operator communities. After many unsuccessful attempts to deploy additional security mechanisms for BGP, we now witness increasing adoption of the RPKI (Resource Public Key Infrastructure). Backed by strong cryptography, the RPKI allows network operators to register their BGP prefixes together with the legitimate Autonomous System (AS) number that may originate them via BGP. Recent research shows an encouraging trend: an increasing number of networks around the globe start to register their prefixes in the RPKI. While encouraging, the actual benefit of registering prefixes in the RPKI eventually depends on whether transit providers in the Internet enforce the RPKI’s content, i.e., configure their routers to validate prefix announcements and filter invalid BGP announcements. In this work, we present a broad empirical study tackling the question: To what degree does registration in the RPKI protect a network from illicit announcements of their prefixes, such as prefix hijacks? To this end, we first present a longitudinal study of filtering behavior of transit providers in the Internet, and second we carry out a detailed study of the visibility of legitimate and illegitimate prefix announcements in the global routing table, contrasting prefixes registered in the RPKI with those not registered. We find that an increasing number of transit and access providers indeed do enforce RPKI filtering, which translates to a direct benefit for the networks using the RPKI in the case of illicit announcements of their address space. Our findings bode well for further RPKI adoption and for increasing routing security in the Internet.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Leopard: Understanding the Threat of Blockchain Domain Name Based Malware

next chapter A First Look at the Misuse and Abuse of the IPv4 Transfer Market

Available only for authorised users

Or the closest day for which validated historical RPKI data is available.

Note that a prefix can have multiple origins in the global routing table, in this case we extract multiple prefix-origin pairs.

For 0.37% IPv4 prefix-origin timelines, the RPKI state changed due to churn in the RPKI database caused by changes of RPKI entries during our measurement window. We remove these instances.

We tested different thresholds, finding that the modes of the distribution do not change much.

0.13% of IPv6 prefix-origin timelines whose RPKI state changed during our measurement window were removed.

AS286 Routing Policy. https://as286.net/AS286-routing-policy.html

AT&T/as7018 now drops invalid prefixes from peers. https://mailman.nanog.org/pipermail/nanog/2019-February/099501.html

Cymru BGP Bogon Refence. http://www.team-cymru.org/bogon-reference-bgp.html

PeeringDB. https://www.peeringdb.com

RIPE NCC RPKI Validator. https://rpki-validator.ripe.net/

RPKI Route Origin Validation - Africa. https://mailman.nanog.org/pipermail/nanog/2019-April/100445.html

Telia Carrier Takes Major Step to Improve the Integrity of the Internet Core. https://www.teliacarrier.com/Press-room/Press-releases/Telia-Carrier-Takes-Major-Step-to-Improve-the-Integrity-of-the-Internet-Core-.html

The hunt for 3ve: taking down a major ad fraud operation through industry collaboration. Technical report, November 2018. https://services.google.com/fh/files/blogs/3ve_google_whiteops_whitepaper_final_nov_2018.pdf?__hstc=&__hssc=&hsCtaTracking=c7b87c5c-1676-4d53-99fb-927a07720b17%7C9d63bf77-0926-4d08-b5ec-46b1a06846bc

Bush, R., Austein, R.: The Resource Public Key Infrastructure (RPKI) to Router Protocol. RFC 6810 (Proposed Standard), January 2013. https://www.rfc-editor.org/rfc/rfc6810.txt (updated by RFC 8210)

10.

Cartwright-Cox, B.: The year of RPKI on the control plane, September 2019. https://blog.benjojo.co.uk/post/the-year-of-rpki-on-the-control-plane

11.

Chung, T., et al.: RPKI is coming of age: a longitudinal study of RPKI deployment and invalid route origins. In: Proceedings of the Internet Measurement Conference (IMC 2019), pp. 406–419. Association for Computing Machinery, Amsterdam, Netherlands, October 2019. https://doi.org/10.1145/3355369.3355596

12.

Cisco: IP Routing: BGP Configuration Guide, Cisco IOS XE Release 3S. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-xe-3s-book/bgp-origin-as-validation.html

13.

Gilad, Y., Cohen, A., Herzberg, A., Schapira, M., Shulman, H.: Are we there yet? On RPKI’s deployment and security. In: Proceedings 2017 Network and Distributed System Security Symposium. Internet Society, San Diego (2017)

14.

Goodin, D.: Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency, April 2018. https://arstechnica.com/information-technology/2018/04/suspicious-event-hijacks-amazon-traffic-for-2-hours-steals-cryptocurrency/

15.

Huston, G., Michaelson, G., Loomans, R.: A Profile for X.509 PKIX Resource Certificates. RFC 6487 (Proposed Standard), February 2012. https://www.rfc-editor.org/rfc/rfc6487.txt (updated by RFCs 7318, 8209)

16.

Huston, G., Michaelson, G., Martinez, C., Bruijnzeels, T., Newton, A., Shaw, D.: Resource Public Key Infrastructure (RPKI) Validation Reconsidered. RFC 8360 (Proposed Standard), April 2018. https://www.rfc-editor.org/rfc/rfc8360.txt

17.

Huston, G., Michaelson, G.: RFC 6483: Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations (ROAs), February 2012. https://tools.ietf.org/html/rfc6483

18.

Iamartino, D., Pelsser, C., Bush, R.: Measuring BGP route origin registration and validation. In: Mirkovic, J., Liu, Y. (eds.) PAM 2015. LNCS, vol. 8995, pp. 28–40. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15509-8_3CrossRef

19.

Kent, S., Kong, D., Seo, K., Watro, R.: Certificate Policy (CP) for the Resource Public Key Infrastructure (RPKI). RFC 6484 (Best Current Practice), February 2012. https://www.rfc-editor.org/rfc/rfc6484.txt

20.

Lepinski, M., Kent, S.: An Infrastructure to Support Secure Internet Routing. RFC 6480 (Informational), February 2012. https://www.rfc-editor.org/rfc/rfc6480.txt

21.

Lepinski, M., Kent, S., Kong, D.: A Profile for Route Origin Authorizations (ROAs). RFC 6482 (Proposed Standard), February 2012. https://www.rfc-editor.org/rfc/rfc6482.txt

22.

Maddison, B.: RIPE Forum - Routing Working Group - RPKI Route Origin Validation - Africa, April 2019. https://www.ripe.net/participate/mail/forum/routing-wg/PDZlMzAzMzhhLWVhOTAtNzIxOC1lMzI0LTBjZjMyOGI1Y2NkM0BzZWFjb20ubXU+

23.

Newman, L.H.: Why Google Internet Traffic Rerouted Through China and Russia. Wired, November 2018. https://www.wired.com/story/google-internet-traffic-china-russia-rerouted/

24.

Newton, A., Huston, G.: Policy Qualifiers in Resource Public Key Infrastructure (RPKI) Certificates. RFC 7318 (Proposed Standard), July 2014. https://www.rfc-editor.org/rfc/rfc7318.txt

25.

Orsini, C., King, A., Giordano, D., Giotsas, V., Dainotti, A.: BGPStream: a software framework for live and historical BGP data analysis. In: Proceedings of the 2016 Internet Measurement Conference (IMC 2016), pp. 429–444. Association for Computing Machinery, Santa Monica, November 2016. https://doi.org/10.1145/2987443.2987482

26.

Reuter, A., Bush, R., Cunha, I., Katz-Bassett, E., Schmidt, T.C., Waehlisch, M.: Towards a rigorous methodology for measuring adoption of RPKI route validation and filtering. ACM SIGCOMM Comput. Commun. Rev. 48(1), 9 (2018)CrossRef

27.

Sermpezis, P., et al.: ARTEMIS: Neutralizing BGP Hijacking within a Minute. arXiv:1801.01085 [cs], January 2018. http://arxiv.org/abs/1801.01085

28.

Strickx, T.: How Verizon and a BGP Optimizer Knocked Large Parts of the Internet Offline Today, June 2019. https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/

29.

Testart, C., Richter, P., King, A., Dainotti, A., Clark, D.: Profiling BGP serial hijackers: capturing persistent misbehavior in the global routing table. In: Proceedings of the Internet Measurement Conference (IMC 2019), pp. 420–434. ACM Press, Amsterdam (2019). https://doi.org/10.1145/3355369.3355581

30.

Yoo, C., Wishnick, D.: Lowering legal barriers to RPKI adoption. Faculty Scholarship at Penn Law, January 2019. https://scholarship.law.upenn.edu/faculty_scholarship/2035

Title: To Filter or Not to Filter: Measuring the Benefits of Registering in the RPKI Today
Authors: Cecilia Testart
Philipp Richter
Alistair King
Alberto Dainotti
David Clark
Publisher: Springer International Publishing
Book: Passive and Active Measurement
Print ISBN: 978-3-030-44080-0

Electronic ISBN: 978-3-030-44081-7

Copyright Year: 2020
DOI: https://doi.org/10.1007/978-3-030-44081-7_5

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner