To Filter or Not to Filter: Measuring the Benefits of Registering in the RPKI Today

  • Cecilia Testart
  • Philipp Richter
  • Alistair King
  • Alberto Dainotti
  • David Clark
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12048)

Abstract

Securing the Internet’s inter-domain routing system against illicit prefix advertisements by third-party networks remains a great concern for the research, standardization, and operator communities. After many unsuccessful attempts to deploy additional security mechanisms for BGP, we now witness increasing adoption of the RPKI (Resource Public Key Infrastructure). Backed by strong cryptography, the RPKI allows network operators to register their BGP prefixes together with the legitimate Autonomous System (AS) number that may originate them via BGP. Recent research shows an encouraging trend: an increasing number of networks around the globe start to register their prefixes in the RPKI. While encouraging, the actual benefit of registering prefixes in the RPKI eventually depends on whether transit providers in the Internet enforce the RPKI’s content, i.e., configure their routers to validate prefix announcements and filter invalid BGP announcements. In this work, we present a broad empirical study tackling the question: To what degree does registration in the RPKI protect a network from illicit announcements of their prefixes, such as prefix hijacks? To this end, we first present a longitudinal study of filtering behavior of transit providers in the Internet, and second we carry out a detailed study of the visibility of legitimate and illegitimate prefix announcements in the global routing table, contrasting prefixes registered in the RPKI with those not registered. We find that an increasing number of transit and access providers indeed do enforce RPKI filtering, which translates to a direct benefit for the networks using the RPKI in the case of illicit announcements of their address space. Our findings bode well for further RPKI adoption and for increasing routing security in the Internet.

Keywords

Internet security, Routing, RPKI, BGP

Notes

Acknowledgments

We thank the anonymous reviewers for their thoughtful feedback. This work was partially supported by the MIT Internet Policy Research Initiative, William and Flora Hewlett Foundation grant 2014-1601. We acknowledge funding support from the NSF Grants CNS 1705024 and OAC 1724853. This material is based on research sponsored by Air Force Research Laboratory under agreement number FA8750-18-2-0049. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions in this paper are those of the authors and do not necessarily reflect the opinions of a sponsor, Air Force Research Laboratory or the U.S. Government.

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Cecilia Testart (1)
  • Philipp Richter (1)
  • Alistair King (2)
  • Alberto Dainotti (2)
  • David Clark (1)

  1. MIT, Cambridge, USA
  2. CAIDA, UC San Diego, San Diego, USA