Randy's Work Blog

Romain Fontugne, Amreesh Phokeer, Cristel Pelsser, Kevin Vermeulen, and Randy Bush, RPKI Time-of-Flight: Tracking Delays in the Management, Control, and Data Planes; PAM March 2023

As RPKI is becoming part of ISPs’ daily operations and Route Origin Validation is getting widely deployed, one wonders how long it takes for the e?ect of RPKI changes to appear in the data plane. Does an operator that adds, fixes, or removes a Route Origin Authorization (ROA) have time to brew co?ee or rather enjoy a long meal before the Internet routing infrastructure integrates the new information and the operator can assess the changes and resume work? The chain of ROA publication, from creation at Certification Authorities all the way to the routers and the e?ect on the data plane involves a large number of players, is not instantaneous, and is often dominated by ad hoc administrative decisions. This is the first comprehensive study to measure the entire ecosystem of ROA manipulation by all five Regional Internet Registries (RIRs), propagation on the management plane to Relying Parties (RPs) and to routers; measure the e?ect on BGP as seen by global control plane monitors; and finally, measure the e?ects on data plane latency and reachability. We found that RIRs usually publish new RPKI information within five minutes, except APNIC which averages ten minutes slower. At least one national CA is said to publish daily. We observe significant disparities in ISPs’ reaction time to new RPKI information, ranging from a few minutes to one hour. The delay for ROA deletion is significantly longer than for ROA creation as RPs and BGP strive to maintain reachability. Incidentally, we found and reported significant issues in the management plane of two RIRs and a Tier1 network.

Victor-Alexandru Padurean, Oliver Gasser, Randy Bush, Anja Feldmann SRv6: Is There Anybody Out There?. 7th International Workshop on Traffic Measurements for Cybersecurity (WTMC June 2022).

Segment routing is a modern form of source- based routing, i.e., a routing technique where all or part of the routing decision is predetermined by the source or a hop on the path. Since initial standardization efforts in 2013, segment routing seems to have garnered substantial industry and operator support. Especially segment routing over IPv6 (SRv6) is advertised as having several advantages for easy deployment and flexibility in operations in networks. Many people, however, argue that the deployment of segment routing and SRv6 in particular poses a significant security threat if not done with the utmost care.

In this paper we conduct a first empirical analysis of SRv6 deployment in the Internet. First, we analyze SRv6 behavior in an emulation environment and find that different SRv6 implementations have the potential to leak information to the outside. Second, we search for signs of SRv6 deploy- ment in publicly available route collector data, but could not find any traces. Third, we run large-scale traceroute campaigns to investigate possible SRv6 deployments. In this first empirical study on SRv6 we were unable to find traces of SRv6 deployment even for companies that claim to have it deployed in their networks.

Nils Rodday, Italo Cunha, Randy Bush, Ethan Katz-Bassett, Gabi Dreo Rodosek, Thomas C. Schmidt, Matthias Wählisch; Revisiting RPKI Route Origin Validation on the Data Plane. TMA September 2021

The adoption of the Resource Public Key Infrastructure (RPKI) is increasing, as are measurement activities to identify RPKI-based route origin validation (ROV). Several proposals try to identify Autonomous Systems (ASes) that deploy ROV using control plane as well as data plane measurements. We show why simple end-to-end measurements may lead to incorrect identification of ROV. In this paper we evaluate data plane traceroute measurements as a mechanism to extend coverage and provide a reproducible method for ROV identification using RIPE Atlas. Moreover, we extend the current state-of-the-art by identifying ROV performed by route servers at Internet Exchange Point (IXP) and using an include list to differentiate between fully and partially ROV-enforcing ASes. Our measurements from 5537 vantage points in 3694 ASes infer ROV is deployed in 206 unique ASes: 10 with strong confidence, 12 with weak confidence, and 184 indirectly adopting ROV via filtering by IXP route servers.

Clemens Mosig, Randy Bush, Cristel Pelsser, Thomas C. Schmidt, Matthias Wählisch; Revisiting Recommended BGP Route Flap Damping Configurations. TMA September 2021.

BGP Route Flap Damping (RFD) is recommended to suppress BGP churn. Current configuration recommendations for RFD, however, are based on a study from 2010. Since then, BGP churn increased by one order of magnitude, which may lead to outdated RFD parameters and introduce more loss of reachability of stable networks. In this paper, we revisit current recommendations to configure RFD. First, we develop an accurate and scalable emulation of Cisco and Juniper RFD implemen- tations and make it publicly available. Second, we successfully reproduce the 2010 measurement study that justified the current RFD recommendations using current data. Third, we consider the RFD implementation of an additional major router vendor (Juniper), which penalizes BGP churn differently compared to the previously studied Cisco implementation. Fourth, we include IPv6 data from 2020. Our results show that the recommended RFD configuration parameters from 2010, though seemingly rarely used, still hold today in IPv4 and IPv6 and across vendors, even though BGP churn increased significantly. Our study revises metrics to assess the impact of incorrectly configured RFD, discusses collateral damage, and gives insights into sweet spots when damping routes.

Nils Rodday, Lukas Kaltenbach, Ítalo Cunha, Randy Bush, Ethan Katz-Bassett, Gabi Dreo Rodosek, Thomas C. Schmidt, Matthias Wählisch: On the Deployment of Default Routes in Inter-domain Routing. TAURIN@SIGCOMM August 2021: 14-20

In this paper, we argue that the design of a responsible Internet requires a clear understanding of the current state of deployment. This work sheds light on default routing in the Internet, a routing strategy that reduces control but may help to increase availabil- ity when forwarding packets. We revisit and extend two common methodologies based on active measurements to increase coverage and accuracy. Our results show larger differences in the results between the methodologies. We confirm that default route deploy- ment strongly correlates with the customer cone size of autonomous systems and that smaller networks are more likely to deploy a de- fault route. Our data will help to better assess the deployment of other protocols such as RPKI route origin filtering.

John Kristoff, Randy Bush, Chris Kanich, George Michaelson, Amreesh Phokeer, Thomas Schmidt, Matthias Wählisch. On Measuring RPKI Relying Parties, ACM IMC 2020

On Measuring RPKI Relying Parties

In this paper, we introduce a framework to observe RPKI relying parties (i.e., those that fetch RPKI data from the distributed repository) and present insights into this ecosystem for the first time. Our longitudinal study of data gathered from three RPKI certification authorities (AFRINIC, APNIC, and our own CA) identifies different deployment models of relying parties and (surprisingly) prevalent inconsistent fetching behavior that affects Internet routing robustness. Our results reveal nearly 90% of relying parties are unable to connect to delegated publication points under certain conditions, which leads to erroneous invalidation of IP prefixes and likely widespread loss of network reachability.

Caitlin Gray, Clemens Mosig, Randy Bush, Cristel Pelsser, Matthew
Roughan, Thomas Schmidt, Matthias Wählisch . BGP Beacons, Network Tomography, and Bayesian Computation to Locate Route Flap Damping, ACM IMC 2020

Pinpointing autonomous systems which deploy specific inter-domain techniques such as Route Flap Damping (RFD) or Route Origin Validation (ROV) remains a challenge today. Previous approaches to detect per-AS behavior often relied on heuristics derived from passive and active measurements. Those heuristics, however, often lacked accuracy or imposed tight restrictions on the measurement methods.

We introduce an algorithmic framework for network tomog- raphy, BeCAUSe, which implements Bayesian Computation for Autonomous Systems. Using our original combination of active probing and stochastic simulation, we present the first study to expose the deployment of RFD. In contrast to the expectation of the Internet community, we find that at least 9% of measured ASs enable RFD, most using deprecated vendor default configuration parameters. To illustrate the power of computational Bayesian methods we compare BeCAUSe with three RFD heuristics. Thereafter we successfully apply a generalization of the Bayesian method to a second challenge, measuring deployment of ROV.

Florian Streibelt, Franziska Lichtblau, Robert Beverly, Anja Feldmann, Cristel Pelsser, Georgios Smaragdakis, and Randy Bush. BGP Communities: Even more Worms in the Routing Can. Proc. Internet Measurement Conference 2018 (IMC ‘18).ACM, New York, NY, USA, 279-292.

Florian Streibelt, Franziska Lichtblau, Robert Beverly, Anja Feldmann, Cristel Pelsser, Georgios Smaragdakis, Randy Bush; BGP Communities: Even more Worms in the Routing Can; ACM Internet Measurement Conference 2018.

BGP communities are a mechanism widely used by operators to manage policy, mitigate attacks, and engineer traffic; e.g., to drop unwanted traffic, filter announcements, adjust local preference, and prepend paths to influence peer selection.

Unfortunately, we show that BGP communities can be exploited by remote parties to influence routing in unintended ways. The BGP community-based vulnerabilities we expose are enabled by a combination of complex policies, error-prone configurations, a lack of cryptographic integrity and authenticity over communities, and the wide extent of community propagation. Due in part to their ill-defined semantics, BGP communities are often propagated far further than a single routing hop, even though their intended scope is typically limited to nearby ASes. Indeed, we find 14% of transit ASes forward received BGP communities onward. Given the rich inter-connectivity of transit ASes, this means that communities effectively propagate globally. As a consequence, remote adversaries can use BGP communities to trigger remote blackholing, steer traffic, and manipulate routes even without prefix hijacking. We highlight examples of these attacks via scenarios that we tested and measured both in the lab as well as in the wild. While we suggest what can be done to mitigate such ill effects, it is up to the Internet operations community whether to take up the suggestions.

Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch; Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering; SIGCOMM August 2018

A proposal to improve routing security—Route Origin Authorization (ROA)—has been standardized. A ROA specifies which network is allowed to announce a set of Internet destinations. While some networks now specify ROAs, little is known about whether other networks check routes they receive against these ROAs, a process known as Route Origin Validation (ROV). Which networks blindly accept invalid routes? Which reject them outright? Which de-preference them if alternatives exist?

Recent analysis attempts to use uncontrolled experiments to characterize ROV adoption by comparing valid routes and invalid routes. However, we argue that gaining a solid understanding of ROV adoption is impossible using currently available data sets and techniques. Instead, we devise a verifiable methodology of controlled experiments for measuring ROV. Our measurements suggest that, although some ISPs are not observed using invalid routes in uncontrolled experiments, they are actually using different routes for (non-security) traffic engineering purposes, without performing ROV. We conclude with presenting three AS that do implement ROV as confirmed by the operators.