Archive for Conferences

Measuring BGP Route Origin Registration and Validation

Daniele Iamartino, Cristel Pelsser, Randy Bush. Measuring BGP Route Origin Registration and Validation, PAM 2015.

BGP, the de-facto inter-domain routing protocol, was designed without considering security. Recently, network operators have experienced hijacks of their network prefixes, often due to BGP misconfiguration by other operators, sometimes maliciously. In order to address this, prefix origin validation, based on a RPKI infrastructure, was proposed and developed. Today, many organizations are registering their data in the RPKI to protect their prefixes from accidental mis-origination. However, some organizations submit incorrect information to the RPKI repositories or announce prefixes that do not exactly match what they registered. Also, the RPKI repositories of Internet registries are not operationally reliable. The aim of this work is to reveal these problems via measurement. We show how important they are, try to understand the main causes of errors, and explore possible solutions. In this longitudinal study, we see the impact of a policy which discards route announcements with invalid origins would have on the routing table, and to a lesser extent on the traffic at the edge of a large research network.
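As an added illustration (not code from the paper), the following computes the RFC 6811 origin-validation state a router assigns to each announcement given a set of ROAs, over constructed ROAs and routes in documentation address space; the mismatches the abstract describes (a more-specific announced beyond the registered maxLength, or a different origin AS) come out Invalid, which is exactly what a drop-invalid policy removes from the table.

```python
"""RPKI route origin validation (RFC 6811) over a constructed RIB.

Added example; the ROAs and announcements are made up to show why a
prefix that does not exactly match its registration becomes Invalid.
"""
from ipaddress import ip_network

# Constructed ROAs: (prefix, maxLength, authorised origin ASN)
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
]

def covers(roa_prefix, prefix):
    """True if prefix lies within (or equals) the ROA prefix."""
    r, p = ip_network(roa_prefix), ip_network(prefix)
    return r.version == p.version and p.subnet_of(r)

def validate(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for (prefix, origin AS)."""
    covering = [roa for roa in roas if covers(roa[0], prefix)]
    if not covering:
        return "not-found"          # no ROA covers this prefix at all
    plen = ip_network(prefix).prefixlen
    for roa_prefix, max_len, roa_asn in covering:
        if roa_asn == origin_asn and plen <= max_len:
            return "valid"          # at least one covering ROA matches
    return "invalid"                # covered, but no ROA matches AS/length

def apply_drop_invalid(rib, roas=ROAS):
    """Split a RIB of (prefix, origin) routes into kept and dropped lists."""
    kept, dropped = [], []
    for prefix, asn in rib:
        target = dropped if validate(prefix, asn, roas) == "invalid" else kept
        target.append((prefix, asn))
    return kept, dropped

# Constructed announcements, annotated with the expected state
RIB = [
    ("192.0.2.0/24", 64496),     # exact match                  -> valid
    ("192.0.2.0/25", 64496),     # more specific than maxLength -> invalid
    ("198.51.100.0/23", 64497),  # within maxLength             -> valid
    ("198.51.100.0/22", 64500),  # wrong origin AS              -> invalid
    ("203.0.113.0/24", 64498),   # no ROA at all                -> not-found
]

if __name__ == "__main__":
    for prefix, asn in RIB:
        print(f"{prefix:18} AS{asn}: {validate(prefix, asn)}")
    kept, dropped = apply_drop_invalid(RIB)
    print(f"kept {len(kept)} routes, dropped {len(dropped)}")
```

Note that not-found routes are kept: a drop-invalid policy only removes announcements that contradict a registration, so unregistered space is unaffected.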

Comments off

An Automated System for Emulated Network Experimentation

Simon Knight presented our paper, An Automated System for Emulated Network Experimentation, at CoNEXT 2013 in Santa Barbara.

Emulated networks and systems, where router and server software are run in virtual environments, allow network operators and researchers to perform experiments at large scale more economically than in testbeds. Running real code provides a greater level of realism than simulation.

However, large scale comes with a problem: running real software means each test needs at least as much configuration as a real network. To recognise the true value of emulation at scale, we need to reduce the complexity of building, configuring, deploying, and measuring emulated networks.

We present a system to facilitate emulation by providing translation from a high-level network design into a concrete set of configurations that are automatically deployed into one of several emulation platforms. Our system can be used to construct multi-domain networks in minutes, and is scalable to networks with over a thousand devices. It is modular, allowing support for different protocols, topology designs, and target platforms: Quagga, JunOS, IOS, etc. Users, from both the research community and industry, have already demonstrated its value in research and education.

Comments off

Internet Week Talk – The Japanese Net Community – an Outside View

At the ISP level, Japan is the most cooperative and communicative culture in the world. For example, a research study of BGP routing policy found all countries except Japan had 60-90% of ASs having some default routing. Japan had 36%. We believe this is due to coordination between Japanese ISPs and cooperation in sharing of technique.

JaNOG is a significant forum and a factor in coordination. Note that JaNOG meetings are as big as, and sometimes bigger than, NANOG, the North American meeting.

I will never forget a JaNOG talk on hand tools, the tools we use when dealing with equipment in racks. Simple basic things such as powered screwdrivers, cable connectors, etc. This never happens outside of Japan, network operators in Europe and the United States are too self-important. Here, we share the techniques of our day-to-day lives. This attitude creates a harmony and consistency across the Japanese networking culture.

It is when we do not consult and coordinate openly that things go from amazingly good to varying shades of bad.

One example is the NTT NGN deployment, which was meant to encourage IPv6 deployment and to move the Internet forward technically. Unfortunately, though it was intended with very positive motives, it was done with insufficient technical consultation. It essentially made the *customer* IPv6 experience so bad, resulting in delays of one second, that Google, FaceBook, etc. have blacklisted Japan. This is unusually embarrassing as Japan was supposed to be a global leader in IPv6 deployment.

When it comes to coordination and cooperation above the engineering level, Japan is often a very negative point on the graph. When it comes to coordination with the government, it looks as if everything goes into a back room which accentuates all the disadvantages of the stereotyped Japanese isolation.

We have laws punishing Internet providers who host pornography which I am embarrassed to see as I walk down Book Street in Jimbocho. And it is right in front of children on the street. And it is right in front of me, and I am offended. At least on the Internet it can be avoided, since you have to hunt for it.

We now may put people in prison for downloading music. No other country in the world has such an extreme law. And who is being served by this? A back room deal between the media industry and the government with no public or Internet industry consultation.

The term “Internet Governance” is very dangerous. Our use of language constrains our thoughts. The Internet exploded and thrives because it is about cooperation and coordination, not hierarchy and control. And nowhere is this stronger than in the Japanese Internet technical community.

And we say that the Internet Wall of China is bad? We should look at ourselves first.

So there is the really good and the pretty bad. And of course it is not all black or white but has many colors in between. This leaves us with work to do. How do we create and maintain a more open dialog in the Japanese Internet culture?

Comments off

Debbie Presented “Towards a Framework for Evaluating BGP Security” at CSET’12

Debbie Perouli presented our first AutoNetKit / RPKI Emulation paper at CSET’12.

Olaf Maennel, Iain Phillips, Debbie Perouli, Randy Bush, Rob Austein, and Askar Jaboldinov, Towards a Framework for Evaluating BGP Security, CSET’12, 5th Workshop on Cyber Security Experimentation and Test.

From the abstract:

In this paper, our abstractions are specifically designed to evaluate the BGP security framework currently being documented by the IETF SIDR working group. We capture the relevant aspects of the SIDR security proposals, and allow experimenters to evaluate the technology in topologies of real router and server code. We believe such methods are also useful for teaching newcomers and operators, as it allows them to gain experience in a sand-box before deployment. It allows security experts to set up controlled experiments at various levels of complexity, and concentrate on discovering weaknesses, instead of having to spend time on tedious configuration tasks. Finally, it allows router vendors and implementers to test their code and to perform scalability evaluation.

Comments off

Anti-CGN Presentation

At the 6th Slovene IPv6 Summit, I did the lead preso to a panel with Mark Townsley and Dan Wing on translation vs. encapsulation where I managed a serious anti-CGN rant. See my presentation.

Comments off

Estimating CPU Cost of BGPsec on a Router

My presentation, with Kotikalapudi Sriram, given at Cisco NAG, of the first results from modeling the signing and validation processor costs of BGPsec.

My take-away:

  • You very well may be able to do initial deployment of path validation using current high end routers, and even some almost high end routers.
  • As we deploy, at least Cisco looks likely to be ahead of our CPU needs. The ISP W in my slides will have to move up if they intend to keep their current BGP peer density. But there will be something to which they can move.

Comments off

Do Not Complicate Routing Security with Voodoo Economics

[ http://archive.psg.com/110904.broadside.html ]

Do Not Complicate Routing Security with Voodoo Economics
a broadside

A recent NANOG presentation and SIGCOMM paper by Gill, Schapira, and Goldberg [1] drew a lot of ‘discussion’ from the floor. But that discussion missed significant problems with this work. I raise this because of fear that uncritical acceptance of this work will be used as the basis for others’ work, or worse, misguided public policy.
o The ISP economic and incentive model is overly naive to the point of being misleading,
o The security threat model is unrealistic and misguided, and
o The simulations are questionable.

Basic ISP economics are quite different from those described by the authors. Above the tail links to paying customers, the expenses of inter-provider traffic are often higher than the income, thanks to the telcos’ race to the bottom. In this counter-intuitive world, transit can often be cheaper than peering. I.e. history shows that in the rare cases where providers have been inclined to such games, they usually shed traffic, not stole it, the opposite of what the paper presumes. The paper also completely ignores the rise of the content providers as described so well in SIGCOMM 2010 by Labovitz et alia [2].

It is not clear how to ‘fix’ the economic model, especially as [3] says you can not do so with rigor. Once one starts, e.g. the paper may lack Tier-N peering richness which is believed to be at the edges, we have bought into the game for which there is no clear end.

But this is irrelevant; what will motivate deployment of BGP security is not provider traffic-shifting. BGP security is, as its name indicates, about security: preventing data stealing (think banking transactions [4]), keeping miscreants from originating address space of others (think YouTube incident) or as attack/spam sources, etc.

The largest obstacle to deployment of BGP security is that the technology being deployed, RPKI-based origin validation and later BGPsec, is based on an X.509 certificate hierarchy, the RPKI. This radically changes the current inter-ISP web of trust model to one having ISPs’ routing at the mercy of the Regional Internet Registries (RIRs). Will the benefits of security – no more YouTube incidents, etc. – be perceived as worth having one’s routing at the whim of a non-operational administrative monopoly? Perhaps this is the real economic game here, and will cause a change in the relationship between the operators and the RIR cartel.

The paper’s simulations really should be shown not to rely on the popular but highly problematic [3] Gao-Rexford model of inter-provider relationships, that providers prefer customers over peers (in fact, a number of global Tier-1 providers have preferred peers for decades), and that relationships are valley free, which also has significant exceptions. Yet these invalid assumptions may underpin the simulation results.

Randy Bush
Dubrovnik, 2011.9.4

[1] P. Gill, M. Schapira, and S. Goldberg, Let the Market Drive Deployment: A Strategy for Transitioning to BGP Security, SIGCOMM 2011, August 2011.
http://conferences.sigcomm.org/sigcomm/2011/papers/sigcomm/p14.pdf

[2] C. Labovitz, S. Iekel-Johnson, D. McPherson, J. Oberheide, and F. Jahanian, “Internet inter-domain traffic,” in SIGCOMM ’10: Proceedings of the ACM SIGCOMM 2010 conference on SIGCOMM, 2010.

[3] M. Roughan, W. Willinger, O. Maennel, D. Perouli, and R. Bush, 10 Lessons from 10 Years of Measuring and Modeling the Internet’s Autonomous Systems, IEEE Journal on Selected Areas in Communications, Vol. 29, No. 9, pp. 1-12, Oct. 2011.
https://archive.psg.com/111000.TenLessons.pdf

[4] A. Pilosov, T. Kapela, Stealing The Internet: An Internet-Scale Man In The Middle Attack, Defcon 16, August 2008.
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf

Comments off

Route Flap Damping Made Usable

Our PAM paper on RFD is out.

Cristel Pelsser, Olaf Maennel, Pradosh Mohapatra, Randy Bush, and Keyur Patel, Route Flap Damping Made Usable, in PAM 2011, March 2011.

Comments off

Presentation of A+P Alternative to CGN

Comments (1)

The Message from APNIC 26 – Buy IPv4/IPv4 NATs Now

APNIC 26 attempted to focus on IPv6. It was a major disaster from Layer 2 to Layer 9. The network failed both at Layer 2 in the 802.11 and, for the few who managed to connect for a few minutes, applications at Layer 7 which should have worked did not. And, despite demonstrating on Tuesday that the IPv6 network did not work, APNIC staff persisted in turning the IPv4 network off on Wednesday. And they were proud of it. All in all, it was an impressive demonstration of non-professionalism and operational lack of clue.

And the panel held Tuesday morning was a complete train wreck. People walked away saying they were going home and telling folk that their companies should wait some years for IPv6 and consider just NATting IPv4.

APNIC has set a high bar that future IPv6 train wrecks will find hard to beat.

Comments off
