Archive for Routers & Routing

Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering

Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch; Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering; Applied Networking Research Workshop; Montréal July 2018

A proposal to improve routing security—Route Origin Authorization (ROA)—has been standardized. A ROA specifies which network is allowed to announce a set of Internet destinations. While some networks now specify ROAs, little is known about whether other networks check routes they receive against these ROAs, a process known as Route Origin Validation (ROV). Which networks blindly accept invalid routes? Which reject them outright? Which de-preference them if alternatives exist?

Recent analysis attempts to use uncontrolled experiments to characterize ROV adoption by comparing valid routes and invalid routes. However, we argue that gaining a solid understanding of ROV adoption is impossible using currently available data sets and techniques. Instead, we devise a verifiable methodology of controlled experiments for measuring ROV. Our measurements suggest that, although some ISPs are not observed using invalid routes in uncontrolled experiments, they are actually using different routes for (non-security) traffic engineering purposes, without performing ROV. We conclude by presenting three ASes that do implement ROV, as confirmed by their operators.


Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering

Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch; Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering; CCR July 2018



The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 1

        RFC 8210

        Title:      The Resource Public Key Infrastructure 
                    (RPKI) to Router Protocol, Version 1 
        Author:     R. Bush, 
                    R. Austein
        Status:     Standards Track
        Stream:     IETF
        Date:       September 2017
        Mailbox:    randy@psg.com, 
                    sra@hactrn.net
        Pages:      35
        Characters: 78467
        Updates:    RFC 6810

        I-D Tag:    draft-ietf-sidr-rpki-rtr-rfc6810-bis-09.txt

        URL:        https://www.rfc-editor.org/info/rfc8210

        DOI:        10.17487/RFC8210

In order to verifiably validate the origin Autonomous Systems and Autonomous System Paths of BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RFC 6480) prefix origin data and router keys from a trusted cache.  This document describes a protocol to deliver them.


BGPsec Operational Considerations

        BCP 211        
        RFC 8207

        Title:      BGPsec Operational Considerations 
        Author:     R. Bush
        Status:     Best Current Practice
        Stream:     IETF
        Date:       September 2017
        Mailbox:    randy@psg.com
        Pages:      10
        Characters: 21086
        See Also:   BCP 211

        I-D Tag:    draft-ietf-sidr-bgpsec-ops-16.txt

        URL:        https://www.rfc-editor.org/info/rfc8207

        DOI:        10.17487/RFC8207

Deployment of the BGPsec architecture and protocols has many operational considerations. This document attempts to collect and present the most critical and universal. Operational practices are expected to evolve as BGPsec is formalized and initially deployed.


RFC 8097 BGP Prefix Origin Validation State Extended Community

        RFC 8097

        Title:      BGP Prefix Origin Validation State 
                    Extended Community 
        Author:     P. Mohapatra, 
                    K. Patel,
                    J. Scudder, 
                    D. Ward,
                    R. Bush
        Status:     Standards Track
        Stream:     IETF
        Date:       March 2017
        Mailbox:    mpradosh@yahoo.com, 
                    keyur@arrcus.com, 
                    jgs@juniper.net,  
                    dward@cisco.com, 
                    randy@psg.com
        Pages:      6
        Characters: 12287
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-sidr-origin-validation-signaling-11.txt

        URL:        https://www.rfc-editor.org/info/rfc8097

        DOI:        10.17487/RFC8097

This document defines a new BGP opaque extended community to carry the origination Autonomous System (AS) validation state inside an autonomous system. Internal BGP (IBGP) speakers that receive this validation state can configure local policies that allow it to influence their decision process.


What do parrots and BGP routers have in common?

What do parrots and BGP routers have in common?
David Hauweele, Bruno Quoitin, Cristel Pelsser, Randy Bush
Computer Communication Review, July 2016
[ CCR’s first all-online-only issue ]

The Border Gateway Protocol propagates routing information across the Internet in an incremental manner. It only advertises to its peers changes in routing. However, as early as 1998, observations have been made of BGP announcing the same route multiple times, causing router CPU load, memory usage and convergence time higher than expected.

In this paper, by performing controlled experiments, we pinpoint multiple causes of duplicates, ranging from the lack of full RIB-Outs to the discrete processing of update messages. To mitigate these duplicates, we insert a cache at the output of the routers. We test it on public BGP traces and discuss the relation of the cache performance with the existence of bursts of updates in the trace.


The Origin of BGP Duplicates

The Origin of BGP Duplicates
D. Hauweele, B. Quoitin, C. Pelsser, R. Bush
CoRes 2016

The Border Gateway Protocol propagates routing information across the Internet in an incremental manner. It only advertises to its peers changes in routing. However, as early as 1998, observations have been made of BGP announcing the same route multiple times, causing router CPU load, memory usage and convergence time higher than expected. In this paper, by performing controlled experiments, we pinpoint multiple causes of duplicates, ranging from the lack of full RIB-Outs to the discrete processing of update messages.


RFC 7607 Codification of AS 0 Processing

Codification of AS 0 Processing
W. Kumari, R. Bush, H. Schiller, K. Patel. August 2015

This document updates RFC 4271 and proscribes the use of Autonomous System (AS) 0 in the Border Gateway Protocol (BGP) OPEN, AS_PATH, AS4_PATH, AGGREGATOR, and AS4_AGGREGATOR attributes in the BGP UPDATE message.


Measuring BGP Route Origin Registration and Validation

Daniele Iamartino, Cristel Pelsser, Randy Bush. Measuring BGP Route Origin Registration and Validation, PAM 2015.

BGP, the de-facto inter-domain routing protocol, was designed without considering security. Recently, network operators have experienced hijacks of their network prefixes, often due to BGP misconfiguration by other operators, sometimes maliciously. In order to address this, prefix origin validation, based on an RPKI infrastructure, was proposed and developed. Today, many organizations are registering their data in the RPKI to protect their prefixes from accidental mis-origination. However, some organizations submit incorrect information to the RPKI repositories or announce prefixes that do not exactly match what they registered. Also, the RPKI repositories of Internet registries are not operationally reliable. The aim of this work is to reveal these problems via measurement. We show how important they are, try to understand the main causes of errors, and explore possible solutions. In this longitudinal study, we see the impact that a policy which discards route announcements with invalid origins would have on the routing table, and to a lesser extent on the traffic at the edge of a large research network.


Enforcing RPKI-Based Routing Policy on the Data Plane at an Internet Exchange

Josh Bailey, Dean Pemberton, Andy Linton, Cristel Pelsser, Randy Bush. Enforcing RPKI-Based Routing Policy on the Data Plane at an Internet Exchange. Poster at HotSDN 2014.

Over a decade of work has gone into securing the BGP routing control plane. Through all this, there has been an oft-repeated refrain: "It is acknowledged that rigorous control plane verification does not in any way guarantee that packets follow the control plane." We describe what may be the first deployment of data plane enforcement of RPKI-based control plane validation. OpenFlow switches providing an exchange fabric and controlled by a Quagga BGP route server drop traffic for prefixes which have invalid origins, without requiring any RPKI support by connected BGP peers.

