IRR Hygiene in the RPKI Era

  • Conference paper
Passive and Active Measurement (PAM 2022)

Abstract

The Internet Route Registry (IRR) and Resource Public Key Infrastructure (RPKI) both emerged as different solutions to improve routing security in the Border Gateway Protocol (BGP) by allowing networks to register information and develop route filters based on information other networks have registered. RPKI is a crypto system, with associated complexity and policy challenges; it has seen substantial but slowing adoption. IRR databases often contain inaccurate records due to lack of validation standards. Given the widespread use of IRR for routing security purposes, this inaccuracy merits further study. We study IRR accuracy by quantifying the consistency between IRR and RPKI records, analyze the causes of inconsistency, and examine which ASes are contributing correct IRR information. In October 2021, we found ROAs for around 20% of RADB IRR records, and a consistency of 38% and 60% in v4 and v6. For RIPE IRR, we found ROAs for 47% of records and a consistency of 73% and 82% in v4 and v6. For APNIC IRR, we found ROAs for 76% of records and a high consistency of 98% and 99% in v4 and v6. For AFRINIC IRR, we found ROAs for only 4% of records and a consistency of 93% and 97% in v4 and v6.
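The kind of IRR-versus-RPKI comparison the abstract reports can be sketched as follows. This is an added example, not code from the paper or its authors. It assumes RFC 6811-style matching (a covering ROA, the same origin AS, and a prefix length within maxLength) and assumes consistency is computed over the records that have a covering ROA; the page does not state the paper's exact definitions. The records are constructed from documentation prefixes and ASNs.

```python
import ipaddress

# Constructed sample data (documentation prefixes/ASNs), not from the paper.
ROAS = [  # (prefix, maxLength, origin ASN)
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]
IRR_ROUTES = [  # (route or route6 prefix, origin ASN)
    ("192.0.2.0/24", 64500),     # same prefix and origin as a ROA
    ("192.0.2.128/25", 64500),   # right origin, longer than maxLength
    ("198.51.100.0/24", 64510),  # covered, but a different origin AS
    ("203.0.113.0/24", 64502),   # no covering ROA at all
    ("2001:db8:1::/48", 64500),  # more specific, still within maxLength
]

def classify(prefix, origin, roas):
    """Label one IRR route object against the ROA set (assumed semantics)."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # Compare only within one address family; subnet_of() rejects mixes.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "not_in_rpki"
    if any(asn == origin and net.prefixlen <= ml for ml, asn in covering):
        return "consistent"
    if any(asn == origin for _, asn in covering):
        return "inconsistent_max_length"
    return "inconsistent_asn"

def summarize(routes, roas, version):
    """Return (share of records with a ROA, share of those consistent)."""
    labels = [classify(p, o, roas) for p, o in routes
              if ipaddress.ip_network(p).version == version]
    covered = [label for label in labels if label != "not_in_rpki"]
    coverage = len(covered) / len(labels) if labels else 0.0
    consistency = covered.count("consistent") / len(covered) if covered else 0.0
    return coverage, consistency

if __name__ == "__main__":
    for version in (4, 6):
        print(f"v{version}", summarize(IRR_ROUTES, ROAS, version))
```

Separating "no covering ROA" from the two inconsistent labels keeps coverage and consistency as independent numbers, which is how the abstract reports them per registry.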



Acknowledgment

This material is based on research sponsored by the National Science Foundation (NSF) grants CNS-1901517, OAC-2131987, CNS-2120399, and OAC-1724853. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of NSF. We appreciate network operators who gave us valuable insight. We also thank our shepherd for the helpful feedback.


Correspondence to Ben Du.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Du, B. et al. (2022). IRR Hygiene in the RPKI Era. In: Hohlfeld, O., Moura, G., Pelsser, C. (eds) Passive and Active Measurement. PAM 2022. Lecture Notes in Computer Science, vol 13210. Springer, Cham. https://doi.org/10.1007/978-3-030-98785-5_14


  • DOI: https://doi.org/10.1007/978-3-030-98785-5_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-98784-8

  • Online ISBN: 978-3-030-98785-5

  • eBook Packages: Computer Science, Computer Science (R0)
