DOI: 10.1007/978-3-030-98785-5_14
Article

IRR Hygiene in the RPKI Era

Published: 28 March 2022

Abstract

The Internet Route Registry (IRR) and Resource Public Key Infrastructure (RPKI) both emerged as different solutions to improve routing security in the Border Gateway Protocol (BGP) by allowing networks to register information and develop route filters based on information other networks have registered. RPKI is a crypto system, with associated complexity and policy challenges; it has seen substantial but slowing adoption. IRR databases often contain inaccurate records due to lack of validation standards. Given the widespread use of IRR for routing security purposes, this inaccuracy merits further study. We study IRR accuracy by quantifying the consistency between IRR and RPKI records, analyze the causes of inconsistency, and examine which ASes are contributing correct IRR information. In October 2021, we found ROAs for around 20% of RADB IRR records, and a consistency of 38% and 60% in v4 and v6. For RIPE IRR, we found ROAs for 47% of records and a consistency of 73% and 82% in v4 and v6. For APNIC IRR, we found ROAs for 76% of records and a high consistency of 98% and 99% in v4 and v6. For AFRINIC IRR, we found ROAs for only 4% of records and a consistency of 93% and 97% in v4 and v6.
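The kind of IRR-versus-RPKI comparison the abstract describes can be sketched as follows. This is an added example, not code from the paper: it assumes RFC 6811-style origin validation as the consistency rule and measures consistency only among records that have a covering ROA, and all prefixes and ASNs are constructed from documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation prefixes and ASNs), not real registry records.
ROAS = [  # (prefix, maxLength, origin ASN)
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]
IRR_ROUTES = [  # (route/route6 prefix, origin ASN) as in RPSL route objects
    ("192.0.2.0/24", 64496),        # matching ROA
    ("198.51.100.0/24", 64499),     # ROA names a different origin
    ("198.51.100.128/25", 64497),   # more specific than maxLength allows
    ("203.0.113.0/24", 64500),      # no covering ROA
    ("2001:db8:1::/48", 64496),     # within maxLength, same origin
    ("2001:db8:2::/56", 64496),     # longer than maxLength
]

def classify(route, origin, roas):
    """Return 'no-roa', 'consistent' or 'inconsistent' for one IRR route object."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if origin == roa_asn and net.prefixlen <= max_len:
            return "consistent"
    return "inconsistent" if covered else "no-roa"

def summarize(routes, roas):
    """Per address family: records with a covering ROA, and consistency among those."""
    out = {}
    for fam in (4, 6):
        fam_routes = [r for r in routes if ipaddress.ip_network(r[0]).version == fam]
        counts = Counter(classify(p, a, roas) for p, a in fam_routes)
        with_roa = counts["consistent"] + counts["inconsistent"]
        out[fam] = {
            "records": len(fam_routes),
            "with_roa": with_roa,
            "consistent": counts["consistent"],
            "consistency": counts["consistent"] / with_roa if with_roa else None,
        }
    return out

if __name__ == "__main__":
    for fam, stats in summarize(IRR_ROUTES, ROAS).items():
        print(f"IPv{fam}: {stats}")
```

Records classified `inconsistent` are the ones worth triaging first when building route filters from IRR data, since a ROA holder has made a conflicting cryptographic statement about the same address space.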


Cited By

  • (2024) RPSLyzer: Characterization and Verification of Policies in Internet Routing Registries. Proceedings of the 2024 ACM on Internet Measurement Conference, pp. 365–374. DOI: 10.1145/3646547.3689018. Online publication date: 4-Nov-2024


Published In

Passive and Active Measurement: 23rd International Conference, PAM 2022, Virtual Event, March 28–30, 2022, Proceedings
Mar 2022
690 pages
ISBN:978-3-030-98784-8
DOI:10.1007/978-3-030-98785-5

Publisher

Springer-Verlag

Berlin, Heidelberg
