Tracing RPKI Invalid Propagation with Internet Yellow Pages & Scamper

Introduction

In this project we use Internet Yellow Pages and Scamper to traceroute hosts in RPKI invalid prefixes.

• 1.05% of routed IPv4 prefixes are RPKI Invalid 1
• 22.3% of Autonomous Systems are fully protected from invalid announcements 2
• Route Origin Validation - reject RPKI invalid announcements (actual routing decisions differ)
• RPKI invalid prefixes have lower visibility 3

Research Questions

RQ1: Verify if RPKI Invalid prefixes have more hops, higher RTT
RQ2: Do ASes in RoVista dataset drop all invalids?

Methodology

• Find RPKI Invalid prefixes on BGP (Internet Yellow Pages)
• Find active hosts in the prefix (Internet Yellow Pages)
• Perform traceroutes from multiple vantage points (Scamper)
  • Intermediate IPs
  • RTT
  • Hops

Control : Perform RTT measurement for RPKI valid prefixes originated from same AS

Results

• Percentage of Traceroutes reaching the destination
  • RPKI Invalid - 25.7%
  • RPKI Valid - 50.2%
• 70.6% RPKI invalids have higher number of intermediate hops
• 72.5% RPKI invalids have higher RTT

The traceroutes to Cloudflare had the following results:

• RPKI Invalid
  • Percentage of traceroutes reaching destination - 0.67%
  • Mean RTT - 27.5 ms
• RPKI Valid
  • Percentage of traceroutes reaching destination - 99.26%
  • Mean RTT - 8 ms

Testing ROVISTA

Note that traceroute to an RPKI invalid prefix can still reach the destination when intermediate ASes drop the invalid announcement. They can do so when the intermediate routers have the path to a less specific prefix which is RPKI Valid or NotFound.

To remove this artifact from the results we discard all RPKI Invalid prefixes with a covering prefix which is RPKI Valid or NotFound. Now we perform traceroutes to the remaining RPKI Invalid prefixes. If the traceroute reaches the destination, it means that none of the ASes in the path are dropping the invalid announcement.

We use RoVista dataset2 to check if an ASN is safe from RPKI invalids.

Observation: We can still traceroute successfully to 103.21.244.12 from UCSD and the traffic goes through CENIC(AS2152) and Cloudflare(AS13335) which are both partially protected from RPKI Invalids according to RoVista.

Cloudflare:

• RoVista : ROV Filtering Ratio - upto 100%
• They own the prefix, they originate it!
• So, perhasp they are using the IP for testing? Perhaps they are using this IP to run isbgpsafeyet.com service? (we got a confirmation that Cloudflare uses this IP for their tests on isbgpsafeyet.com)

CENIC:

• RoVista : ROV Filtering Ratio - 66%
• Our observation : Not dropping invalids

CENIC has Level3 as the upstream and since Level3 is dropping invalids, CENIC is partially protected from invalids. But they also have a peering relationship with Cloudflare and they do not drop invalids coming from Cloudflare. Thus, the traceroute to Cloudflare’s IP is successful. We cal also infer that UCSD has CENIC as the only upstream provider and they do not drop any invalids coming from CENIC.

Conclusion

We can use Internet Yellow Pages and Scamper to measure the visibility of RPKI Invalid prefixes and infer the ROV filtering behavior of ASes.

Appendix

Code Snippet to perform traceroutes

def get_traces(dest_ips, val_flag=False):
    for dest_ip in dest_ips:
        ctrl.do_trace(
            dest_ip,
            method="udp-paris",
            inst=ctrl.instances(),
            attempts=1,
            squeries=5,
            wait_timeout=timedelta(seconds=2),
        )

    trace_list = []
    for o in tqdm(ctrl.responses(timeout=timedelta(seconds=30))):
        trace_list.append(o)
    return trace_list

from scamper import ScamperCtrl

mux = "/run/ark/mux"

ctrl = ScamperCtrl(mux=mux)

vp_list = ctrl.vps()
_ = ctrl.add_vps(vp_list)