Tracing RPKI Invalid Propagation with Internet Yellow Pages & Scamper

Introduction

Prior research has shown that RPKI invalid prefixes have lower visibility [3] on the Internet. More than 50% of routed IPv4 and IPv6 prefixes are covered by RPKI Route Origin Authorization objects (ROAs) which protects them from a subset of BGP hijacks. Majority of the large networks validate BGP announcements using these ROA objects and drop RPKI invalid prefixes (22.3% of Autonomous Systems are fully protected from invalid announcements [2]). Although, the propagation of RPKI invalid prefixes hash degraded significantly, we still see 1.05% of routed IPv4 prefixes which are RPKI Invalid [1].

Hence, in this project we perform traceroutes to active hosts in these RPKI invalid prefixes to analyze their reachability and RTT. We use Internet Yellow Pages and Scamper in this study.

Performing traceroutes to the RPKI Invalid prefixes from a single vantage point would likely fail due to intermediate ASes dropping these invalid announcements. Thus, we use the Ark platform to perform traceroutes from multiple vantage points. Autonomous Systems performing Route Origin Validation (ROV) should ideally reject RPKI invalid announcements, but the actual routing decisions differ. In this exercise we discover that certain ASes do not drop all RPKI invalids.

Research Questions

RQ1: Verify if RPKI Invalid prefixes have more hops, higher RTT
RQ2: Do ASes in RoVista dataset drop all invalids?

Methodology

• Find RPKI Invalid prefixes on BGP (Internet Yellow Pages)
• Find active hosts in the prefix (Internet Yellow Pages)
• Perform traceroutes from multiple vantage points (Scamper)
  • Intermediate IPs
  • RTT
  • Hops

Control : Perform RTT measurement for RPKI valid prefixes originated from same AS

Results

• Percentage of Traceroutes reaching the destination
  • RPKI Invalid - 25.7%
  • RPKI Valid - 50.2%
• 70.6% RPKI invalids have higher number of intermediate hops
• 72.5% RPKI invalids have higher RTT

The traceroutes to Cloudflare had the following results:

• RPKI Invalid
  • Percentage of traceroutes reaching destination - 0.67%
  • Mean RTT - 27.5 ms
• RPKI Valid
  • Percentage of traceroutes reaching destination - 99.26%
  • Mean RTT - 8 ms

Testing ROVISTA

Note that traceroute to an RPKI invalid prefix can still reach the destination when intermediate ASes drop the invalid announcement. They can do so when the intermediate routers have the path to a less specific prefix which is RPKI Valid or NotFound.

To remove this artifact from the results we discard all RPKI Invalid prefixes with a covering prefix which is RPKI Valid or NotFound. Now we perform traceroutes to the remaining RPKI Invalid prefixes. If the traceroute reaches the destination, it means that none of the ASes in the path are dropping the invalid announcement.

We use RoVista dataset2 to check if an ASN is safe from RPKI invalids.

Observation: We can still traceroute successfully to 103.21.244.12 from UCSD and the traffic goes through CENIC(AS2152) and Cloudflare(AS13335) which are both partially protected from RPKI Invalids according to RoVista.

Cloudflare:

• RoVista : ROV Filtering Ratio - upto 100%
• They own the prefix, they originate it!
• So, perhasp they are using the IP for testing? Perhaps they are using this IP to run isbgpsafeyet.com service? (we got a confirmation that Cloudflare uses this IP for their tests on isbgpsafeyet.com)

CENIC:

• RoVista : ROV Filtering Ratio - 66%
• Our observation : Not dropping invalids

CENIC has Level3 as the upstream and since Level3 is dropping invalids, CENIC is partially protected from invalids. But they also have a peering relationship with Cloudflare and they do not drop invalids coming from Cloudflare. Thus, the traceroute to Cloudflare’s IP is successful. We cal also infer that UCSD has CENIC as the only upstream provider and they do not drop any invalids coming from CENIC.

Conclusion

We can use Internet Yellow Pages and Scamper to measure the visibility of RPKI Invalid prefixes and infer the ROV filtering behavior of ASes.

Appendix

Code Snippet to perform traceroutes

def get_traces(dest_ips, val_flag=False):
    for dest_ip in dest_ips:
        ctrl.do_trace(
            dest_ip,
            method="udp-paris",
            inst=ctrl.instances(),
            attempts=1,
            squeries=5,
            wait_timeout=timedelta(seconds=2),
        )

    trace_list = []
    for o in tqdm(ctrl.responses(timeout=timedelta(seconds=30))):
        trace_list.append(o)
    return trace_list

from scamper import ScamperCtrl

mux = "/run/ark/mux"

ctrl = ScamperCtrl(mux=mux)

vp_list = ctrl.vps()
_ = ctrl.add_vps(vp_list)