Towards cleaning up RPKI INVALIDs

Figure 1: An example of a ROA

Motivation

  • What does the distribution of INVALIDs look like across RIRs?
  • Which ROAs cause most INVALIDs?
  • Which IP holder could eliminate many INVALIDs by modifying just a few ROAs?
  • How many entities would we have to contact to solve all INVALIDs causing unreachable prefixes?

INVALIDs we do NOT care about

VALID/unknown Less-specific available

Figure 2: Less-specific covers for more-specific

VALID Equally-specific available

Figure 3: Equally-specific prefix-origin pair is available

Multiple VALID more-specifics available

Figure 4: Multiple more-specifics cover an INVALID less-specific (100% overlap)
Figure 5: Example of a partially (50%) reachable prefix
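As an added illustration (not code from the post), here is a small Python model of the cases in Figures 2 to 5: it validates prefix-origin pairs against ROAs per RFC 6811, splits INVALIDs into the INVALID_ASN and INVALID_LENGTH reasons used in the tables below (the exact labelling rule is an assumption), and estimates how much of an INVALID prefix stays reachable once INVALIDs are dropped. The ROAs, announcements and the function names `validate`, `reachable_fraction` and `unreachable_by_reason` are constructed for this example.

```python
from collections import Counter
from ipaddress import ip_network, collapse_addresses

# Constructed sample data, not from the post: ROAs (prefix, maxLength, origin ASN)
# and BGP announcements (prefix, origin ASN).
ROAS = [("192.0.2.0/24", 24, 64500),
        ("198.51.100.0/22", 24, 64501),   # maxLength 24 allows /22 to /24 for AS64501
        ("203.0.113.0/24", 24, 64502)]

ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64510),     # INVALID_ASN with no cover at all: unreachable under ROV
    ("198.51.100.0/22", 64509),  # INVALID_ASN, half covered by VALID more-specifics
    ("198.51.100.0/23", 64501),  # VALID
    ("198.51.100.0/24", 64501),  # VALID, overlaps the /23 (must not be counted twice)
    ("203.0.113.0/25", 64502),   # INVALID_LENGTH (/25 exceeds maxLength 24)
    ("203.0.113.0/24", 64502)]   # VALID less-specific that keeps the /25 reachable

def validate(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation. INVALID_LENGTH: a ROA for this origin covers the prefix
    but its maxLength is too short; INVALID_ASN: covering ROAs exist, none for this origin."""
    net = ip_network(prefix)
    covering = [(ml, asn) for p, ml, asn in roas
                if ip_network(p).version == net.version and net.subnet_of(ip_network(p))]
    if not covering:
        return "unknown"
    if any(asn == origin and net.prefixlen <= ml for ml, asn in covering):
        return "VALID"
    return "INVALID_LENGTH" if any(asn == origin for _, asn in covering) else "INVALID_ASN"

def reachable_fraction(prefix, origin, announcements=ANNOUNCEMENTS, roas=ROAS):
    """Share of a prefix still reachable once INVALIDs are dropped: 1.0 if a non-INVALID less-
    or equally-specific cover exists (Figures 2, 3), else the share under VALID more-specifics
    with overlaps collapsed (Figures 4, 5)."""
    net, more_specifics = ip_network(prefix), []
    for p, asn in announcements:
        other, state = ip_network(p), validate(p, asn, roas)
        if (p, asn) == (prefix, origin) or other.version != net.version \
                or state.startswith("INVALID"):
            continue  # the pair itself, another address family, or dropped by ROV too
        if net.subnet_of(other):
            return 1.0
        if state == "VALID" and other.subnet_of(net):
            more_specifics.append(other)
    covered = sum(n.num_addresses for n in collapse_addresses(more_specifics))
    return covered / net.num_addresses

def unreachable_by_reason(announcements=ANNOUNCEMENTS, roas=ROAS):
    """The post's break down by reason, counting only INVALIDs that lose reachability."""
    return Counter(validate(p, asn, roas) for p, asn in announcements
                   if validate(p, asn, roas).startswith("INVALID")
                   and reachable_fraction(p, asn, announcements, roas) < 1.0)
```

With the sample data the /22 comes out 50% reachable (the Figure 5 case) and the /25 fully reachable (Figure 2), so only two INVALID_ASN pairs remain worth contacting anyone about.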

Distribution of INVALIDs by RIR

Break Down by Reason

Affected Prefix-Origin Pairs  Reason
1338 INVALID_ASN
1077 INVALID_LENGTH

Break Down by RIR and Reason

693 LACNIC INVALID_ASN
509 LACNIC INVALID_LENGTH
404 RIPE INVALID_ASN
334 APNIC INVALID_LENGTH
203 RIPE INVALID_LENGTH
193 APNIC INVALID_ASN
47 ARIN INVALID_ASN
31 ARIN INVALID_LENGTH
1 AfriNIC INVALID_ASN

Break Down by Announcing AS (top 10)

180 AS14080
128 AS23650
111 AS52308
79 AS22080
64 AS35104
59 AS43554
52 AS52228
51 AS10299
46 AS264797
38 AS45774

Which ROAs cause most INVALIDs?

Columns, left to right:

  • number of affected prefix-origin pairs
  • RIR
  • ASN as seen in ROA
  • prefix as seen in ROA
  • maxLength as seen in ROA

91 LACNIC AS60458 181.214.0.0/15 24
78 LACNIC AS37692 191.96.0.0/16 24
62 LACNIC AS61440 191.101.0.0/16 24
59 APNIC AS23650 61.160.0.0/16 16
54 RIPE AS43554 5.105.0.0/16 16
52 LACNIC AS52228 152.231.128.0/17 17
41 APNIC AS4809 115.168.0.0/14 14
39 APNIC AS23650 61.155.0.0/16 16
37 LACNIC AS22080 200.112.128.0/19 19
35 APNIC AS23650 61.147.0.0/16 16
32 RIPE AS43343 78.158.160.0/19 19
30 LACNIC AS52308 190.108.32.0/19 19
30 LACNIC AS52308 181.114.192.0/19 19
30 LACNIC AS33182 179.61.128.0/17 24
30 APNIC AS45774 49.213.32.0/19 19
29 LACNIC AS22080 200.112.160.0/19 19
29 LACNIC AS10986 190.114.96.0/19 22
27 LACNIC AS52308 181.174.128.0/19 19
23 LACNIC AS10620 190.147.0.0/16 24
21 LACNIC AS7195 200.25.0.0/17 17

Notifying affected IP Holders

An approximation of how many members each RIR would have to contact to fix INVALIDs.

So here are a few questions for RIRs:

  • Are you currently monitoring the number of INVALID prefixes that result in actually unreachable IP space (in an ROV environment) in your region?
  • Would you be open to reaching out to your affected members to inform them about their affected IP prefixes? (as has been suggested by Job Snijders before)
  • If that is not on your roadmap: would you mind if others reached out to your affected members (in an automated way, with a single email per entity)?

Future Steps

  • auto-generate results on a regular interval
  • add analysis based on IP space size (not just prefix-origin pair counts) — update (2018–09–25): done
  • reach out to NIST to suggest adding graphs about unreachable prefixes to their RPKI monitor

Acknowledgements and Disclaimers

  • We used RIPE NCC’s RPKI validator 3.0–313 software with ARIN’s TAL enabled.
  • Don’t take the numbers too seriously: we made a few assumptions (the RPKI validator 3 API documentation could be improved) and there might be some corner cases we didn’t take care of, but the results are sufficiently similar to other people’s results (Markus Weber from KPN is generating https://as286.net/data/ana-invalids.txt, although there seems to be a disagreement on the prefix shown in Figure 4). Update (2018–09–18): I’ve been in contact with Markus and he agrees with Figure 4 and plans to update his list accordingly.

Data

nusenu: Tor, Routing Security and DNS Privacy related Topics. https://nusenu.github.io
