RPKI is Coming of Age:
A Longitudinal Study of RPKI Deployment and Invalid Route Origins

Taejoong Chung§, Emile Aben, Tim Bruijnzeels, Balakrishnan Chandrasekaran-,
David Choffnes*, Dave Levin+, Bruce Maggs°, Alan Mislove*,
Roland van Rijswijk-Deij‡±, John Rula, Nick Sullivan

§RIT, RIPE NCC, NLNetLabs, ±University of Twente, -Max Planck Institute for Informatics, *Northeastern University,
+University of Maryland, °Duke University, Akamai Technologies, Cloudflare

Paper Overview

Despite its critical role in Internet connectivity, BGP remains highly vulnerable to attacks such as prefix hijacking, where an Autonomous System (AS) announces routes for IP space it does not control. To address this issue, the Resource Public Key Infrastructure (RPKI) was developed starting in 2008, resulting in deployment in 2011. This paper performs the first comprehensive, longitudinal study of the deployment and quality of RPKI. We use a unique dataset containing all RPKI Route Origin Authorizations (ROAs) from the moment RPKI was first deployed, more than 8 years ago. We combine this dataset with BGP announcements from more than 3,300 BGP collectors worldwide. Our analysis shows that, after a gradual start, RPKI has seen a rapid increase in adoption over the past two years. We also show that although misconfigurations were rampant when RPKI was first deployed (causing many announcements to appear as RPKI invalid), they are quite rare today. We develop a taxonomy of invalid RPKI announcements, then quantify their prevalence. We further identify suspicious announcements indicative of prefix hijacking and present case studies of likely hijacks. Overall, we conclude that while misconfigurations do occur, RPKI is “ready for the big screen,” and routing security can be increased by dropping invalid announcements.

This paper will be published at IMC 2019 (Internet Measurement Conference).

Datasets, Tools, and Source Code

To foster reproducibility and stimulate further research into the RPKI ecosystem, we publicly release the following:

  1. Historical RPKI Objects
  2. RPKI snapshot tool, Ziggy (a.k.a. RPKI Wayback Machine)
  3. BGP Updates (a link to external sources: RouteViews and RIPE-RIS)
  4. Analysis source code

RPKI is a public key infrastructure designed as an out-of-band system to help prevent BGP address prefix (and sub-prefix) hijacking attacks. Briefly, RPKI employs cryptographic signatures to limit the set of entities that may originate a given IP prefix. There are multiple types of supporting objects in the core RPKI system; the two we use in this paper are:

  1. CA certificate: an object that binds a set of Internet Number Resources (INRs), such as Autonomous System Numbers (ASNs) and IP prefixes, to a public key.
  2. Route Origin Authorization (ROA): an object that authorizes an AS to originate certain IP prefixes (up to a maximum prefix length) and is signed under a CA certificate.

Each of the five RIRs maintains an rsync repository with RPKI data that relying parties can query in order to perform RPKI validation. The RIPE NCC has maintained a daily archive of the repositories for all five RIRs since the beginning of 2011. We (Emile Aben, RIPE NCC) make this data available for analysis. You can download the entire RPKI dataset here.
Together with the historical RPKI objects, we (Roland van Rijswijk-Deij and Tim Bruijnzeels, University of Twente and NLNetLabs) provide an RPKI wayback machine, Ziggy, which reconstructs a snapshot of the RPKI repository at a given point in time and validates the RPKI objects in that snapshot using Routinator. A detailed description is also available here. Using this tool, you can also regenerate the following animation, which shows the RPKI deployment rate (for IPv4 address space) per country.
In order to understand how ROAs affect routing table construction, we need BGP announcements as well. For this study, we used three datasets:
  1. RouteViews: RouteViews.org, which is publicly available.
  2. RIPE-RIS: Ripe.net, which is publicly available.
  3. Akamai: This was provided under agreement with Akamai; we are not permitted to release this data.
Due to the large size of the datasets, we used Apache Spark to analyze the BGP data, joining each announcement to the RPKI objects covering it. The source code is available here.
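The core of the linkage described above is Route Origin Validation (RFC 6811): each BGP announcement (prefix, origin AS) is compared with the set of ROAs that cover it and labelled valid, invalid or not-found. The Python example below is added here to make that step concrete; it is not code from the paper or from the released Spark analysis, and the ROAs and announcements it uses are constructed from documentation prefixes and private ASNs, not real data. The split of invalids into "too_specific" (a ROA for the origin AS exists, but the announcement exceeds its maxLength) and "unauthorized_origin" (no covering ROA names the origin AS at all) is this example's own labelling, not the paper's taxonomy.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, authorized origin AS and maxLength."""
    prefix: str
    asn: int
    max_length: Optional[int] = None  # None means maxLength equals the prefix length

    def network(self):
        return ip_network(self.prefix, strict=False)

    def effective_max_length(self) -> int:
        return self.network().prefixlen if self.max_length is None else self.max_length


def validate_origin(prefix: str, origin_asn: int, roas):
    """RFC 6811 origin validation of one (prefix, origin AS) announcement.

    Returns (state, reason). state is "valid", "invalid" or "not_found".
    reason is set only for "invalid" and is this example's own labelling:
    "too_specific" or "unauthorized_origin".
    """
    route = ip_network(prefix, strict=False)

    # A ROA *covers* the route when both are in the same address family and the
    # announced prefix lies within (or equals) the ROA prefix.
    covering = [
        roa for roa in roas
        if roa.network().version == route.version
        and route.prefixlen >= roa.network().prefixlen
        and route.network_address in roa.network()
    ]
    if not covering:
        return ("not_found", None)

    # A covering ROA *matches* when the origin AS agrees and the announced
    # prefix is no longer than maxLength. An AS 0 ROA covers but never matches:
    # no legitimate announcement carries origin AS 0, so it forbids the prefix.
    for roa in covering:
        if (roa.asn == origin_asn and roa.asn != 0
                and route.prefixlen <= roa.effective_max_length()):
            return ("valid", None)

    if origin_asn != 0 and any(roa.asn == origin_asn for roa in covering):
        return ("invalid", "too_specific")
    return ("invalid", "unauthorized_origin")


def classify_announcements(announcements, roas):
    """Map every (prefix, origin AS) pair to its validation result."""
    return {ann: validate_origin(ann[0], ann[1], roas) for ann in announcements}


# Constructed ROAs (RFC 5737/3849 documentation prefixes, private ASNs); not real data.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 64500),            # maxLength defaults to /24
    ROA("198.51.100.0/22", 64501, 24),     # AS64501 may announce /22 through /24
    ROA("203.0.113.0/24", 0),              # AS 0 ROA: nobody may originate this
    ROA("2001:db8::/32", 64500, 48),
]

# Constructed announcements as (prefix, origin AS); not real routing data.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),      # valid
    ("192.0.2.0/25", 64500),      # invalid, too specific
    ("192.0.2.0/24", 64666),      # invalid, unauthorized origin (hijack-like)
    ("198.51.100.0/23", 64501),   # valid, within maxLength
    ("198.51.0.0/16", 64501),     # not found: less specific than any ROA
    ("203.0.113.0/24", 64502),    # invalid, prefix is forbidden by AS 0 ROA
    ("2001:db8:1::/48", 64500),   # valid
    ("10.0.0.0/8", 64500),        # not found: no covering ROA
]

if __name__ == "__main__":
    for ann, result in classify_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS).items():
        print(f"{ann[0]:20} AS{ann[1]:<6} -> {result[0]}"
              + (f" ({result[1]})" if result[1] else ""))
```

The "not_found" state matters when interpreting the longitudinal results: a prefix with no covering ROA is neither protected nor harmed by RPKI, so the fraction of announcements that are not-found is a measure of how much of the routing table RPKI can still not speak to, and "too_specific" invalids are the classic misconfiguration symptom (an operator deaggregating beyond the maxLength in their own ROA), whereas "unauthorized_origin" invalids are the ones worth inspecting for hijacks.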

Contact

Do you have any questions, comments or concerns? Feel free to send an email to Taejoong Chung.