Introducing MANRS ROA Stats Tool

July 23, 2021 by Max Stucchi

We are launching a free online tool today to help network operators and researchers see the state of Resource Public Key Infrastructure (RPKI) around the world.

While it is encouraging to see the steadily growing use of RPKI – a cryptographic method of signing records that associate a Border Gateway Protocol (BGP) route announcement with the correct originating autonomous system number (ASN) – there is still much to be done to stop route leaks and hijacks.

In a nutshell, the ROA Stats Tool provides an overview of the Route Origin Authorizations (ROAs) created, and of the Valids and Invalids, by country or by ASN, with data updated every day. It gives us a snapshot of the current situation, but also a historical view of ROAs and validation.

The data helps network operators and researchers understand how BGP speakers in a particular country or region are doing regarding RPKI. This could also help them understand their own situation better. For instance, looking especially at the Invalids, operators can understand where their misconfigurations are and take action to fix them.

If you are a researcher who simply wants to understand more about RPKI adoption around the world, this may be a good starting point as well.

It can be seen from the screenshot that the validation state is mostly unknown. That is because most operators have not created their ROAs yet. Ideally, we would have only Valids or Invalids and a very small percentage of Unknowns. The Unknowns would be networks that have just been assigned, that are under maintenance, or that are being transferred to other entities, so being unknown would be only a temporary state.

If you have used Routinator or the now-unmaintained RIPE NCC Validator, you have most likely seen their graphical user interface, featuring a live view of ROAs and a BGP Preview, including a validation endpoint. These tools are useful, but ephemeral, as their data is not kept for later analysis.

Recently, Internet Initiative Japan (IIJ) launched a visualization tool, created by MANRS Fellow Romain Fontugne, that lets you look at, amongst other data, ROAs, valids and invalids. We will be sharing more information about that tool in the coming weeks.

Methodology

One of the main drivers for building this tool was to find all of the invalid BGP announcements out there and so uncover misconfigurations that could be fixed by applying all the MANRS principles and guidelines.

We take a daily snapshot of the networks assigned/allocated to each country by using data provided by RIPE Stat. We then go on to do two things:

  • Check if they are announced or not
  • Check if there are any more specific networks being announced

For each one of these announced entries, we run a route origin validation process to identify if they are valid, unknown, or invalid.
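The validation step described above can be sketched as follows. This is an added example, not the ROA Stats Tool's own code: it applies the RFC 6811 origin validation rules to constructed data (documentation prefixes and ASNs), and the names `validate` and `survey` are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample data: documentation prefixes and ASNs only.
ROAS = [  # (prefix, maxLength, authorized origin ASN)
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64498),
]
ALLOCATED = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]
ANNOUNCED = [  # (prefix, origin ASN) as seen in a BGP table
    ("192.0.2.0/24", 64496),     # matches its ROA exactly
    ("192.0.2.128/25", 64496),   # right origin, longer than maxLength
    ("198.51.100.0/24", 64499),  # covered by a ROA, wrong origin
    ("203.0.113.0/24", 64500),   # no covering ROA
    ("2001:db8:1::/48", 64498),  # more specific, within maxLength
]

def validate(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'unknown'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route when the route lies inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match also needs the same origin and a length within maxLength.
        if asn != 0 and asn == origin and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"

def survey(allocated=ALLOCATED, announced=ANNOUNCED, roas=ROAS):
    """Validate every announcement equal to or more specific than an allocation."""
    results = {}
    for alloc in map(ipaddress.ip_network, allocated):
        for prefix, origin in announced:
            route = ipaddress.ip_network(prefix)
            if route.version == alloc.version and route.subnet_of(alloc):
                results[(prefix, origin)] = validate(prefix, origin, roas)
    return results

if __name__ == "__main__":
    res = survey()
    for (prefix, origin), state in res.items():
        print(f"{prefix:20} AS{origin:<6} {state}")
    print(Counter(res.values()))
```

The `/25` case shows why more specifics are checked separately: the origin is authorized, but the announcement is still invalid because it is longer than the ROA's maxLength.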

Using RIPE Stat and its view of the BGP table from the Routing Information Service (RIS) lets us spot those invalids that would otherwise be filtered if we were just looking at a BGP table from a transit network or peering. This adds value to our data collection process because it helps us provide a more accurate view of the issues, misconfigurations, and wrong announcements. RIS, in fact, requires that no filters are applied on its BGP sessions with operators. These filters would sometimes “mask” the issues we are looking into.

Your Feedback

We would like to hear from you: How can we improve this tool? Do you see any problems with it? Please let us know of any suggestions or issues by writing to [email protected].

We hope you enjoy this new ROA-Stats visualization!

Category: News and Announcements, Routing Security
