By Romain Fontugne, MANRS Fellow and Senior Researcher at Internet Initiative Japan (IIJ) Research Lab
In the past few years we have seen a substantial increase in the number of registered Route Origin Authorization (ROA) objects. This shows that Resource Public Key Infrastructure (RPKI) is finally lifting off, thanks in part to initiatives like MANRS.
But this is not the end of the story, we still have to monitor and maintain this data to ensure quality data and the success of mechanisms that rely on it, such as Route Origin Validation (ROV).
IRR, ROA, and BGP inconsistencies
As part of the MANRS research fellowship program, we’ve designed a tool for monitoring discrepancies between operators’ disclosed intentions (IRR and ROA objects) and their actual actions in BGP.
For any route seen on BGP we report its RPKI and IRR status, as well as the status of the prefix and origin ASN in Regional Internet Registries Statistics files.
In addition, we also compute the visibility of the prefix, that is the percentage of BGP speakers in RIS and Routeviews that advertise the prefix, and the common transit networks found in AS paths.
For example, this is what it looks like for the two invalid beacon prefixes announced by the RIPE NCC:
As expected the origin AS for these prefixes is different from the one found in the ROA objects so these are flagged as ‘RPKI Invalid’. We also see that these prefixes have a low visibility as they may be dropped by ASes implementing ROV.
Keep an eye on the right prefixes
Whether you are a network operator, researcher, or policy maker, you may monitor a different set of networks. Therefore we present our results in three different views:
- The Internet-wide view lists all routing inconsistencies found for the last three days. This is probably the best place to go if you are unsure where to start from.
- The country page focuses only on prefixes originating from a selected country.
- The AS page shows all prefixes originating, or transiting via, a selected autonomous system.
All these views consist of a similar table that looks like this:
By default the table shows all ‘RPKI invalid’ prefixes. Using the above drop-down menu allows you to also list IRR invalids, bogon prefixes, and bogon ASNs.
The tabs ‘ORIGIN ASES’ and ‘MAIN TRANSITS’ summarize the number of routing inconsistencies per origin AS and transit network.
Hence one can quickly find ASes that require more attention. As of October 27 2021, we found 951 networks announcing RPKI invalid prefixes. Many of them are reported because the max prefix length is not properly set in ROAs.
We also found that Telecom Italia Sparkle, a Tier1 network that has not yet implemented ROV, appears in our results as the main transit network for RPKI invalids. We hope to monitor in the future how ROV in such a large transit network would help to inhibit the propagation of RPKI invalids.
Yes, these values are constantly changing as network operators update their ROAs and BGP announcements. Hence our results are daily updated. Feel free to check the latest results at: https://ihr.iijlab.net/ihr/en-us/rov
This is a work in progress and we are looking into making this more useful for the networking community. If you are using this tool, please let us know what you think about it. If you have suggestions on how to improve the tool further – please let us know, too! Drop us a note at [email protected], or post a question or suggestion on the MANRS community mailing list.