From: Dave Taht
Date: Sat, 31 Dec 2022 09:59:10 -0800
To: libreqos
Subject: [LibreQoS] Fwd: RPKI's 2022 Year in Review: growth & innovation

---------- Forwarded message ---------
From: Job Snijders via NANOG
Date: Sat, Dec 31, 2022 at 9:27 AM
Subject: RPKI's 2022 Year in Review: growth & innovation

Dear all,

With 2023 at our doorstep, I'd like to share some perspective on how RPKI evolved in the year 2022.

Impact on the Global Internet Routing System
============================================

Decision makers might wonder: is investing time and resources worth it? What is the effectiveness of RPKI Route Origin Validation (RPKI-ROV)? In the last year a number of interesting reports were published.

Even though less than half of BGP routes are covered by RPKI ROAs [6], based on flow data, Kentik estimates [2] that nowadays the majority of IP traffic is destined towards RPKI-valid BGP routes. Their follow-up report [3] (analysing BGP control-plane data) suggests that evaluation of a BGP route as RPKI-invalid reduces its propagation by anywhere between one half and two thirds. Cloudflare [4] published a report analysing data-plane connectivity between a select number of ASes and RPKI-invalid destinations: they estimate 6.5% (lower bound) of residential Internet users enjoy the benefits of their ISP doing RPKI-ROV. Another experiment report [5] (focussed on data-plane connectivity between validators and RPKI-valid/RPKI-invalid destinations) concluded the existence of RPKI ROAs helped move 75% of test traffic towards the correct destination.

The above metrics might appear all over the place (6.5% up to 75%), but keep in mind these analyses are not mutually exclusive. Observations of the Internet's topology are a function of the observer's vantage point. All the referenced reports agree on key points:

* ROAs have a measurable & significant impact on global IP traffic delivery
* RPKI-ROV helps reduce the "blast radius" of BGP routing incidents
* They recommend continuing the global deployment of RPKI-ROV (rejecting RPKI-invalid BGP routes), and creating ROAs for all IP address space.

Year to Year Growth of the distributed RPKI database
====================================================

In comparison to "effectiveness", the bare existence, size, contents, and number of Signed Objects in the globally distributed RPKI repository system is much easier to quantify. The below table was constructed by comparing two December 31st RPKIviews.org snapshots [1] of validated RPKI caches, primed with the ARIN, AFRINIC, APNIC, LACNIC, and RIPE Trust Anchors.

                                       2021-12-31       2022-12-31
Total cache size (KiB):                   996,216        1,240,572 (+24%)
Total number of files (objects):          192,503          242,969 (+26%)
Publication servers (FQDNs):                   36               52 (+44%)
Certification authorities:                 28,328           34,901 (+23%)
Route origin authorizations:              101,645          138,323 (+36%)
Unique VRPs:                              302,025          390,752 (+29%)
IPv4 addresses covered:             1,139,561,719    1,354,270,410 (+19%)
IPv6 addresses covered:             7,499,405,083    9,446,853,925 (+26%) *10^24
Unique origin ASNs in ROAs:                27,174           34,455 (+27%)

A healthy growth rate across the board! With the ubiquitous availability of "Publication as a Service" hosted by RIRs, I expect (and hope!) the growth of the number of distinct publication servers to stall, or even drop in 2023.

The number of Certification Authorities (CAs) closely corresponds to the number of RIR members (RIR customers) who opted to enable RPKI services for their Internet Number Resources, making it a useful proxy metric to understand how many organisations are creating RPKI ROAs.

A single Route Origin Authorization (ROA) can contain one or more Validated ROA Payloads (VRPs), and one or multiple ROAs can contain the exact same VRP information. "Unique" in the above table indicates the metric's underlying data was deduplicated. Each ROA can only contain a single Origin ASN. Multiple ROAs can refer to the same Origin ASN value.

Innovation through Standardisation
==================================

The IETF SIDROPS [7] working group (the designated forum in which volunteers collaborate to define and specify open standards for RPKI and RPKI-based technologies) was fairly productive in 2022 and managed to publish 5 RFCs:

RFC 9286 - Manifests for the RPKI (revision)
RFC 9255 - The 'I' in RPKI Does Not Stand for Identity (clarification)
RFC 9319 - The Use of maxLength in the RPKI (clarification)
RFC 9323 - A Profile for RPKI Signed Checklists (RSCs) (innovation)
RFC 9324 - Policy Based on the RPKI without Route Refresh (innovation)

The above body of work consists mostly of revisions of older work or clarifications on how to use the RPKI; to me this demonstrates a somewhat conservative approach (rather than innovation at breakneck speed), which I consider a good thing.

Outlook & Conclusion
====================

Now that globally Route Origin Validation has advanced as far as it has, the next obvious target is BGP path validation, to mitigate two distinct problems: BGP route leaks and BGP AS_PATH spoofing. Both painful to network operators!

While projects like OpenBSD's validator rpki-client and NLNetLabs' signer Krill made significant headway to support both BGPsec and ASPA, the industry as a whole (especially the BGP implementations) still has a decent chunk of work ahead. Once the freshly-created software runs on BGP routers and RIR portals offer BGPsec+ASPA functionality, operators need to investigate initial deployment strategies.

RPKI clearly is the technology of choice to improve safety and security of the global Internet routing system. Adoption of RPKI continues to grow. I'm excited to learn how far we'll be at the end of 2023!

Kind regards,

Job

Sources:

[1]: RPKI Views - http://rpkiviews.org/
     http://josephine.sobornost.net/josephine.sobornost.net/rpkidata/2021/12/31/rpki-20211231T234655Z.tgz
     http://josephine.sobornost.net/josephine.sobornost.net/rpkidata/2022/12/31/rpki-20221231T103540Z.tgz
[2]: https://www.kentik.com/blog/measuring-rpki-rov-adoption-with-netflow/
     Bias warning: source data compiled from Kentik customer data
[3]: https://www.kentik.com/blog/how-much-does-rpki-rov-reduce-the-propagation-of-invalid-routes/
     Bias warning: source data compiled from the Route Views BGP collector project
[4]: https://blog.cloudflare.com/rpki-updates-data/
     Caveat: the methodology might arrive at a lower coverage adoption rating due to suspected erroneous classification of RPKI-ROV enabled networks as 'non-validating', in case a default route (route of last resort) is present which facilitated data-plane conduit. The presence of default routes does not in any way diminish the value of RPKI-ROV, but does distort some types of measurement.
[5]: https://labs.ripe.net/author/koen-van-hove/where-did-my-packet-go-measuring-the-impact-of-rpki-rov/
[6]: https://rpki-monitor.antd.nist.gov/ROV/20221231.00/All/All/4
[7]: https://datatracker.ietf.org/wg/sidrops/about/

-- 
This song goes out to all the folk that thought Stadia would work: https://www.linkedin.com/posts/dtaht_the-mushroom-song-activity-6981366665607352320-FXtz

Dave Täht
CEO, TekLibre, LLC
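As an added illustration (not part of Job's mail, and not code from rpki-client, Krill or any other project it mentions), the script below flattens a handful of constructed ROAs into the deduplicated VRP set behind the "Unique VRPs" and "Unique origin ASNs in ROAs" metrics, then classifies BGP routes as valid, invalid or not-found per RFC 6811, applying maxLength as RFC 9319 describes. The ROA names, ASNs and prefixes are constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_network

# A Validated ROA Payload (VRP) as in RFC 6811: prefix, maxLength, origin AS.
VRP = namedtuple("VRP", "prefix maxlen asn")

# Constructed ROAs for illustration (not real RPKI data). One ROA carries one
# origin AS and one or more (prefix, maxLength) entries; roa-B repeats a VRP
# already present in roa-A, so it must not be counted twice.
ROAS = {
    "roa-A": (64500, [("192.0.2.0/24", 24), ("198.51.100.0/22", 24)]),
    "roa-B": (64500, [("192.0.2.0/24", 24)]),
    "roa-C": (64501, [("2001:db8::/32", 48)]),
}

def vrps_from_roas(roas):
    """Flatten ROAs into the deduplicated VRP set (the 'Unique VRPs' metric)."""
    vrps = set()
    for asn, entries in roas.values():
        for prefix, maxlen in entries:
            vrps.add(VRP(ip_network(prefix), maxlen, asn))
    return vrps

def unique_origin_asns(roas):
    """The 'Unique origin ASNs in ROAs' metric: one origin AS per ROA, deduplicated."""
    return {asn for asn, _ in roas.values()}

def validate(vrps, prefix, origin_asn):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ip_network(prefix)
    covered = False          # True once some VRP prefix contains the route
    for vrp in vrps:
        if vrp.prefix.version != route.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True
        # Valid only if origin AS matches and route is no more specific than maxLength
        if vrp.asn == origin_asn and route.prefixlen <= vrp.maxlen:
            return "valid"
    # Covered but unmatched is what RPKI-ROV rejects; uncovered is not-found.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    vrps = vrps_from_roas(ROAS)
    print(len(ROAS), "ROAs ->", len(vrps), "unique VRPs,",
          len(unique_origin_asns(ROAS)), "unique origin ASNs")
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                     ("203.0.113.0/24", 64500)]:
        print(pfx, "from AS%d ->" % asn, validate(vrps, pfx, asn))
```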