[LibreQoS] Fwd: RPKI's 2022 Year in Review: growth & innovation

Dave Taht dave.taht at gmail.com
Sat Dec 31 12:59:10 EST 2022


---------- Forwarded message ---------
From: Job Snijders via NANOG <nanog at nanog.org>
Date: Sat, Dec 31, 2022 at 9:27 AM
Subject: RPKI's 2022 Year in Review: growth & innovation
To: <nanog at nanog.org>


Dear all,

With 2023 at our doorstep, I'd like to share some perspective on how
RPKI evolved in the year 2022.

Impact on the Global Internet Routing System
============================================

Decision makers might wonder: is investing time and resources worth it?
What is the effectiveness of RPKI Route Origin Validation (RPKI-ROV)?
In the last year a number of interesting reports were published.

Even though less than half of BGP routes is covered by RPKI ROAs [6],
based on flow data, Kentik estimates [2] nowadays the majority of IP
traffic is destined towards RPKI-valid BGP routes. Their follow-up
report [3] (analysing BGP control-plane data) suggests that evaluation
of a BGP route as RPKI-invalid reduces its propagation by anywhere
between one half to two thirds. Cloudflare [4] published a report
analysing data-plane connectivity between a select number of ASes and
RPKI-invalid destinations: they estimate 6.5% (lower-bound) of
residential Internet users enjoy the benefits their ISP doing RPKI-ROV.
Another experiment report [5] (focussed on data-plane connectivity
between validators and RPKI-valid/RPKI-invalid destinations), concluded
the existence of RPKI ROAs helped move 75% of test traffic towards the
correct destination.

The above metrics might appear all over the place (6.5% up to 75%), but
keep in mind these analyses are not mutually exclusive. Observations of
the Internet's topology are a function of the observer's vantage point.

All the referenced reports agree on key points:

  * ROAs have a measurable & significant impact on global IP traffic delivery
  * RPKI-ROV helps reduce the "blast radius" of BGP routing incidents
  * They recommend to continue the global deployment of RPKI-ROV
    (rejecting RPKI-invalid BGP routes), and create ROAs for all IP
    address space.

Year to Year Growth of the distributed RPKI database
====================================================

In comparison to "effectiveness", the bare existence, size, contents,
and number of Signed Objects in the globally distributed RPKI repository
system is much easier to quantify.

The below table was constructed by comparing two December 31st
RPKIviews.org snapshots [1] of validated RPKI caches, primed with the
ARIN, AFRINIC, APNIC, LACNIC, and RIPE Trust Anchors.

                               2021-12-31     2022-12-31
Total cache size (KiB):           996,216      1,240,572  (+24%)
Total number of files (objects):  192,503        242,969  (+26%)
Publication servers (FQDNs):           36             52  (+44%)
Certification authorities:         28,328         34,901  (+23%)
Route origin authorizations:      101,645        138,323  (+36%)
Unique VRPs:                      302,025        390,752  (+29%)
IPv4 addresses covered:     1,139,561,719  1,354,270,410  (+19%)
IPv6 addresses covered:     7,499,405,083  9,446,853,925  (+26%) *10^24
Unique origin ASNs in ROAs:        27,174         34,455  (+27%)

A healthy growth rate across the board!

With the ubiquitous availability of "Publication as a Service" hosted by
RIRs, I expect (and hope!) the growth of the number of distinct
publication servers to stall, or even drop in 2023.

The number of Certification Authorities (CAs) closely corresponds to the
number of RIR members (RIR customers) who opted to enable RPKI services
for their Internet Number Resources, making it a useful proxy metric to
understand how many organisations are creating RPKI ROAs.

A single Route origin authorizations (ROA) can contain one or more
Validated ROA Payloads (VRPs), and one or multiple ROAs can contain the
exact same VRP information. "Unique" in the above table indicates the
metric's underlaying data was deduplicated.

Each ROA can only contain a single Origin ASN. Multiple ROAs can refer
to the same Origin ASN value.

Innovation through Standardisation
==================================

The IETF SIDROPS [7] working group (the designated forum in which
volunteers collaborate to define and specify open standards for RPKI and
RPKI-based technologies) was fairly productive in 2022 and managed to
publish 5 RFCs:

    RFC 9286 - Manifests for the RPKI                           (revision)
    RFC 9255 - The 'I' in RPKI Does Not Stand for Identity (clarification)
    RFC 9319 - The Use of maxLength in the RPKI            (clarification)
    RFC 9323 - A Profile for RPKI Signed Checklists (RSCs)    (innovation)
    RFC 9324 - Policy Based on the RPKI without Route Refresh (innovation)

The above body of work consists mostly of revisions of older work or
clarifications on how to use the RPKI, to me this demonstrates a
somewhat conservative approach (rather than innovation at breakneck
speed), which I consider a good thing.

Outlook & Conclusion
====================

Now that globally Route Origin Validation has advanced as far as it has,
the next obvious target is BGP path validation, to mitigate two distinct
problems: BGP route leaks and BGP AS_PATH spoofing. Both painful to
network operators!

While projects like OpenBSD's validator rpki-client and NLNetLabs'
signer Krill made significant headway to support both BGPsec and ASPA,
the industry as a whole still (especially the BGP implementations) have
a decent chunk of work ahead. Once the freshly-created software runs on
BGP routers and RIR portals offer BGPsec+ASPA functionality, operators
need to investigate initial deployment strategies.

RPKI clearly is the technology of choice to improve safety and security
of the global Internet routing system. Adoption of RPKI continues to
grow. I'm excited to learn how far we'll be at the end of 2023!

Kind regards,

Job

Sources:

[1]: RPKI Views - http://rpkiviews.org/
     http://josephine.sobornost.net/josephine.sobornost.net/rpkidata/2021/12/31/rpki-20211231T234655Z.tgz
     http://josephine.sobornost.net/josephine.sobornost.net/rpkidata/2022/12/31/rpki-20221231T103540Z.tgz
[2]: https://www.kentik.com/blog/measuring-rpki-rov-adoption-with-netflow/
     Bias warning: source data compiled from Kentik customer data
[3]: https://www.kentik.com/blog/how-much-does-rpki-rov-reduce-the-propagation-of-invalid-routes/
     Bias warning: source data compiled from the Route Views BGP
collector project
[4]: https://blog.cloudflare.com/rpki-updates-data/
     Caveat: the methodology might arrive at a lower coverage adoption
         rating due to suspected erroneous classification of RPKI-ROV enabled
         networks as 'non-validating', in case a default route (route of last
         resort) is present which facilitated data-plane conduit. The presence
         of default routes does not in any way diminish the value of RPKI-ROV,
         but does distort some types of measurement.
[5]: https://labs.ripe.net/author/koen-van-hove/where-did-my-packet-go-measuring-the-impact-of-rpki-rov/
[6]: https://rpki-monitor.antd.nist.gov/ROV/20221231.00/All/All/4
[7]: https://datatracker.ietf.org/wg/sidrops/about/


-- 
This song goes out to all the folk that thought Stadia would work:
https://www.linkedin.com/posts/dtaht_the-mushroom-song-activity-6981366665607352320-FXtz
Dave Täht CEO, TekLibre, LLC


More information about the LibreQoS mailing list