[AONOG] Fwd: RPKI's 2022 Year in Review: growth & innovation

dc at darwincosta.com
Sat Dec 31 20:10:43 CET 2022


FYI! 

Begin forwarded message:

> From: Job Snijders via NANOG <nanog at nanog.org>
> Date: 31 December 2022 at 18:26:47 CET
> To: nanog at nanog.org
> Subject: RPKI's 2022 Year in Review: growth & innovation
> Reply-To: Job Snijders <job at fastly.com>
> 
> Dear all,
> 
> With 2023 at our doorstep, I'd like to share some perspective on how
> RPKI evolved in the year 2022.
> 
> Impact on the Global Internet Routing System
> ============================================
> 
> Decision makers might wonder: is investing time and resources worth it?
> What is the effectiveness of RPKI Route Origin Validation (RPKI-ROV)?
> In the last year a number of interesting reports were published.
> 
> Even though less than half of BGP routes are covered by RPKI ROAs [6],
> based on flow data, Kentik estimates [2] nowadays the majority of IP
> traffic is destined towards RPKI-valid BGP routes. Their follow-up
> report [3] (analysing BGP control-plane data) suggests that evaluation
> of a BGP route as RPKI-invalid reduces its propagation by anywhere
> between one half to two thirds. Cloudflare [4] published a report
> analysing data-plane connectivity between a select number of ASes and
> RPKI-invalid destinations: they estimate 6.5% (lower-bound) of
> residential Internet users enjoy the benefits of their ISP doing RPKI-ROV.
> Another experiment report [5] (focussed on data-plane connectivity
> between validators and RPKI-valid/RPKI-invalid destinations), concluded
> the existence of RPKI ROAs helped move 75% of test traffic towards the
> correct destination.
> 
> The above metrics might appear all over the place (6.5% up to 75%), but
> keep in mind these analyses are not mutually exclusive. Observations of
> the Internet's topology are a function of the observer's vantage point.
> 
> All the referenced reports agree on key points:
> 
>  * ROAs have a measurable & significant impact on global IP traffic delivery
>  * RPKI-ROV helps reduce the "blast radius" of BGP routing incidents
>  * They recommend continuing the global deployment of RPKI-ROV
>    (rejecting RPKI-invalid BGP routes), and create ROAs for all IP
>    address space.
> 
> Year to Year Growth of the distributed RPKI database
> ====================================================
> 
> In comparison to "effectiveness", the bare existence, size, contents,
> and number of Signed Objects in the globally distributed RPKI repository
> system is much easier to quantify.
> 
> The below table was constructed by comparing two December 31st
> RPKIviews.org snapshots [1] of validated RPKI caches, primed with the
> ARIN, AFRINIC, APNIC, LACNIC, and RIPE Trust Anchors.
> 
>                               2021-12-31     2022-12-31
> Total cache size (KiB):           996,216      1,240,572  (+24%)
> Total number of files (objects):  192,503        242,969  (+26%)
> Publication servers (FQDNs):           36             52  (+44%)
> Certification authorities:         28,328         34,901  (+23%)
> Route origin authorizations:      101,645        138,323  (+36%)
> Unique VRPs:                      302,025        390,752  (+29%)
> IPv4 addresses covered:     1,139,561,719  1,354,270,410  (+19%)
> IPv6 addresses covered:     7,499,405,083  9,446,853,925  (+26%) *10^24
> Unique origin ASNs in ROAs:        27,174         34,455  (+27%)
> 
> A healthy growth rate across the board!
> 
> With the ubiquitous availability of "Publication as a Service" hosted by
> RIRs, I expect (and hope!) the growth of the number of distinct
> publication servers to stall, or even drop in 2023.
> 
> The number of Certification Authorities (CAs) closely corresponds to the
> number of RIR members (RIR customers) who opted to enable RPKI services
> for their Internet Number Resources, making it a useful proxy metric to
> understand how many organisations are creating RPKI ROAs.
> 
> A single Route Origin Authorization (ROA) can contain one or more
> Validated ROA Payloads (VRPs), and one or multiple ROAs can contain the
> exact same VRP information. "Unique" in the above table indicates the
> metric's underlying data was deduplicated.
> 
> Each ROA can only contain a single Origin ASN. Multiple ROAs can refer
> to the same Origin ASN value.
> 
> Innovation through Standardisation
> ==================================
> 
> The IETF SIDROPS [7] working group (the designated forum in which
> volunteers collaborate to define and specify open standards for RPKI and
> RPKI-based technologies) was fairly productive in 2022 and managed to
> publish 5 RFCs:
> 
>    RFC 9286 - Manifests for the RPKI                           (revision)
>    RFC 9255 - The 'I' in RPKI Does Not Stand for Identity (clarification)
>    RFC 9319 - The Use of maxLength in the RPKI            (clarification)
>    RFC 9323 - A Profile for RPKI Signed Checklists (RSCs)    (innovation)
>    RFC 9324 - Policy Based on the RPKI without Route Refresh (innovation)
> 
> The above body of work consists mostly of revisions of older work or
> clarifications on how to use the RPKI; to me this demonstrates a
> somewhat conservative approach (rather than innovation at breakneck
> speed), which I consider a good thing.
> 
> Outlook & Conclusion
> ====================
> 
> Now that globally Route Origin Validation has advanced as far as it has,
> the next obvious target is BGP path validation, to mitigate two distinct
> problems: BGP route leaks and BGP AS_PATH spoofing. Both painful to
> network operators!
> 
> While projects like OpenBSD's validator rpki-client and NLNetLabs'
> signer Krill made significant headway to support both BGPsec and ASPA,
> the industry as a whole (especially the BGP implementations) still has
> a decent chunk of work ahead. Once the freshly-created software runs on
> BGP routers and RIR portals offer BGPsec+ASPA functionality, operators
> need to investigate initial deployment strategies.
> 
> RPKI clearly is the technology of choice to improve safety and security
> of the global Internet routing system. Adoption of RPKI continues to
> grow. I'm excited to learn how far we'll be at the end of 2023!
> 
> Kind regards,
> 
> Job
> 
> Sources:
> 
> [1]: RPKI Views - http://rpkiviews.org/
>     http://josephine.sobornost.net/josephine.sobornost.net/rpkidata/2021/12/31/rpki-20211231T234655Z.tgz
>     http://josephine.sobornost.net/josephine.sobornost.net/rpkidata/2022/12/31/rpki-20221231T103540Z.tgz
> [2]: https://www.kentik.com/blog/measuring-rpki-rov-adoption-with-netflow/
>     Bias warning: source data compiled from Kentik customer data
> [3]: https://www.kentik.com/blog/how-much-does-rpki-rov-reduce-the-propagation-of-invalid-routes/
>     Bias warning: source data compiled from the Route Views BGP collector project
> [4]: https://blog.cloudflare.com/rpki-updates-data/
>     Caveat: the methodology might arrive at a lower coverage adoption
>         rating due to suspected erroneous classification of RPKI-ROV enabled
>         networks as 'non-validating', in case a default route (route of last
>         resort) is present which facilitated data-plane conduit. The presence
>         of default routes does not in any way diminish the value of RPKI-ROV,
>         but does distort some types of measurement.
> [5]: https://labs.ripe.net/author/koen-van-hove/where-did-my-packet-go-measuring-the-impact-of-rpki-rov/
> [6]: https://rpki-monitor.antd.nist.gov/ROV/20221231.00/All/All/4
> [7]: https://datatracker.ietf.org/wg/sidrops/about/
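The forwarded message describes ROAs carrying one origin ASN and one or more VRPs, the deduplication behind the "Unique VRPs" row, and the effect of an RPKI-ROV evaluation on a BGP route. The following is an added example (not part of Job's post or of any validator mentioned in it) that implements the RFC 6811 origin-validation outcome (valid / invalid / not-found) over a constructed set of ROAs, including the maxLength check that RFC 9319 cautions about and the RFC 7607 rule that an AS 0 ROA never matches any route. The ROA contents, ASNs and prefixes are constructed sample data, not registry contents.

```python
"""RPKI Route Origin Validation (RFC 6811) over a constructed set of ROAs.

Added example; the ROAs and routes below are constructed sample data and
do not come from the RPKIviews snapshots referenced in the message.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
# A Validated ROA Payload: (prefix, maxLength, origin ASN).
VRP = Tuple[Network, int, int]


@dataclass(frozen=True)
class ROA:
    asn: int  # a ROA carries exactly one origin ASN
    prefixes: Tuple[Tuple[str, Optional[int]], ...]  # (prefix, maxLength or None)

    def vrps(self) -> List[VRP]:
        """Expand one ROA into its VRPs, one per listed prefix."""
        out: List[VRP] = []
        for prefix, maxlen in self.prefixes:
            net = ipaddress.ip_network(prefix, strict=True)
            # An absent maxLength means "exactly this prefix length" (RFC 6482).
            ml = net.prefixlen if maxlen is None else maxlen
            if not net.prefixlen <= ml <= net.max_prefixlen:
                raise ValueError(f"invalid maxLength {ml} for {prefix}")
            out.append((net, ml, self.asn))
        return out


def unique_vrps(roas: Iterable[ROA]) -> Set[VRP]:
    """Deduplicate VRPs across ROAs, like the 'Unique VRPs' row of the table."""
    return {v for roa in roas for v in roa.vrps()}


def validate(route_prefix: str, origin_asn: int, vrps: Set[VRP]) -> str:
    """RFC 6811 origin validation of one (prefix, origin AS) announcement."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    covered = False
    for net, maxlen, asn in vrps:
        if net.version != route.version:
            continue
        # A VRP covers the route when the route is the VRP prefix or a
        # more-specific of it, regardless of ASN or maxLength.
        if route.prefixlen < net.prefixlen or not route.subnet_of(net):
            continue
        covered = True
        # A match additionally needs the same origin ASN and a route length
        # within maxLength. AS 0 VRPs (RFC 7607) cover but never match.
        if asn != 0 and asn == origin_asn and route.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed sample ROAs (documentation prefixes and private-use ASNs).
SAMPLE_ROAS = [
    ROA(asn=64500, prefixes=(("192.0.2.0/24", None), ("2001:db8::/32", 48))),
    ROA(asn=64500, prefixes=(("192.0.2.0/24", None),)),  # duplicate VRP
    ROA(asn=64501, prefixes=(("198.51.100.0/24", 24),)),
    ROA(asn=0, prefixes=(("203.0.113.0/24", 24),)),  # nobody may originate this
]


if __name__ == "__main__":
    vrps = unique_vrps(SAMPLE_ROAS)
    print(f"{len(vrps)} unique VRPs from {len(SAMPLE_ROAS)} ROAs")
    for prefix, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                        ("192.0.2.0/24", 64499), ("2001:db8:1::/48", 64500),
                        ("203.0.113.0/24", 64500), ("10.0.0.0/8", 64500)]:
        print(f"{prefix:18} AS{asn:<6} -> {validate(prefix, asn, vrps)}")
```

A router applying RPKI-ROV would typically reject routes the function reports as "invalid" and accept "valid" and "not-found"; the "not-found" class is exactly the uncovered address space the message urges operators to cover with ROAs.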