<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">FYI! <br><div dir="ltr"><br>Begin forwarded message:<br><br></div><blockquote type="cite"><div dir="ltr"><b>From:</b> Job Snijders via NANOG <nanog@nanog.org><br><b>Date:</b> 31 December 2022 at 18:26:47 CET<br><b>To:</b> nanog@nanog.org<br><b>Subject:</b> <b>RPKI's 2022 Year in Review: growth & innovation</b><br><b>Reply-To:</b> Job Snijders <job@fastly.com><br><br></div></blockquote><blockquote type="cite"><div dir="ltr"><span>Dear all,</span><br><span></span><br><span>With 2023 at our doorstep, I'd like to share some perspective on how</span><br><span>RPKI evolved in the year 2022.</span><br><span></span><br><span>Impact on the Global Internet Routing System</span><br><span>============================================</span><br><span></span><br><span>Decision makers might wonder: is investing time and resources worth it?</span><br><span>What is the effectiveness of RPKI Route Origin Validation (RPKI-ROV)?</span><br><span>In the last year a number of interesting reports were published.</span><br><span></span><br><span>Even though less than half of BGP routes are covered by RPKI ROAs [6],</span><br><span>based on flow data, Kentik estimates [2] nowadays the majority of IP</span><br><span>traffic is destined towards RPKI-valid BGP routes. Their follow-up</span><br><span>report [3] (analysing BGP control-plane data) suggests that evaluation</span><br><span>of a BGP route as RPKI-invalid reduces its propagation by anywhere</span><br><span>between one half and two thirds. 
Cloudflare [4] published a report</span><br><span>analysing data-plane connectivity between a select number of ASes and</span><br><span>RPKI-invalid destinations: they estimate 6.5% (lower-bound) of</span><br><span>residential Internet users enjoy the benefits of their ISP doing RPKI-ROV.</span><br><span>Another experiment report [5] (focussed on data-plane connectivity</span><br><span>between validators and RPKI-valid/RPKI-invalid destinations) concluded</span><br><span>the existence of RPKI ROAs helped move 75% of test traffic towards the</span><br><span>correct destination.</span><br><span></span><br><span>The above metrics might appear all over the place (6.5% up to 75%), but</span><br><span>keep in mind these analyses are not mutually exclusive. Observations of</span><br><span>the Internet's topology are a function of the observer's vantage point.</span><br><span></span><br><span>All the referenced reports agree on key points:</span><br><span></span><br><span>  * ROAs have a measurable & significant impact on global IP traffic delivery</span><br><span>  * RPKI-ROV helps reduce the "blast radius" of BGP routing incidents</span><br><span>  * They recommend continuing the global deployment of RPKI-ROV</span><br><span>    (rejecting RPKI-invalid BGP routes), and creating ROAs for all IP</span><br><span>    address space.</span><br><span></span><br><span>Year to Year Growth of the distributed RPKI database</span><br><span>====================================================</span><br><span></span><br><span>In comparison to "effectiveness", the bare existence, size, contents,</span><br><span>and number of Signed Objects in the globally distributed RPKI repository</span><br><span>system is much easier to quantify.</span><br><span></span><br><span>The below table was constructed by comparing two December 31st</span><br><span>RPKIviews.org snapshots [1] of validated RPKI caches, primed with the</span><br><span>ARIN, AFRINIC, APNIC, LACNIC, and RIPE Trust 
Anchors.</span><br><span></span><br><span>                               2021-12-31     2022-12-31</span><br><span>Total cache size (KiB):           996,216      1,240,572  (+24%)</span><br><span>Total number of files (objects):  192,503        242,969  (+26%)</span><br><span>Publication servers (FQDNs):           36             52  (+44%)</span><br><span>Certification authorities:         28,328         34,901  (+23%)</span><br><span>Route origin authorizations:      101,645        138,323  (+36%)</span><br><span>Unique VRPs:                      302,025        390,752  (+29%)</span><br><span>IPv4 addresses covered:     1,139,561,719  1,354,270,410  (+19%)</span><br><span>IPv6 addresses covered:     7,499,405,083  9,446,853,925  (+26%) *10^24</span><br><span>Unique origin ASNs in ROAs:        27,174         34,455  (+27%)</span><br><span></span><br><span>A healthy growth rate across the board!</span><br><span></span><br><span>With the ubiquitous availability of "Publication as a Service" hosted by</span><br><span>RIRs, I expect (and hope!) the growth of the number of distinct</span><br><span>publication servers to stall, or even drop in 2023.</span><br><span></span><br><span>The number of Certification Authorities (CAs) closely corresponds to the</span><br><span>number of RIR members (RIR customers) who opted to enable RPKI services</span><br><span>for their Internet Number Resources, making it a useful proxy metric to</span><br><span>understand how many organisations are creating RPKI ROAs.</span><br><span></span><br><span>A single Route Origin Authorization (ROA) can contain one or more</span><br><span>Validated ROA Payloads (VRPs), and one or multiple ROAs can contain the</span><br><span>exact same VRP information. "Unique" in the above table indicates the</span><br><span>metric's underlying data was deduplicated.</span><br><span></span><br><span>Each ROA can only contain a single Origin ASN. 
Multiple ROAs can refer</span><br><span>to the same Origin ASN value.</span><br><span></span><br><span>Innovation through Standardisation</span><br><span>==================================</span><br><span></span><br><span>The IETF SIDROPS [7] working group (the designated forum in which</span><br><span>volunteers collaborate to define and specify open standards for RPKI and</span><br><span>RPKI-based technologies) was fairly productive in 2022 and managed to</span><br><span>publish 5 RFCs:</span><br><span></span><br><span>    RFC 9286 - Manifests for the RPKI                           (revision)</span><br><span>    RFC 9255 - The 'I' in RPKI Does Not Stand for Identity (clarification)</span><br><span>    RFC 9319 - The Use of maxLength in the RPKI            (clarification)</span><br><span>    RFC 9323 - A Profile for RPKI Signed Checklists (RSCs)    (innovation)</span><br><span>    RFC 9324 - Policy Based on the RPKI without Route Refresh (innovation)</span><br><span></span><br><span>The above body of work consists mostly of revisions of older work or</span><br><span>clarifications on how to use the RPKI; to me this demonstrates a</span><br><span>somewhat conservative approach (rather than innovation at breakneck</span><br><span>speed), which I consider a good thing.</span><br><span></span><br><span>Outlook & Conclusion</span><br><span>====================</span><br><span></span><br><span>Now that globally Route Origin Validation has advanced as far as it has,</span><br><span>the next obvious target is BGP path validation, to mitigate two distinct</span><br><span>problems: BGP route leaks and BGP AS_PATH spoofing. 
Both painful to</span><br><span>network operators!</span><br><span></span><br><span>While projects like OpenBSD's validator rpki-client and NLNetLabs'</span><br><span>signer Krill made significant headway to support both BGPsec and ASPA,</span><br><span>the industry as a whole (especially the BGP implementations) still has</span><br><span>a decent chunk of work ahead. Once the freshly-created software runs on</span><br><span>BGP routers and RIR portals offer BGPsec+ASPA functionality, operators</span><br><span>need to investigate initial deployment strategies.</span><br><span></span><br><span>RPKI clearly is the technology of choice to improve safety and security</span><br><span>of the global Internet routing system. Adoption of RPKI continues to</span><br><span>grow. I'm excited to learn how far we'll be at the end of 2023!</span><br><span></span><br><span>Kind regards,</span><br><span></span><br><span>Job</span><br><span></span><br><span>Sources:</span><br><span></span><br><span>[1]: RPKI Views - http://rpkiviews.org/</span><br><span>     http://josephine.sobornost.net/josephine.sobornost.net/rpkidata/2021/12/31/rpki-20211231T234655Z.tgz</span><br><span>     http://josephine.sobornost.net/josephine.sobornost.net/rpkidata/2022/12/31/rpki-20221231T103540Z.tgz</span><br><span>[2]: https://www.kentik.com/blog/measuring-rpki-rov-adoption-with-netflow/</span><br><span>     Bias warning: source data compiled from Kentik customer data</span><br><span>[3]: https://www.kentik.com/blog/how-much-does-rpki-rov-reduce-the-propagation-of-invalid-routes/</span><br><span>     Bias warning: source data compiled from the Route Views BGP collector project</span><br><span>[4]: https://blog.cloudflare.com/rpki-updates-data/</span><br><span>     Caveat: the methodology might arrive at a lower coverage adoption</span><br><span>         rating due to suspected erroneous classification of RPKI-ROV enabled</span><br><span>         networks as 'non-validating', in case a default route 
(route of last</span><br><span>         resort) is present which facilitated data-plane conduit. The presence</span><br><span>         of default routes does not in any way diminish the value of RPKI-ROV,</span><br><span>         but does distort some types of measurement.</span><br><span>[5]: https://labs.ripe.net/author/koen-van-hove/where-did-my-packet-go-measuring-the-impact-of-rpki-rov/</span><br><span>[6]: https://rpki-monitor.antd.nist.gov/ROV/20221231.00/All/All/4</span><br><span>[7]: https://datatracker.ietf.org/wg/sidrops/about/</span><br></div></blockquote></body></html>
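An added worked example, not part of Job's message or of any of the projects it names, illustrating two things the message relies on: how the ROA, "Unique VRPs" and "Unique origin ASNs" rows of the table relate (one ROA carries one origin ASN and one or more prefix/maxLength entries; identical payloads from several ROAs count once after deduplication), and what "evaluating a BGP route as RPKI-invalid" means for a router performing RPKI-ROV. The validation routine follows the origin validation procedure of RFC 6811 (valid / invalid / not-found). The ROAs, prefixes (documentation ranges) and ASNs (private-use range) are constructed sample data, and all function and class names are this example's own, chosen for illustration.

```python
"""Worked RPKI example: flatten constructed ROAs into deduplicated VRPs,
summarise them the way the year-in-review table does, and apply RFC 6811
Route Origin Validation to sample BGP routes. Standard library only."""
from dataclasses import dataclass
from ipaddress import collapse_addresses, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: exactly one origin ASN and one or more
    (prefix, maxLength) entries. maxLength None means 'same as prefix length'."""
    origin_asn: int
    entries: Tuple[Tuple[str, Optional[int]], ...]


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload: (prefix, maxLength, origin ASN)."""
    prefix: object  # IPv4Network or IPv6Network
    max_length: int
    origin_asn: int


def vrps_from_roas(roas):
    """Flatten ROAs into a set of VRPs. Identical payloads carried by different
    ROAs collapse into one entry, which is what 'Unique VRPs' means."""
    vrps = set()
    for roa in roas:
        for prefix_str, max_length in roa.entries:
            prefix = ip_network(prefix_str, strict=True)
            max_len = prefix.prefixlen if max_length is None else max_length
            if not prefix.prefixlen <= max_len <= prefix.max_prefixlen:
                raise ValueError(f"bad maxLength {max_len} for {prefix}")
            vrps.add(VRP(prefix, max_len, roa.origin_asn))
    return vrps


def unique_origin_asns(vrps):
    return {v.origin_asn for v in vrps}


def addresses_covered(vrps, version):
    """Distinct addresses covered by VRP prefixes of one IP version; prefixes
    are merged first so overlapping ROAs are not double-counted."""
    nets = [v.prefix for v in vrps if v.prefix.version == version]
    return sum(n.num_addresses for n in collapse_addresses(nets))


def validate_route(prefix_str, origin_asn, vrps):
    """RFC 6811 origin validation: 'not-found' if no VRP covers the route,
    'valid' if a covering VRP has the same origin ASN and a maxLength at
    least the route's prefix length, otherwise 'invalid'."""
    route = ip_network(prefix_str, strict=True)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"
    for v in covering:
        if v.origin_asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


# Constructed sample repository: three ROAs, two origin ASNs, one VRP repeated.
SAMPLE_ROAS = (
    ROA(64500, (("192.0.2.0/24", None), ("198.51.100.0/24", 26))),
    ROA(64500, (("192.0.2.0/24", None),)),  # same VRP as in the first ROA
    ROA(64501, (("203.0.113.0/24", None), ("2001:db8::/32", 48))),
)


def summarize(roas=SAMPLE_ROAS):
    """Counts analogous to the table rows: ROAs, unique VRPs, unique origin
    ASNs and addresses covered per IP version."""
    vrps = vrps_from_roas(roas)
    return {
        "roas": len(roas),
        "roa_entries": sum(len(r.entries) for r in roas),
        "unique_vrps": len(vrps),
        "unique_origin_asns": len(unique_origin_asns(vrps)),
        "ipv4_addresses_covered": addresses_covered(vrps, 4),
        "ipv6_addresses_covered": addresses_covered(vrps, 6),
    }


if __name__ == "__main__":
    print(summarize())
    vrps = vrps_from_roas(SAMPLE_ROAS)
    for route, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                       ("198.51.100.0/26", 64500), ("203.0.113.0/24", 64500),
                       ("10.0.0.0/8", 64500), ("2001:db8:1::/48", 64501)]:
        print(f"{route:18} AS{asn}: {validate_route(route, asn, vrps)}")
```

Running the script prints the summary (three ROAs with five entries yield four unique VRPs and two origin ASNs) and the state of each sample route. Note that 192.0.2.0/25 is invalid even though the origin ASN matches, because the VRP's maxLength is 24: this is the maxLength behaviour RFC 9319 in the list above clarifies, and it is why a more-specific hijack of a ROA-covered prefix is rejected by validating networks rather than merely not-found.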