Measuring adoption of ROV is challenging without direct access to routers in the wild. My colleagues and I at Virginia Tech, IIJ, RIPE NCC, and MANRS have developed a new measurement platform (RoVISTA) to measure the current deployment status of ROV. You can help by taking our survey!
The short survey we're conducting asks network operators about their Resource Public Key Infrastructure (RPKI) deployment to help us validate our findings. The detailed methodology and analysis will be made publicly available.
Take the survey
What’s RoVISTA and how can it help you
RoVISTA is a new measurement platform developed by my colleagues and I at Virginia Tech, IIJ, RIPE NCC, and MANRS to measure the current deployment rate status of Route Origin Validation (ROV).
At a high level, our methodology leverages two techniques:
- Identifying the hosts which are reachable under RPKI-invalid prefixes
- Measuring the connectivity status between two end hosts using the IP-ID side-channel technique.
First, we use RouteViews BGP table datasets and validate each routing entry with all Route Origin Authorisations (ROAs). Interestingly, nearly 1% of RPKI-covered IP prefixes in the global BGP table are RPKI-invalid, which indicates that such IP prefixes cannot be reachable from the Autonomous Systems (ASes) that filter RPKI-invalid prefixes. For those RPKI-invalid prefixes, we try to find hosts that have TCP ports open so that we can initiate TCP handshakes; we call such hosts targets.
Now, we want to measure if an AS can reach the target — if so, it may suggest that the AS does not perform ROV. This methodology would be easily applicable if we can set up our measurement machines in the AS; however, it is not scalable.
To overcome this challenge, we use a technique called IP-ID side-channel, which has been used in many other areas for counting hosts behind NATs, estimating the traffic from, or detecting censorship. One of the nice applications of the IP-ID side-channel technique is conjecturing the connectivity between two remote end hosts. With this technique, we can measure the reachability from one host to a target to conjecture the ROV status of the AS of the host.
To mitigate client-side errors, such as transient connection failure, we try to find as many hosts as possible (at least 10 hosts) in a given AS and test their reachability to many targets to determine whether unreachability is possibly due to ROV with high certainty. After that, we calculate what fraction of the targets were unreachable by all hosts in a given AS, which we call the ROV ratio.
What we’ve found using RoVISTA
Our team has been running RoVISTA since December 2021 and we’ve found it works well. For example, Orange (AS 5511) announced its ROV deployment on 27 June 2022, though RoVISTA detected the ROV ratio of Orange jumping from 0% to 100% on 6 June 2022.
Among the so-called Tier-1 ASes, RoVista shows that Level 3 (AS 3356), Telia (AS 1299), GTT (AS 3257), NTT America (AS 2914), TATA Communications (AS 6453), PCCW Global (AS 3491), Orange (AS 5511), AT&T (AS 7018), Liberty Global (AS 6830), Sprint (AS 1239), and CenturyLink (AS 209) filter more than 95% of RPKI-invalid prefixes that we tested, confirming that they have all deployed ROV. So far we have measured more than 27,000 ASes ROV filtering ratios — see the results.
While our results are promising there are several challenges with validating the methodology. For example, even if we see many hosts in an AS always filtering RPKI-invalid prefixes, we cannot say for certain that the AS has deployed ROV because it could be due to one of their higher Tier providers who has deployed ROV making it unreachable to the target — this is called collateral benefit.
Some ASes may also perform ROV selectively depending on where they get announcements from. For example, AT&T (AS7018) was found to be dropping RPKI-invalid routes from peers, but not from their customers. As we find more targets from different prefixes, we can characterise the ROV policy of ASes, but it is not trivial.
This is why we need your help to give us insight into your RPKI deployment so we can validate what we are measuring and confidently report on ROV adoption.
If you have any questions or feedback please feel free to email us firstname.lastname@example.org and email@example.com. All results will be made publicly available via the RoVISTA website.
We would like to thank MANRS for this great opportunity to communicate with network operators and also the Commonwealth Cyber Initiative and Comcast Innovation Fund for their financial support for this research.
This article was originally published over on the MANRS blog.