NIST RPKI Deployment Monitor update

By on 14 May 2021

Category: Tech matters

Tags: , , ,

Blog home

The NIST RPKI Monitor is a test and measurement tool designed to monitor the dynamics of the global Resource Public Key Infrastructure (RPKI) and the impact of RPKI Route Origin Validation (ROV) on Internet routing. Its purpose is to provide measurement data and analyses to the research, standardization, and operations communities necessary to improve the trust and confidence in the underlying technologies.

This is the second version of the National Institute for Standards and Technology (NIST) RPKI Monitor — developed to add more analysis features for understanding completeness, correctness, and stability of the global RPKI-ROV infrastructure.

Most of the analysis features of the original NIST RPKI monitor have been migrated to this new platform, but if you are looking for information from the prior version that you can’t find here, the original monitor is available here.

NIST’s Robust Inter-Domain Routing project is part of a larger Trustworthy Networking program focused on the research and development of technologies necessary to increase the security, privacy, and robustness of networked systems.

Uses

The NIST RPKI Monitor is a test and measurement tool developed by NIST’s Internet Technologies Research Group for the purpose of supporting research, and standardization of technologies to improve the robustness and security of the Internet’s inter-domain routing infrastructure. The monitor attempts to quantitatively characterize the state of deployment of the emerging RPKI in terms of its completeness, correctness, and robustness.

This latest version of the monitor provides all the analyses from previous versions, while adding new forms of analysis and new means to interactively explore data. The section below provides some highlights of the monitor’s capabilities. For full details see the NIST RPKI Monitor Methodology and User’s Guide page.

The monitor continues to provide analysis of the application’s global RPKI data to global BGP trace data. Various views of the results of RPKI-ROV, both current snap shots and historical views (summarized by various criteria), are provided.

Figure 1 — NIST RPKI Monitor’s RPKI-ROV analysis of unique prefix-origin pairs (IPv4).
Figure 1 — NIST RPKI Monitor’s RPKI-ROV analysis of unique prefix-origin pairs (IPv4).
Figure 2 — NIST RPKI Monitor’s RPKI-ROV Analysis of Address Space (24s) in Unique Prefix-Origin Pairs (IPv4).
Figure 2 — NIST RPKI Monitor’s RPKI-ROV analysis of address space (/24s) in unique prefix-origin pairs (IPv4).
Figure 3 — NIST RPKI Monitor’s 25 Autonomous Systems with the most BGP Originated Prefixes VALID by RPKI-ROV (IPv4).
Figure 3 — NIST RPKI Monitor’s 25 Autonomous Systems with the most BGP originated prefixes VALID by RPKI-ROV (IPv4).
Figure 4 — NIST RPKI Monitor’s RPKI-ROV history of unique valid prefix-origin pairs (IPv4) — comparing RIR regions.
Figure 4 — NIST RPKI Monitor’s RPKI-ROV history of unique valid prefix-origin pairs (IPv4) — comparing RIR regions.

Many of the new analyses focus on understanding changes in the state of RPKI-ROV — both in terms of the volume of change and the details of individual validation changes. The monitor now allows one to see the details of the underlying RPKI changes that result in a change in RPKI-ROV for specific BGP originations.

Figure 5 — NIST RPKI Monitor’s RPKI-ROV State Changes (IPv4 Prefix-Origin Pairs)..png
Figure 5 — NIST RPKI Monitor’s RPKI-ROV state changes (IPv4 prefix-origin pairs).
Figure 6 — NIST RPKI Monitor’s detailed ROV changes.
Figure 6 — NIST RPKI Monitor’s detailed ROV changes.

This version of the monitor provides the ability to filter the data and visualizations to focus on a specific set of prefixes, ASNs, regions or protocols (IPv4 or IPv6). The monitor also provides the ability to look back at results from specific dates, or to interactively explore a range of dates.

Figure 7 — NIST RPKI Monitor’s prefix ROV history.
Figure 7 — NIST RPKI Monitor’s prefix ROV history.

New analyses have been added to further examine the implications of RPKI-ROV invalid routes. In particular, the monitor provides analysis of the ‘coverage’ of invalid announcements — by other routes that are not invalid.

Figure 8 — NIST RPKI Monitor’s coverage details of invalid IPv4 prefixes.
Figure 8 — NIST RPKI Monitor’s coverage details of invalid IPv4 prefixes.
Figure 9 — NIST RPKI Monitor’s history of invalid IPv4 prefixes and their coverage.
Figure 9 — NIST RPKI Monitor’s history of invalid IPv4 prefixes and their coverage.

The monitor creates periodic summary reports for all RPKI-ROV state changes. The monitor also produces summary reports when it detects anomalies in the RPKI-ROV system (for example, unusually large number of RPKI or RPKI-ROV state changes, and so forth). Users can subscribe to an email list to receive these reports in a daily summary or more frequently. See the NIST RPKI Monitor Methodology page for instructions for joining these mailing lists.

Figure 10 — NIST RPKI Monitor’s ROV summary bar.
Figure 10 — NIST RPKI Monitor’s ROV summary bar.
Figure 11 — NIST RPKI Monitor’s mailing lists.
Figure 11 — NIST RPKI Monitor’s mailing lists.

The monitor continues to provide analyses of global RPKI repositories, including various statistics on the size and shape of the RPKI infrastructure.

Figure 12 — NIST RPKI Monitor’s RPKI validation.
Figure 12 — NIST RPKI Monitor’s RPKI validation.
Figure 13 — NIST RPKI Monitor’s Certificates for each Certificate Path Depth Value (EE certs included)
Figure 13 — NIST RPKI Monitor’s certificates for each certificate path depth value (EE certs included)

NIST’s full RPKI Monitor is accessible here.

The NIST RPKI Monitor software system was designed and implemented by Lilia Hannachi, Oliver Borchert, Kotikalapudi Sriram and Doug Montgomery.

Doug Montgomery is the Manager of Internet and Scalable Systems Research within the Information Technology Laboratory and was recognized as an IPv6 World Leader in the New Internet IPv6 Hall of Fame 2020.

This post was originally published at NIST Blog.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Top