APNIC is pleased to announce the first release of a routing status service in the Dashboard for Autonomous System Health (DASH) system. DASH was initially released to monitor network health but has since widened its scope to help inform Internet number resource holders about the state of their resources.
Logging in to DASH is now part of the APNIC-wide single sign-on (SSO) initiative. Clicking ‘Log in’ will take you to an APNIC SSO screen that requires your APNIC username and password. Once connected, all resource holdings that you have access to will be available to view, and you can select by origin-AS.
DASH’s route status service allows you to see APNIC’s view of your BGP alignment with two other routing information systems:
- Resource Public Key Infrastructure (RPKI) — where you ‘certify’ your origin-AS in a Route Origin Authorization (ROA).
- Internet Routing Registry (IRR) — where you declare a Routing Policy Specification Language (RPSL) encoded route object for your origin-AS.
RPKI and ROAs form a cryptographically checkable basis for declaring your BGP origin-AS. An IRR route object is a simpler declaration, sometimes backed by nothing more than a password. Normally, the RPKI record and the IRR record will be in alignment, but it is possible to manage both independently, and to choose which one you want in different circumstances. This, and the realities of BGP, mean your BGP announcements and the statements you make outside of BGP may not be in alignment from time to time, but a mismatch could also mean a bad actor is asserting a BGP state about your resource. Please note that while the DASH route information system (RIS) will continue to maintain your route object in APNIC’s IRR, APNIC encourages Members to use RPKI wherever possible.
How it works
APNIC has constructed an information model that combines three sources of data to represent the visible state of your prefixes in each system:
- BGP is taken from a view of RIPE NCC’s RIS data sourced from their Singapore collector.
- IRR is taken from a Near Real Time Mirroring (NRTM) feed of RPSL from the Regional Internet Registries (RIRs) and other routing registries.
- RPKI is taken from a locally-operated Routinator system.
All three information models are updated in real time but can be subject to update delays such as publication and republication times, and propagation delay. From this, APNIC combines the data to show states of mismatch between the routing models.
Limitations of mismatch information
Because each source of data is separate, APNIC’s RIS cannot predict which one of the three is incorrect for any given mismatch, only that there’s a mismatch. For example, it’s possible that:
- Both RPKI and IRR are correct and your BGP is misconfigured, or there’s an active hijack.
- Your RPKI is incorrectly signed and there’s a cryptographically valid, but incorrect, statement of your secure origination.
- There’s a mistake in your IRR route object.
Because all three problems could be present at the same time, APNIC’s RIS flags how they misalign, and shows a ‘mismatch’ outcome.
Aggregates in BGP
The DASH RIS accounts for aggregates and can show the more and less specific view of the data, to ensure APNIC can align its records with what you announce. For example, if we know you’ve been delegated a /23 and two /24s — but you’re not going to route these as three discrete prefixes in BGP all the time — you can (and should) show the covering /22 aggregate in your origination.
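The following script is an added illustration of the three-way comparison described under ‘How it works’, ‘Limitations of mismatch information’ and ‘Aggregates in BGP’. It is not DASH code and makes no claim about how APNIC’s RIS is implemented; the prefixes, AS numbers, ROAs and route objects are constructed sample data. Each BGP announcement is checked against the ROAs (RFC 6811 route origin validation, including the maxLength that lets a covering /22 ROA authorize the /23 and /24 announcements beneath it) and against IRR route objects (an exact or covering less-specific object with the same origin counts as aligned). As the post notes, the output can only say that the three sources disagree, not which one is wrong.

```python
"""Added illustration, not APNIC's DASH code: compare BGP announcements
with RPKI ROAs and IRR route objects and flag mismatches.
All prefixes and AS numbers below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:            # validated ROA payload as a validator such as Routinator emits it
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class RouteObject:    # RPSL route object: its "route:" and "origin:" attributes
    route: str
    origin: int


@dataclass(frozen=True)
class Announcement:   # prefix / origin-AS pair as seen by a BGP collector
    prefix: str
    origin: int


def _covers(container: str, net) -> bool:
    """True if `container` contains `net`. The address-family check matters:
    subnet_of() raises TypeError when comparing IPv4 with IPv6."""
    c = ip_network(container)
    return c.version == net.version and net.subnet_of(c)


def rpki_state(ann: Announcement, roas) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    a = ip_network(ann.prefix)
    covering = [r for r in roas if _covers(r.prefix, a)]
    if not covering:
        return "not-found"          # no ROA covers the prefix at all
    if any(r.asn == ann.origin and a.prefixlen <= r.max_length for r in covering):
        return "valid"              # origin matches and prefix is within maxLength
    return "invalid"                # covered, but wrong origin or too specific


def irr_state(ann: Announcement, routes) -> str:
    """'exact' or 'covered' (aligned), 'origin-differs' or 'missing' (not aligned).
    A covering less-specific route object with the same origin is accepted,
    which is how an aggregate declared in the IRR aligns with more-specific announcements."""
    a = ip_network(ann.prefix)
    covering = [r for r in routes if _covers(r.route, a)]
    if not covering:
        return "missing"
    same_origin = [r for r in covering if r.origin == ann.origin]
    if not same_origin:
        return "origin-differs"
    if any(ip_network(r.route) == a for r in same_origin):
        return "exact"
    return "covered"


def classify(ann: Announcement, roas, routes) -> dict:
    """Combine the two checks. 'issues' lists which legs disagree; it deliberately
    does not guess whether BGP, RPKI or IRR is the one that is wrong."""
    rpki, irr = rpki_state(ann, roas), irr_state(ann, routes)
    issues = []
    if rpki != "valid":
        issues.append(f"rpki:{rpki}")
    if irr not in ("exact", "covered"):
        issues.append(f"irr:{irr}")
    return {"prefix": ann.prefix, "origin": ann.origin, "rpki": rpki, "irr": irr,
            "status": "aligned" if not issues else "mismatch", "issues": issues}


# Constructed sample data: AS64500 holds 203.0.112.0/22 (delegated as a /23 and
# two /24s) and certifies the covering /22 with maxLength 24, as the post suggests.
SAMPLE_ROAS = [Roa("203.0.112.0/22", 24, 64500), Roa("198.51.100.0/24", 24, 64500)]
SAMPLE_ROUTES = [RouteObject("203.0.112.0/22", 64500),
                 RouteObject("198.51.100.0/24", 64500),
                 RouteObject("192.0.2.0/24", 64500)]
SAMPLE_BGP = [Announcement("203.0.112.0/22", 64500),   # aggregate, aligned
              Announcement("203.0.114.0/24", 64500),   # more specific under the /22 ROA, aligned
              Announcement("203.0.114.0/25", 64500),   # exceeds maxLength: RPKI invalid
              Announcement("198.51.100.0/24", 64511),  # foreign origin: misconfig or hijack
              Announcement("192.0.2.0/24", 64500),     # IRR only, no ROA: RPKI not-found
              Announcement("2001:db8::/32", 64500)]    # nothing declared anywhere


def report(announcements=SAMPLE_BGP, roas=SAMPLE_ROAS, routes=SAMPLE_ROUTES):
    return [classify(a, roas, routes) for a in announcements]


if __name__ == "__main__":
    for row in report():
        print(f"{row['prefix']:18} AS{row['origin']:<6} rpki={row['rpki']:9} "
              f"irr={row['irr']:14} {row['status']} {' '.join(row['issues'])}")
```

Running it prints one line per announcement; the two covered by the /22 ROA and route object come out aligned, while the /25 shows why maxLength matters: the covering ROA exists, the origin is right, but the announcement is more specific than the ROA allows, so a validator treats it as invalid.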
Users and accounts
Increasingly, individual users of APNIC services are managing multiple resource holding accounts. Therefore, DASH now recognizes that users may be logging in to review prefix behaviours of several different accounts and allows managing each account’s prefixes individually.
From informing to alerting, and more to come
As APNIC further develops its notifications platform, alerts will be deployed for RIS, so you’ll be able to create custom trigger events for your prefixes and be notified as soon as there’s a mismatch. Alerts are expected to be released later in 2022, and will complement and align with the suspicious traffic alerting mechanism released to DASH earlier this year.
Where DASH was previously focused on rapidly tracking suspicious traffic seen coming from your network, it now recognizes the centrality of prefixes to your routing. APNIC will redesign all DASH services to align with this information model for release in 2023.