RoVISTA is a new measurement platform developed by me and my colleagues at Virginia Tech, IIJ, RIPE NCC, and MANRS to measure the current state of ROV deployment.
At a high level, our methodology leverages two techniques:
- Identifying hosts that are reachable inside RPKI-invalid prefixes.
- Measuring whether two end hosts can reach each other using the IP-ID side-channel technique.
First, we take BGP table snapshots from RouteViews and validate each routing entry against all Route Origin Authorisations (ROAs). Interestingly, nearly 1% of the RPKI-covered IP prefixes in the global BGP table are RPKI-invalid, which means those prefixes are not reachable from Autonomous Systems (ASes) that filter RPKI-invalid routes. Within those RPKI-invalid prefixes, we look for hosts with open TCP ports so that we can initiate TCP handshakes with them; we call such hosts targets.
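The validation step above is ordinary Route Origin Validation as specified in RFC 6811. The following is an added example, not RoVISTA's own code: it checks each (prefix, origin AS) entry of a constructed BGP table against a constructed ROA set (documentation prefixes and private ASNs, all made up for illustration) and reports the share of RPKI-covered prefixes that are invalid, which is the figure quoted above.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set and BGP table.

Added example, not RoVISTA code: the ROAs, prefixes and ASNs below are made up
(documentation ranges and private ASNs) purely to illustrate the validation logic.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int  # AS0 means "no AS is authorised to originate this prefix"


def make_roa(prefix: str, asn: int, max_length: int | None = None) -> ROA:
    net = ipaddress.ip_network(prefix, strict=True)
    # RFC 6482: maxLength defaults to the ROA prefix length when absent.
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)


def validate(route_prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """Return the RFC 6811 validation state of a (prefix, origin AS) route."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    # Covering ROAs: same address family and the ROA prefix contains the route prefix.
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return NOT_FOUND
    for roa in covering:
        # A matching ROA needs the right origin AS and a prefix length within maxLength.
        # AS0 ROAs never match, so a prefix covered only by AS0 is always invalid.
        if roa.asn == origin_asn and roa.asn != 0 and route.prefixlen <= roa.max_length:
            return VALID
    return INVALID


def summarize(table: list[tuple[str, int]], roas: list[ROA]) -> dict:
    """Count states across a BGP table and give the invalid share of RPKI-covered prefixes."""
    counts = {VALID: 0, INVALID: 0, NOT_FOUND: 0}
    for prefix, origin in table:
        counts[validate(prefix, origin, roas)] += 1
    covered = counts[VALID] + counts[INVALID]
    counts["invalid_share_of_covered"] = counts[INVALID] / covered if covered else 0.0
    return counts


# Constructed ROAs (documentation prefixes, private ASNs).
ROAS = [
    make_roa("192.0.2.0/24", 64496),
    make_roa("198.51.100.0/22", 64497, max_length=24),
    make_roa("203.0.113.0/24", 0),             # AS0: nobody may originate this
]

# Constructed BGP table entries: (prefix, origin AS).
TABLE = [
    ("192.0.2.0/24", 64496),      # valid
    ("192.0.2.0/25", 64496),      # invalid: /25 exceeds maxLength 24
    ("192.0.2.0/24", 64500),      # invalid: wrong origin AS
    ("198.51.100.0/23", 64497),   # valid: within /22..24 from the right AS
    ("203.0.113.0/24", 64496),    # invalid: AS0 ROA
    ("2001:db8::/32", 64496),     # not-found: no covering ROA
]

if __name__ == "__main__":
    for prefix, origin in TABLE:
        print(f"{prefix:<18} AS{origin}: {validate(prefix, origin, ROAS)}")
    print(summarize(TABLE, ROAS))
```

Two details matter in practice: a route is only "invalid" when at least one ROA covers it (otherwise it is "not-found" and ROV-filtering ASes still accept it), and an AS0 ROA makes every covered announcement invalid, which is how holders signal that a prefix should not be routed at all.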
Next, we want to know whether an AS can reach a target; if it can, that suggests the AS does not perform ROV. This would be straightforward if we could place measurement machines inside every AS, but that does not scale.
To overcome this challenge, we use the IP-ID side channel, a technique that has been used in many other settings, such as counting hosts behind NATs, estimating traffic, or detecting censorship. One useful application of the IP-ID side channel is inferring whether two remote end hosts can communicate. With it, we can measure the reachability from a host to a target, and from that infer the ROV status of the host's AS.
To mitigate client-side errors such as transient connection failures, we find as many hosts as possible (at least 10) in a given AS and test their reachability to many targets, so that unreachability can be attributed to ROV with high confidence rather than to a single host's problems. We then compute the fraction of targets that were unreachable from all hosts in the AS; we call this the ROV ratio.
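To make the two preceding steps concrete, here is an added example (not RoVISTA code) that models the side-channel measurement and the per-AS aggregation end to end. It assumes the spoofed-SYN variant of the IP-ID side channel used by Augur-style censorship measurement: the measurement machine sends a SYN to the target with the reflector's address as its source, the target answers the reflector with a SYN-ACK, and the reflector replies with an RST (bumping its IP-ID) to every SYN-ACK it sees. If the reflector's AS has no route to the target's RPKI-invalid prefix, that RST is never delivered and the target keeps retransmitting its SYN-ACK, so the reflector's IP-ID advances by more than expected. Whether RoVISTA probes exactly this way is not stated in the post; the retransmit count, host addresses and ASNs are constructed.

```python
"""Toy model of reachability inference via the IP-ID side channel, aggregated
into a per-AS ROV ratio.

Added example, not RoVISTA code. Assumes the Augur-style spoofed-SYN side channel,
a target that retransmits an unanswered SYN-ACK SYN_ACK_RETRANSMITS times, and
reflectors with a single global IP-ID counter that are otherwise idle.
Hosts, ASNs and addresses are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

SYN_ACK_RETRANSMITS = 3   # assumption: the target retransmits an unanswered SYN-ACK 3 times
MIN_HOSTS_PER_AS = 10     # the post's threshold before an AS gets scored
REACHABLE, UNREACHABLE, INCONCLUSIVE = "reachable", "unreachable", "inconclusive"


@dataclass
class Reflector:
    """A host inside the AS under test, with a single global IP-ID counter."""
    ip: str
    asn: int
    ip_id: int = 0

    def sent_packet(self) -> None:
        self.ip_id = (self.ip_id + 1) & 0xFFFF     # 16-bit counter, one step per packet


def probe_ip_id(r: Reflector) -> int:
    """An unsolicited SYN-ACK from us draws an RST from the reflector; read its IP-ID."""
    r.sent_packet()
    return r.ip_id


def run_exchange(r: Reflector, can_reach_target: bool, background_packets: int = 0) -> int:
    """One spoofed-SYN exchange; returns the IP-ID delta seen between two probes."""
    before = probe_ip_id(r)
    r.sent_packet()                        # RST answering the target's first SYN-ACK
    if not can_reach_target:
        # RST dropped on the way to the RPKI-invalid prefix, so the target retransmits
        # its SYN-ACK and each retransmission costs the reflector another RST.
        for _ in range(SYN_ACK_RETRANSMITS):
            r.sent_packet()
    for _ in range(background_packets):    # unrelated traffic from a non-idle reflector
        r.sent_packet()
    after = probe_ip_id(r)
    return (after - before) & 0xFFFF


def classify(delta: int) -> str:
    """2 = our probe's RST + one RST to the target; more means the RST was never delivered."""
    if delta == 2:
        return REACHABLE
    if delta >= 2 + SYN_ACK_RETRANSMITS:
        return UNREACHABLE
    return INCONCLUSIVE


def rov_ratio(results: dict[tuple[str, str], str],
              reflectors: list[Reflector]) -> dict[int, float | None]:
    """Per AS, the fraction of targets unreachable from every host; None if too few hosts."""
    hosts_by_as: dict[int, list[str]] = defaultdict(list)
    for r in reflectors:
        hosts_by_as[r.asn].append(r.ip)
    targets = sorted({t for _, t in results})
    ratios: dict[int, float | None] = {}
    for asn, hosts in hosts_by_as.items():
        if len(hosts) < MIN_HOSTS_PER_AS:
            ratios[asn] = None
            continue
        blocked = sum(1 for t in targets
                      if all(results.get((h, t)) == UNREACHABLE for h in hosts))
        ratios[asn] = blocked / len(targets)
    return ratios


def build_demo() -> dict[int, float | None]:
    """Constructed scenario: one filtering AS, one non-filtering AS with a flaky host,
    and one AS with too few hosts to score."""
    targets = [f"203.0.113.{i}" for i in range(1, 6)]   # hosts in RPKI-invalid prefixes
    plan = [(64500, 12, True), (64501, 10, False), (64502, 3, True)]  # (asn, hosts, filters?)
    reflectors, results = [], {}
    for asn, n_hosts, filters in plan:
        for i in range(n_hosts):
            r = Reflector(ip=f"10.{asn - 64500}.0.{i + 1}", asn=asn)
            reflectors.append(r)
            for t in targets:
                # A transient failure on one host must not look like ROV for the whole AS.
                flaky = not filters and i == 0 and t == targets[0]
                results[(r.ip, t)] = classify(run_exchange(r, (not filters) and not flaky))
    return rov_ratio(results, reflectors)


if __name__ == "__main__":
    print(build_demo())    # {64500: 1.0, 64501: 0.0, 64502: None}
```

The classifier is deliberately strict: a delta that is neither the clean "reachable" value nor at least the full retransmission count is reported as inconclusive, because a reflector that sends its own traffic between the two probes adds noise to the counter. That noise, together with transient failures like the flaky host in the scenario, is why the aggregation only counts a target as filtered when every host in the AS failed to reach it and why an AS with fewer than ten hosts is not scored at all.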
What we’ve found using RoVISTA
Our team has been running RoVISTA since December 2021, and it works well. For example, Orange (AS5511) announced its ROV deployment on 27 June 2022, but RoVISTA had already detected Orange's ROV ratio jumping from 0% to 100% on 6 June 2022, three weeks earlier.
Among the so-called Tier-1 ASes, RoVISTA shows that Level 3 (AS3356), Telia (AS1299), GTT (AS3257), NTT America (AS2914), TATA Communications (AS6453), PCCW Global (AS3491), Orange (AS5511), AT&T (AS7018), Liberty Global (AS6830), Sprint (AS1239), and CenturyLink (AS209) filter more than 95% of the RPKI-invalid prefixes we tested, strongly suggesting that all of them have deployed ROV. So far, we have measured ROV filtering ratios for more than 27,000 ASes; see the results.
While our results are promising, validating the methodology poses several challenges. For example, even if every host we find in an AS consistently fails to reach RPKI-invalid prefixes, we cannot say for certain that the AS itself has deployed ROV: one of its upstream providers may have deployed ROV, leaving the AS with no route to the target. This is known as collateral benefit.
Some ASes also perform ROV selectively, depending on where an announcement comes from. For example, AT&T (AS7018) was found to drop RPKI-invalid routes learned from peers but not those learned from its customers. As we find more targets in different prefixes, we can characterize the ROV policy of each AS, but doing so is not trivial.
This is why we need your help to give us insight into your RPKI deployment so we can validate what we are measuring and confidently report on ROV adoption.
We are conducting a short survey asking network operators about their Resource Public Key Infrastructure (RPKI) deployment to help us validate our findings. The detailed methodology and analysis will be made publicly available.
If you have any questions or feedback, please email us. All results will be made publicly available via the RoVISTA website.
Thanks to MANRS for this great opportunity to communicate with network operators and also the Commonwealth Cyber Initiative and Comcast Innovation Fund for their financial support for this research.
Taejoong (Tijay) Chung is an Assistant Professor at Virginia Tech whose research goal is to secure the Internet. He is also a 2022 MANRS Research Fellow.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.