The Internet runs on BGP. Securing BGP is the foundation of Internet routing security.

But it is not only the protocol we must take care of. BGP as an application is also vulnerable to various threats, like route manipulation and route hijacking. BGP will originate whatever IP prefixes it is told to originate. It is up to network administrators to mitigate the risk of BGP misuse or exploit attempts. The Internet was meant to be a place for the well-behaved, but, being as enormous as it is today, it can not be based on trust anymore. Internet resources, like autonomous system numbers (ASNs) and IP prefixes, must be given a validatable proof of holdership. This kind of proof can be given by resource certification systems. The resource certificates offer the basics for secure Internet routing, particularly BGP route origin validation.

BGP route origin validation basically means answering the following question: “Is this route announcement authorised by the legitimate holder of the address space?”. The answer can be:

  • Yes, it is authorised and the route announcement is VALID.
  • No, the prefix is announced from an unauthorised autonomous system (AS), or it is more specific than the prefix length the authorisation allows – therefore INVALID.
  • We don’t have a clue about that route – route announcement validity is UNKNOWN.

First, we issue certificates to create Route Origin Authorisation (or Attestation) objects called ROAs, which certify from which autonomous systems certain prefixes will be originated and the maximum allowed prefix length for each originated prefix. With ROAs in place, routers can compare each route announcement to the ROAs and adjust their routing preference according to the route’s validity state.
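The three answers above are exactly the outcome of the RFC 6483 origin validation procedure: collect the ROAs whose prefix covers the announced prefix, then check the origin AS and the maximum length against each of them. The following Python is an added worked example (not code from the original post or from any validator) that implements that procedure over a constructed ROA set built from documentation prefixes and private-use ASNs; the ROA, validate and routing_action names are this example's own, and routing_action is a hypothetical policy, not Junos behaviour.

```python
# Added example (not from the original post): RFC 6483 route origin validation
# over a constructed ROA set. All prefixes and ASNs below are constructed
# (documentation prefixes, private-use ASNs), not real-world data.
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

VALID, INVALID, UNKNOWN = "valid", "invalid", "unknown"


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorisation: <prefix, maxLength, origin ASN>."""
    prefix: Network
    max_length: int
    asn: int


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting a maxLength outside [prefixlen, address size]."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} is invalid for {net}")
    return ROA(net, max_length, asn)


def covering_roas(roas: List[ROA], route: Network) -> List[ROA]:
    """ROAs whose prefix contains the announced prefix (the 'covering' ROAs)."""
    return [
        r for r in roas
        if r.prefix.version == route.version and route.subnet_of(r.prefix)
    ]


def validate(roas: List[ROA], prefix: str, origin_asn: int) -> str:
    """Classify one announcement into the post's three answers.

    - no covering ROA at all                          -> unknown
    - a covering ROA whose ASN matches the origin and
      whose maxLength >= the announced prefix length  -> valid
    - covering ROAs exist but none of them match      -> invalid
      (wrong origin AS, or announcement more specific than allowed)
    An AS 0 ROA can never match a real origin AS, so it makes every
    announcement of that prefix invalid ("do not route this prefix").
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, route)
    if not covering:
        return UNKNOWN
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return VALID
    return INVALID


def routing_action(state: str, local_pref: int = 100) -> dict:
    """Hypothetical policy (an assumption of this example, not Junos): tag the
    route with the community names used in the post and adjust preference
    by validity state: valid unchanged, unknown depreferred, invalid rejected."""
    if state == VALID:
        return {"accept": True, "local_pref": local_pref, "community": "RouteOriginValid"}
    if state == UNKNOWN:
        return {"accept": True, "local_pref": local_pref - 10, "community": "RouteOriginUnknown"}
    return {"accept": False, "local_pref": None, "community": "RouteOriginInvalid"}


# Constructed sample ROA set (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    make_roa("203.0.113.0/24", 24, 64496),
    make_roa("2001:db8::/32", 48, 64496),
    make_roa("198.51.100.0/24", 24, 0),  # AS 0 ROA: nobody may originate this
]


if __name__ == "__main__":
    announcements = [
        ("203.0.113.0/24", 64496),   # exact match            -> valid
        ("203.0.113.0/25", 64496),   # longer than maxLength  -> invalid
        ("203.0.113.0/24", 64497),   # wrong origin AS        -> invalid
        ("192.0.2.0/24", 64496),     # no covering ROA        -> unknown
        ("2001:db8:1::/48", 64496),  # within maxLength 48    -> valid
        ("2001:db8:1::/49", 64496),  # beyond maxLength 48    -> invalid
        ("198.51.100.0/24", 64496),  # covered by an AS 0 ROA -> invalid
    ]
    for pfx, asn in announcements:
        state = validate(SAMPLE_ROAS, pfx, asn)
        print(f"{pfx:18} AS{asn:<6} {state:8} {routing_action(state)}")
```

Note that a more-specific announcement is invalid even when it comes from the authorised AS: the maxLength in the ROA is what bounds it, which is why a ROA with a maxLength looser than what the holder actually announces widens the set of announcements that validate.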

The following snippet from a Junos OS configuration shows how to enable the validation process with two validators and how to use the validity check within a policy statement (please take this as an example only; here we are just marking the routes with communities, nothing more):

[edit routing-options validation]
group RouteOriginValidation {
    /* RIPE NCC rpki-validator */
    session a.c.d.e {
        refresh-time 300;
        hold-time 3600;
        preference 101;
        port 8282;
        local-address x.y.z.w;
    }
    /* RPKI Tools, rcynic/rtr-origin */
    session a.c.d.f {
        refresh-time 300;
        hold-time 3600;
        preference 99;
        port 8282;
        local-address x.y.z.w;
    }
}

[edit policy-options policy-statement RouteValidation]
term Valid {
    from {
        protocol bgp;
        validation-database valid;
    }
    then {
        validation-state valid;
        community add RouteOriginValid;
    }
}
term Invalid {
    from {
        protocol bgp;
        validation-database invalid;
    }
    then {
        validation-state invalid;
        community add RouteOriginInvalid;
    }
}
term Unknown {
    from {
        protocol bgp;
        validation-database unknown;
    }
    then {
        validation-state unknown;
        community add RouteOriginUnknown;
    }
}

You can check the validation status, route validity, etc. with various show commands, for example:

matjaz@juniper.re0> show validation ?
Possible completions:
  database             Show contents of route validation database
  group                Show route validation redundancy groups
  replication          Show route validation replication information
  session              Show route validation session information
  statistics           Show route validation statistics
{master}

matjaz@juniper.re0> show route validation-state ?
Possible completions:
  invalid              Invalid route validation state
  unknown              Unknown route validation state
  unverified           Unverified route validation state
  valid                Valid route validation state
{master}

matjaz@juniper.re0> show route x.10.137.0/24
inet.0: 479678 destinations, 785050 routes (479668 active, 10 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

x.10.137.0/24      *[BGP/200] 3d 11:48:31, MED 174118, localpref 142, from a.b.c.d
                      AS path: <some as-path> I, validation-state: invalid
                    > to e.f.g.h via irb.x

To validate the routes, I would recommend starting with two validators: the one from RIPE NCC and rcynic from the rpki.net project. Here is what their dashboards look like:

[Screenshot: RIPE NCC RPKI Validator dashboard]
[Screenshot: rcynic validator dashboard]


Finally, let me show you what the current status of RPKI-based BGP route origin validation looks like in the real Internet for IPv6 (2/2014). This graph shows (in grey) the number of all IPv6 prefixes in the DFZ (the full IPv6 BGP routing table). The ones with ROAs (green and red) are a minority and can be shown clearly only on a logarithmic scale. We have approximately 1,080 valid IPv6 prefixes out there, compared with 16,000 in all.

[Graph: all IPv6 prefixes in the DFZ (grey) versus prefixes with ROAs (green and red), logarithmic scale]

Among the ones with ROAs, about 1,000 are valid and 80 are invalid:

[Graph: IPv6 prefixes with ROAs, valid (green) versus invalid (red)]

We have no intention of looking into the reasons for the invalids in this post, maybe later on. However, it is interesting to see that the percentage of “invalids” is not decreasing, at least not as fast as we are hoping for.


References:
RFC 6483, Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations (ROAs)
RIPE NCC Resource Certification (RPKI)
RIPE NCC RPKI Validator
rcynic RPKI validator (cynical rsync)
