RPKI's 2022 Year in Review: growth & innovation
Dear all,

With 2023 at our doorstep, I'd like to share some perspective on how RPKI
evolved in the year 2022.

Impact on the Global Internet Routing System
============================================

Decision makers might wonder: is investing time and resources worth it?
What is the effectiveness of RPKI Route Origin Validation (RPKI-ROV)?
In the last year a number of interesting reports were published.

Even though less than half of BGP routes are covered by RPKI ROAs [6],
based on flow data, Kentik estimates [2] that nowadays the majority of IP
traffic is destined towards RPKI-valid BGP routes. Their follow-up report
[3] (analysing BGP control-plane data) suggests that evaluation of a BGP
route as RPKI-invalid reduces its propagation by anywhere between one half
and two thirds.

Cloudflare [4] published a report analysing data-plane connectivity
between a select number of ASes and RPKI-invalid destinations: they
estimate 6.5% (lower bound) of residential Internet users enjoy the
benefits of their ISP doing RPKI-ROV.

Another experiment report [5] (focussed on data-plane connectivity between
validators and RPKI-valid/RPKI-invalid destinations) concluded that the
existence of RPKI ROAs helped move 75% of test traffic towards the correct
destination.

The above metrics might appear all over the place (6.5% up to 75%), but
keep in mind these analyses are not mutually exclusive. Observations of
the Internet's topology are a function of the observer's vantage point.

All the referenced reports agree on key points:

* ROAs have a measurable & significant impact on global IP traffic delivery
* RPKI-ROV helps reduce the "blast radius" of BGP routing incidents
* They recommend continuing the global deployment of RPKI-ROV (rejecting
  RPKI-invalid BGP routes), and creating ROAs for all IP address space.
Year to Year Growth of the distributed RPKI database
====================================================

In comparison to "effectiveness", the bare existence, size, contents, and
number of Signed Objects in the globally distributed RPKI repository system
is much easier to quantify. The below table was constructed by comparing
two December 31st RPKIviews.org snapshots [1] of validated RPKI caches,
primed with the ARIN, AFRINIC, APNIC, LACNIC, and RIPE Trust Anchors.

                                       2021-12-31       2022-12-31
  Total cache size (KiB):                 996,216        1,240,572 (+24%)
  Total number of files (objects):        192,503          242,969 (+26%)
  Publication servers (FQDNs):                 36               52 (+44%)
  Certification authorities:               28,328           34,901 (+23%)
  Route origin authorizations:            101,645          138,323 (+36%)
  Unique VRPs:                            302,025          390,752 (+29%)
  IPv4 addresses covered:           1,139,561,719    1,354,270,410 (+19%)
  IPv6 addresses covered (*10^24):  7,499,405,083    9,446,853,925 (+26%)
  Unique origin ASNs in ROAs:              27,174           34,455 (+27%)

A healthy growth rate across the board!

With the ubiquitous availability of "Publication as a Service" hosted by
RIRs, I expect (and hope!) the growth of the number of distinct publication
servers to stall, or even drop in 2023.

The number of Certification Authorities (CAs) closely corresponds to the
number of RIR members (RIR customers) who opted to enable RPKI services for
their Internet Number Resources, making it a useful proxy metric to
understand how many organisations are creating RPKI ROAs.

A single Route Origin Authorization (ROA) can contain one or more Validated
ROA Payloads (VRPs), and one or multiple ROAs can contain the exact same
VRP information. "Unique" in the above table indicates the metric's
underlying data was deduplicated. Each ROA can only contain a single Origin
ASN. Multiple ROAs can refer to the same Origin ASN value.
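The two sections above lean on a handful of definitions: a ROA carries one origin ASN and one or more (prefix, maxLength) entries, several ROAs may yield the same VRP, and a validator classifies each BGP route as Valid, Invalid or NotFound against the deduplicated VRP set before a router drops the Invalid ones. The following Python script is an added example, not part of this mail or of any RPKI project's code; it expands a small set of constructed sample ROAs into VRPs, derives the same kind of counters as the table (ROAs, unique VRPs, unique origin ASNs, addresses covered, with overlapping prefixes collapsed so they are not double-counted), and then applies the Route Origin Validation procedure of RFC 6811 to a few constructed routes. All prefixes and ASNs are documentation values, and the names `ROA`, `VRP`, `repository_stats` and `validate_route` are this example's own.

```python
"""RPKI metrics and Route Origin Validation over constructed sample data.

Added example, not code from the mailing-list post. The ROAs and BGP routes
below are made up (documentation prefixes, private-use ASNs).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, collapse_addresses, ip_network
from typing import Dict, List, Set, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: one (origin ASN, prefix, maxLength) triple."""
    asn: int
    prefix: Net
    maxlen: int


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: exactly one origin ASN, one or more prefixes."""
    asn: int
    entries: Tuple[Tuple[str, int], ...]  # ((prefix, maxLength), ...)

    def vrps(self) -> List[VRP]:
        return [VRP(self.asn, ip_network(p, strict=True), ml) for p, ml in self.entries]


# Constructed sample repository. ROA #3 repeats the VRP of ROA #0 on purpose
# (two ROAs, one VRP), and ROA #4 sits inside the prefix of ROA #2 so that
# the address-coverage counter has an overlap to collapse.
SAMPLE_ROAS: List[ROA] = [
    ROA(64496, (("192.0.2.0/24", 24),)),
    ROA(64496, (("198.51.100.0/24", 26), ("2001:db8::/32", 48))),
    ROA(64497, (("203.0.113.0/24", 24),)),
    ROA(64496, (("192.0.2.0/24", 24),)),
    ROA(64498, (("203.0.113.128/25", 25),)),
]


def unique_vrps(roas: List[ROA]) -> Set[VRP]:
    """Deduplicate the VRPs produced by all ROAs, as a validator does."""
    return {v for r in roas for v in r.vrps()}


def repository_stats(roas: List[ROA]) -> Dict[str, int]:
    """Counters in the spirit of the year-over-year table above."""
    all_vrps = [v for r in roas for v in r.vrps()]
    uniq = set(all_vrps)
    v4 = [v.prefix for v in uniq if v.prefix.version == 4]
    v6 = [v.prefix for v in uniq if v.prefix.version == 6]
    # collapse_addresses() merges adjacent prefixes and drops ones already
    # covered by a larger prefix, so overlapping ROAs are counted once.
    return {
        "roas": len(roas),
        "vrps_total": len(all_vrps),
        "vrps_unique": len(uniq),
        "origin_asns": len({v.asn for v in uniq}),
        "ipv4_covered": sum(n.num_addresses for n in collapse_addresses(v4)),
        "ipv6_covered": sum(n.num_addresses for n in collapse_addresses(v6)),
    }


def validate_route(prefix: str, origin_asn: int, vrps: Set[VRP]) -> str:
    """RFC 6811 Route Origin Validation: Valid / Invalid / NotFound."""
    route = ip_network(prefix, strict=True)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"          # no ROA speaks about this prefix at all
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.maxlen:
            return "Valid"         # origin matches and length within maxLength
    return "Invalid"               # covered, but wrong origin or too specific


def apply_rov_policy(routes: List[Tuple[str, int]], vrps: Set[VRP]) -> List[Tuple[str, int, str]]:
    """Policy the referenced reports recommend: drop Invalid, keep the rest."""
    kept = []
    for prefix, asn in routes:
        state = validate_route(prefix, asn, vrps)
        if state != "Invalid":
            kept.append((prefix, asn, state))
    return kept


# Constructed BGP routes exercising each outcome.
SAMPLE_ROUTES: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),        # Valid
    ("192.0.2.0/25", 64496),        # Invalid: more specific than maxLength 24
    ("198.51.100.0/26", 64496),     # Valid: maxLength 26 allows the /26
    ("203.0.113.0/24", 64499),      # Invalid: wrong origin ASN
    ("203.0.113.128/25", 64498),    # Valid via the more specific VRP
    ("2001:db8::/64", 64496),       # Invalid: exceeds maxLength 48
    ("10.0.0.0/8", 64500),          # NotFound: no covering VRP
]

if __name__ == "__main__":
    for k, val in repository_stats(SAMPLE_ROAS).items():
        print(f"{k:>14}: {val:,}")
    for prefix, asn, state in apply_rov_policy(SAMPLE_ROUTES, unique_vrps(SAMPLE_ROAS)):
        print(f"accepted {prefix} AS{asn} ({state})")
```

Note that `validate_route` returns "Valid" as soon as any covering VRP matches, even when other covering VRPs (a less specific one from a different ASN, say) would not; that is the RFC 6811 rule and is why a more specific ROA can legitimately coexist with a covering one from another holder.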
Innovation through Standardisation
==================================

The IETF SIDROPS [7] working group (the designated forum in which
volunteers collaborate to define and specify open standards for RPKI and
RPKI-based technologies) was fairly productive in 2022 and managed to
publish 5 RFCs:

  RFC 9286 - Manifests for the RPKI (revision)
  RFC 9255 - The 'I' in RPKI Does Not Stand for Identity (clarification)
  RFC 9319 - The Use of maxLength in the RPKI (clarification)
  RFC 9323 - A Profile for RPKI Signed Checklists (RSCs) (innovation)
  RFC 9324 - Policy Based on the RPKI without Route Refresh (innovation)

The above body of work consists mostly of revisions of older work or
clarifications on how to use the RPKI. To me this demonstrates a somewhat
conservative approach (rather than innovation at breakneck speed), which I
consider a good thing.

Outlook & Conclusion
====================

Now that globally Route Origin Validation has advanced as far as it has,
the next obvious target is BGP path validation, to mitigate two distinct
problems: BGP route leaks and BGP AS_PATH spoofing. Both painful to network
operators!

While projects like OpenBSD's validator rpki-client and NLNetLabs' signer
Krill made significant headway to support both BGPsec and ASPA, the
industry as a whole (especially the BGP implementations) still has a decent
chunk of work ahead. Once the freshly-created software runs on BGP routers
and RIR portals offer BGPsec+ASPA functionality, operators need to
investigate initial deployment strategies.

RPKI clearly is the technology of choice to improve safety and security of
the global Internet routing system. Adoption of RPKI continues to grow.
I'm excited to learn how far we'll be at the end of 2023!

Kind regards,

Job

Sources:

[1]: RPKI Views - http://rpkiviews.org/
     http://josephine.sobornost.net/josephine.sobornost.net/rpkidata/2021/12/31/r...
     http://josephine.sobornost.net/josephine.sobornost.net/rpkidata/2022/12/31/r...
[2]: https://www.kentik.com/blog/measuring-rpki-rov-adoption-with-netflow/
     Bias warning: source data compiled from Kentik customer data
[3]: https://www.kentik.com/blog/how-much-does-rpki-rov-reduce-the-propagation-of...
     Bias warning: source data compiled from the Route Views BGP collector
     project
[4]: https://blog.cloudflare.com/rpki-updates-data/
     Caveat: the methodology might arrive at a lower coverage adoption rating
     due to suspected erroneous classification of RPKI-ROV enabled networks
     as 'non-validating' in cases where a default route (route of last
     resort) is present which provided a data-plane conduit. The presence of
     default routes does not in any way diminish the value of RPKI-ROV, but
     does distort some types of measurement.
[5]: https://labs.ripe.net/author/koen-van-hove/where-did-my-packet-go-measuring-...
[6]: https://rpki-monitor.antd.nist.gov/ROV/20221231.00/All/All/4
[7]: https://datatracker.ietf.org/wg/sidrops/about/
Job Snijders