SlideShare a Scribd company logo

btNOG 7: Measuring RPKI

APNIC
APNIC

APNIC Chief Scientist Geoff Huston gives a keynote presentation on measuring Route Origin Validation (ROV) from the perspective of the end user at btNOG 7, held online on 16 October 2020.

Internet
1 of 44
Download to read offline
Measuring the Effectiveness of Route Origin Validation Filtering using Invalid Drops from the perspective of the End User by using a Technique of Broad Scale Reachability Measurement Geoff Huston APNIC Labs
Measuring RPKI Geoff Huston APNIC
Routing Security What’s “the objective” of routing security?
Routing Security What’s “the objective” of routing security? qProtect the routing system from all forms of operator mishaps? qProtect the routing system from some forms of operator mishaps? qProtect the routing system from all hostile attacks? qProtect the routing system from some hostile attacks? qPrevent the routing of bogus address prefixes? qPrevent the use of bogus AS’s in the routing system? qPrevent all forms of synthetic routes from being injected into the routing system? qPrevent unauthorised route withdrawal? qProtect users from being directed to bogus destinations?
Routing Security Enforcing rules to ensure that the routes carried in BGP are both protocol-wise accurate and policy-wise accurate is well beyond the capabilities of BGP and viable BGP control mechanisms * Route Origin Validation is designed to prevent BGP speakers from learning and preferring routes that are not authorised by the prefix holder The intent of not preferring unauthorised routes is to prevent users from being steered along these bogus routes * BGP is not a deterministic protocol, but more of a negotiation protocol that attempts to find meta-stable ‘solutions to importer / export policy preferences simultaneously. Where the policies are incompatible the BGP “solution” is not necessarily reached deterministically and different outcomes will be seen at different times – see “BGP Wedgies” for an illustration of this form of indeterminism
Routing Security What’s “the objective” of routing security? qProtect the routing system from all forms of operator mishaps? qProtect the routing system from some forms of operator mishaps? qProtect the routing system from all hostile attacks? qProtect the routing system from some hostile attacks? qPrevent the routing of bogus address prefixes? qPrevent the use of bogus AS’s in the routing system? qPrevent all forms of synthetic routes from being injected into the routing system? qPrevent unauthorised route withdrawal? qProtect users from being directed along bogus routing paths?
Routing Security What’s “the objective” of routing security? qProtect the routing system from all forms of operator mishaps? qProtect the routing system from some forms of operator mishaps? qProtect the routing system from all hostile attacks? qProtect the routing system from some hostile attacks? qPrevent the routing of bogus address prefixes? qPrevent the use of bogus AS’s in the routing system? qPrevent all forms of synthetic routes from being injected into the routing system? qPrevent unauthorised route withdrawal? qProtect users from being directed to bogus destinations? All these other objectives are fine, but the primary purpose of the routing system is to deliver packets to their intended destination
Our Objective • To measure the “impact” of invalid route filtering on users • The question we want to answer here is user-centric: • What proportion of users can’t reach a destination when the destination route is invalid according to ROV? • We’d like to continue this as a long term whole-of-Internet measurement to track the increasing deployment of RoV filtering over the coming months and years
Measurement Approach If we are looking at the effectiveness of the secure routing system in blocking the ability to direct users along bogus routing paths, then this suggests a measurement approach: • Set up a bogus (RPKI RoV-invalid) routing path as the only route to a prefix • Direct a very large set of users from across the Internet to try to reach a web server located at this prefix • Use a ‘control’ of a valid routing path to the same destination • Measure and compare
Methodology • Set up a prefix and AS in a delegated RPKI repository • We used the Krill package to achieve this • It Just Worked! tm https://www.nlnetlabs.nl/projects/rpki/krill/
Counting RPKI Clients Number of Unique IP addresses per day performing a fetch from our RPKI repository
Methodology • Set a prefix and AS in a delegated RPKI repository • Regularly revoke and re-issue ROAs that flip the validity state between valid and invalid states # Flip to "good" at 00:00 on Fri/Mon/Thu 0 0 * * 1,4,5 /home/krill/.cargo/bin/krillc roas update --delta ./delta-in.txt > /tmp/krillc-in.log 2>&1 # Flip to "bad" at 12:00 on sat/Tue/Thu 0 12 * * 2,4,6 /home/krill/.cargo/bin/krillc roas update --delta ./delta-out.txt > /tmp/krillc-out.log 2>&1 These two scripts flip the ROA valid state between ‘good’ and’bad’ origin ASNs for the prifix
Methodology • Set a prefix and AS in a delegated RPKI repository • Regularly revoke and re-issue ROAs that flip the validity state between valid and invalid states • Anycast the prefix and AS pair in a number of locations across the Internet • We are using 3 locations: US (LA), DE (FRA), SG with diverse transit providers • The server at this location delivers 1x1 blots • This is IPv4-only at this point
Methodology • Set a prefix and AS in a delegated RPKI repository • Regularly revoke and re-issue ROAs that flip the validity state between valid and invalid states • Anycast the prefix and AS pair in a number of locations across the Internet • Load a unique URL that maps to the destination into a measurement script • The DNS component uses HTTPS and a unique DNS label component to try and ensure that the HTTP FETCH is not intercepted by middleware proxies
Methodology • Set a prefix and AS in a delegated RPKI repository • Regularly revoke and re-issue ROAs that flip the validity state between valid and invalid states • Anycast the prefix and AS pair in a number of locations across the Internet • Load a unique URL that maps to the destination into a measurement script • Feed the script into the advertising systems • This is part of the larger APNIC Labs ad-based measurement system – this test is one URL in a larger collection of URLs
Methodology • Set a prefix and AS in a delegated RPKI repository • Regularly revoke and re-issue ROAs that flip the validity state between valid and invalid states • Anycast the prefix and AS pair in a number of locations across the Internet • Load a unique URL that maps to the destination into a measurement script • Feed the script into the advertising systems • Collect and analyse data • We use the user record of successful fetch to avoid zombies and stalkers
Flipping ROA states • What’s a good frequency to flip states? • How long does it take for the routing system as a whole to learn that a previously valid route is now invalid? And how long for the inverse invalid to valid transition • Validity / Invalidity is determined by what is published at the RPKI publication point • Each transition is marked by revocation of the previous ROA’s EE certificate and the issuing of a new ROA and EE certificate • What’s the re-query interval for clients of a RPKI publication point? • There is no standard-defined re-query interval so implementors have exercised their creativity!
120 seconds is popular 600 seconds is also well used as is one hour What’s this? RPKI Pub Point Re-Query Intervals We are looking here at the average elapsed time between successive visits to the RPKI publication point server (krill logs
Re-Query – Cumulative Distribution Within 2 hours we see 75% of clients perform a requery
Why the tail lag? https://grafana.wikimedia.org/d/UwUa77GZk/rpki?panelId=59 &fullscreen&orgId=1&from=now-30d&to=now Clients can take a significant amount of time to complete a pass through the entire RPKI distributed repository set, which makes the entire system sluggish to respond to changes
We used 12 and 36 hour held states The route object validity state cycles over a 7 day period in a set of 12 and 36 hour intervals
We used 12 and 36 hour held states view from stat.ripe.net
We used 12 and 36 hour held states BGP Play view of the routing changes
We used 12 and 36 hour states This shows the per-second fetch rate when the route is valid (green) and invalid (red) over a 7 day window The route validity switches are clearly visible ”invalid” route state ”valid” route state
Transition – Valid to Invalid It takes some 30 minutes for the valid to invalid transition to take effect in this measurement It appears that this is a combination of slow re-query rates at the RPKI publication point and some delays in making changes to the filters being fed into the routers This system is dependant on the last transit ISP to withdraw Time of ROA change at the RPKI repository
Transition – Invalid to Valid It takes some 5 minutes for the invalid to valid transition to take effect in this measurement This system is dependant on the first transit ISP to announce, so it tracks the fastest system to react Time of ROA change at the RPKI repository
RPKI “sweep” software • There is a mix of 2, 10 and 60 minute timers being used • 2 minutes seems like a lot of thrashing with little in the way of outcome – the responsiveness of the system is held back by those clients using longer re-query timers • 60 minutes seems too slow • I’d go with a 10 minute query timer as a compromise here
User impact of RPKI filtering At 17% of users that’s a surprisingly large impact for a very recent technology https://stats.labs.apnic.net/rpki/XA
Results: User Impact of RPKI filtering – Jul 2020
Results: User Impact of RPKI filtering – Oct 2020
Why? This map is a mix of two factors • Networks that perform invalid route filtering
Why? This map is a mix of two factors • Networks that perform invalid route filtering and • Network that do not filter themselves by are customers of transit providers who filter In either case the basic RPKI RoV objective is achieved, in that end users and their networks are not exposed to invalid route objects
Recent Deployment of RPKI Drop Invalids in AS1221
What about the Local Region?
Bhutan
Bhutan?
Next Steps for Measurement This is a work in progress and would benefit from more refinement, including: • Adding more anycast servers with more transit diversity
Next Steps for Measurement (2) • Attempting selective traceroute from the anycast servers to identify the networks that are performing the RoV invalid filter drop? • The measurement setup detects the user impact but not the individual networks who are performing drop invalid. Selective traceroute may allow a better way to identify the point of invalid drop
Next Steps for Measurement (3) • Further analysis of BGP route updates in route collectors to determine route withdrawal and announcement patterns when RPKI validity changes? • What is the difference between the primary point of route withdrawal / announcement and the consequent propagation in eBGP to the surrounding networks
Questions we might want to think about Stub vs Transit • Is it necessary for every AS to operate RPKI ROV infrastructure and filter invalid routes? • If not, what’s the minimal set of filtering networks that could provide similar levels of filtering for the Internet as a whole • What’s the marginal benefit of stub AS performing RPKI ROV filtering?
Questions we might want to think about (2) Ingress vs Egress • Should a stub AS RPKI only RoV filter its own announcements? • Should every AS filter their own announcements? • What’s more important: Protecting others who DON’T RoV filter from your operational mishaps or protecting yourself from the mishaps of others?
Questions we might want to think about (3) Prefix vs AS • Should an AS be able to enumerate ALL of its originations in a AS-signed attestation?
What are we trying to achieve here? • If this is a routing protection measure then what are you trying to protect? From whom? From what threat? • If this is a user protection measure then the issue of route filtering is potentially a more important issue for transits not stubs • A stub should generate ROAs for its routes, but there is far less of an incentive to perform RoV invalid filtering if all of the the stub’s upstreams / IXs are already performing this filtering
Thanks!

Recommended

HKNOG 9.0: Measuring RPKI
HKNOG 9.0: Measuring RPKIHKNOG 9.0: Measuring RPKI
HKNOG 9.0: Measuring RPKIAPNIC
 
mnNOG 2020: The Journey [100% ROA Coverage]
mnNOG 2020: The Journey [100% ROA Coverage]mnNOG 2020: The Journey [100% ROA Coverage]
mnNOG 2020: The Journey [100% ROA Coverage]APNIC
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessAPNIC
 
mnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKImnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKIAPNIC
 
Certification
CertificationCertification
CertificationRIPE NCC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
RPKI Trust Anchor
RPKI Trust AnchorRPKI Trust Anchor
RPKI Trust AnchorAPNIC
 

Recommended

HKNOG 9.0: Measuring RPKI
HKNOG 9.0: Measuring RPKIHKNOG 9.0: Measuring RPKI
HKNOG 9.0: Measuring RPKIAPNIC
 
mnNOG 2020: The Journey [100% ROA Coverage]
mnNOG 2020: The Journey [100% ROA Coverage]mnNOG 2020: The Journey [100% ROA Coverage]
mnNOG 2020: The Journey [100% ROA Coverage]APNIC
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessAPNIC
 
mnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKImnNOG 2: Measuring RPKI
mnNOG 2: Measuring RPKIAPNIC
 
Certification
CertificationCertification
CertificationRIPE NCC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
RPKI Trust Anchor
RPKI Trust AnchorRPKI Trust Anchor
RPKI Trust AnchorAPNIC
 
SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingAPNIC
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityAPNIC
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringAPNIC
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIAPNIC
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
Resource Certification
Resource CertificationResource Certification
Resource CertificationRIPE NCC
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
 
IETF 79 - Diameter Over SCTP
IETF 79 - Diameter Over SCTPIETF 79 - Diameter Over SCTP
IETF 79 - Diameter Over SCTPVictor Pascual Ávila
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingAPNIC
 
APNIC RPKI Service Update: MyIX/MyNOG 2017
APNIC RPKI Service Update: MyIX/MyNOG 2017APNIC RPKI Service Update: MyIX/MyNOG 2017
APNIC RPKI Service Update: MyIX/MyNOG 2017APNIC
 
How Autodesk Delivers Seamless Customer Experience with Catchpoint
How Autodesk Delivers Seamless Customer Experience with CatchpointHow Autodesk Delivers Seamless Customer Experience with Catchpoint
How Autodesk Delivers Seamless Customer Experience with CatchpointDevOps.com
 
SANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationSANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationAPNIC
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingAPNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
 
Proof of Transit: Securely Verifying a Path or Service Chain
Proof of Transit: Securely Verifying a Path or Service ChainProof of Transit: Securely Verifying a Path or Service Chain
Proof of Transit: Securely Verifying a Path or Service ChainFrank Brockners
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
EMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast FailoverEMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast FailoverAruba, a Hewlett Packard Enterprise company
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end userAPNIC
 
AusNOG 2022: Measuring RPKI use in BGP
AusNOG 2022: Measuring RPKI use in BGPAusNOG 2022: Measuring RPKI use in BGP
AusNOG 2022: Measuring RPKI use in BGPAPNIC
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachBangladesh Network Operators Group
 

More Related Content

What's hot

SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingAPNIC
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityAPNIC
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringAPNIC
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIAPNIC
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
Resource Certification
Resource CertificationResource Certification
Resource CertificationRIPE NCC
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingAPNIC
 
APNIC RPKI Service Update: MyIX/MyNOG 2017
APNIC RPKI Service Update: MyIX/MyNOG 2017APNIC RPKI Service Update: MyIX/MyNOG 2017
APNIC RPKI Service Update: MyIX/MyNOG 2017APNIC
 
How Autodesk Delivers Seamless Customer Experience with Catchpoint
How Autodesk Delivers Seamless Customer Experience with CatchpointHow Autodesk Delivers Seamless Customer Experience with Catchpoint
How Autodesk Delivers Seamless Customer Experience with CatchpointDevOps.com
 
SANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationSANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationAPNIC
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingAPNIC
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...APNIC
 
Proof of Transit: Securely Verifying a Path or Service Chain
Proof of Transit: Securely Verifying a Path or Service ChainProof of Transit: Securely Verifying a Path or Service Chain
Proof of Transit: Securely Verifying a Path or Service ChainFrank Brockners
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end userAPNIC
 

What's hot (20)

SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet Routing
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)Security
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKI
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
Resource Certification
Resource CertificationResource Certification
Resource Certification
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental Website
 
IETF 79 - Diameter Over SCTP
IETF 79 - Diameter Over SCTPIETF 79 - Diameter Over SCTP
IETF 79 - Diameter Over SCTP
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet Routing
 
APNIC RPKI Service Update: MyIX/MyNOG 2017
APNIC RPKI Service Update: MyIX/MyNOG 2017APNIC RPKI Service Update: MyIX/MyNOG 2017
APNIC RPKI Service Update: MyIX/MyNOG 2017
 
How Autodesk Delivers Seamless Customer Experience with Catchpoint
How Autodesk Delivers Seamless Customer Experience with CatchpointHow Autodesk Delivers Seamless Customer Experience with Catchpoint
How Autodesk Delivers Seamless Customer Experience with Catchpoint
 
SANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationSANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generation
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet Routing
 
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
ICANN APAC-TWNIC Engagement Forum: Internet Number Registry Services - The Ne...
 
Proof of Transit: Securely Verifying a Path or Service Chain
Proof of Transit: Securely Verifying a Path or Service ChainProof of Transit: Securely Verifying a Path or Service Chain
Proof of Transit: Securely Verifying a Path or Service Chain
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
 
EMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast FailoverEMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast Failover
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end user
 

Similar to btNOG 7: Measuring RPKI

AusNOG 2022: Measuring RPKI use in BGP
AusNOG 2022: Measuring RPKI use in BGPAusNOG 2022: Measuring RPKI use in BGP
AusNOG 2022: Measuring RPKI use in BGPAPNIC
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challengesAPNIC
 
Adding Real-time Features to PHP Applications
Adding Real-time Features to PHP ApplicationsAdding Real-time Features to PHP Applications
Adding Real-time Features to PHP ApplicationsRonny López
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityAPNIC
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIAPNIC
 
haproxy-150423120602-conversion-gate01.pdf
haproxy-150423120602-conversion-gate01.pdfhaproxy-150423120602-conversion-gate01.pdf
haproxy-150423120602-conversion-gate01.pdfPawanVerma628806
 
Spirent SDN and NFV Solutions
Spirent SDN and NFV SolutionsSpirent SDN and NFV Solutions
Spirent SDN and NFV SolutionsMalathi Malla
 
Spirent Accelerating SDN and NFV Deployments
Spirent Accelerating SDN and NFV DeploymentsSpirent Accelerating SDN and NFV Deployments
Spirent Accelerating SDN and NFV DeploymentsSailaja Tennati
 
Role of Rest vs. Web Services and EI
Role of Rest vs. Web Services and EIRole of Rest vs. Web Services and EI
Role of Rest vs. Web Services and EIWSO2
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsAPNIC
 
Managing Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesManaging Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesIftach Schonbaum
 
Routing, Network Performance, and Role of Analytics
Routing, Network Performance, and Role of AnalyticsRouting, Network Performance, and Role of Analytics
Routing, Network Performance, and Role of AnalyticsAPNIC
 
End user-experience monitoring
End user-experience monitoring End user-experience monitoring
End user-experience monitoring Site24x7
 
Operating Kafka on AutoPilot mode @ DBS Bank (Arpit Dubey, DBS Bank) Kafka Su...
Operating Kafka on AutoPilot mode @ DBS Bank (Arpit Dubey, DBS Bank) Kafka Su...Operating Kafka on AutoPilot mode @ DBS Bank (Arpit Dubey, DBS Bank) Kafka Su...
Operating Kafka on AutoPilot mode @ DBS Bank (Arpit Dubey, DBS Bank) Kafka Su...confluent
 
Two Approaches You Must Consider when Architecting Radar Systems
Two Approaches You Must Consider when Architecting Radar SystemsTwo Approaches You Must Consider when Architecting Radar Systems
Two Approaches You Must Consider when Architecting Radar SystemsReal-Time Innovations (RTI)
 
Building Modern Digital Services on Scalable Private Government Infrastructur...
Building Modern Digital Services on Scalable Private Government Infrastructur...Building Modern Digital Services on Scalable Private Government Infrastructur...
Building Modern Digital Services on Scalable Private Government Infrastructur...Andrés Colón Pérez
 
Route service-pcf-techmeetup
Route service-pcf-techmeetupRoute service-pcf-techmeetup
Route service-pcf-techmeetupGwenn Etourneau
 

Similar to btNOG 7: Measuring RPKI (20)

AusNOG 2022: Measuring RPKI use in BGP
AusNOG 2022: Measuring RPKI use in BGPAusNOG 2022: Measuring RPKI use in BGP
AusNOG 2022: Measuring RPKI use in BGP
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges
 
Adding Real-time Features to PHP Applications
Adding Real-time Features to PHP ApplicationsAdding Real-time Features to PHP Applications
Adding Real-time Features to PHP Applications
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing Security
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKI
 
haproxy-150423120602-conversion-gate01.pdf
haproxy-150423120602-conversion-gate01.pdfhaproxy-150423120602-conversion-gate01.pdf
haproxy-150423120602-conversion-gate01.pdf
 
HAProxy
HAProxy HAProxy
HAProxy
 
Spirent SDN and NFV Solutions
Spirent SDN and NFV SolutionsSpirent SDN and NFV Solutions
Spirent SDN and NFV Solutions
 
Spirent Accelerating SDN and NFV Deployments
Spirent Accelerating SDN and NFV DeploymentsSpirent Accelerating SDN and NFV Deployments
Spirent Accelerating SDN and NFV Deployments
 
Role of Rest vs. Web Services and EI
Role of Rest vs. Web Services and EIRole of Rest vs. Web Services and EI
Role of Rest vs. Web Services and EI
 
RPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
 
Managing Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesManaging Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on Kubernetes
 
Routing, Network Performance, and Role of Analytics
Routing, Network Performance, and Role of AnalyticsRouting, Network Performance, and Role of Analytics
Routing, Network Performance, and Role of Analytics
 
End user-experience monitoring
End user-experience monitoring End user-experience monitoring
End user-experience monitoring
 
Operating Kafka on AutoPilot mode @ DBS Bank (Arpit Dubey, DBS Bank) Kafka Su...
Operating Kafka on AutoPilot mode @ DBS Bank (Arpit Dubey, DBS Bank) Kafka Su...Operating Kafka on AutoPilot mode @ DBS Bank (Arpit Dubey, DBS Bank) Kafka Su...
Operating Kafka on AutoPilot mode @ DBS Bank (Arpit Dubey, DBS Bank) Kafka Su...
 
teste
testeteste
teste
 
Two Approaches You Must Consider when Architecting Radar Systems
Two Approaches You Must Consider when Architecting Radar SystemsTwo Approaches You Must Consider when Architecting Radar Systems
Two Approaches You Must Consider when Architecting Radar Systems
 
Building Modern Digital Services on Scalable Private Government Infrastructur...
Building Modern Digital Services on Scalable Private Government Infrastructur...Building Modern Digital Services on Scalable Private Government Infrastructur...
Building Modern Digital Services on Scalable Private Government Infrastructur...
 
Route service-pcf-techmeetup
Route service-pcf-techmeetupRoute service-pcf-techmeetup
Route service-pcf-techmeetup
 

More from APNIC

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 

More from APNIC (20)

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 

Recently uploaded

VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Standkumarajju5765
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 

Recently uploaded (20)

VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 

btNOG 7: Measuring RPKI

  • 1. Measuring the Effectiveness of Route Origin Validation Filtering using Invalid Drops from the perspective of the End User by using a Technique of Broad Scale Reachability Measurement Geoff Huston APNIC Labs
  • 3. Routing Security What’s “the objective” of routing security?
  • 4. Routing Security What’s “the objective” of routing security? qProtect the routing system from all forms of operator mishaps? qProtect the routing system from some forms of operator mishaps? qProtect the routing system from all hostile attacks? qProtect the routing system from some hostile attacks? qPrevent the routing of bogus address prefixes? qPrevent the use of bogus AS’s in the routing system? qPrevent all forms of synthetic routes from being injected into the routing system? qPrevent unauthorised route withdrawal? qProtect users from being directed to bogus destinations?
  • 5. Routing Security Enforcing rules to ensure that the routes carried in BGP are both protocol-wise accurate and policy-wise accurate is well beyond the capabilities of BGP and viable BGP control mechanisms * Route Origin Validation is designed to prevent BGP speakers from learning and preferring routes that are not authorised by the prefix holder The intent of not preferring unauthorised routes is to prevent users from being steered along these bogus routes * BGP is not a deterministic protocol, but more of a negotiation protocol that attempts to find meta-stable ‘solutions to importer / export policy preferences simultaneously. Where the policies are incompatible the BGP “solution” is not necessarily reached deterministically and different outcomes will be seen at different times – see “BGP Wedgies” for an illustration of this form of indeterminism
  • 6. Routing Security What’s “the objective” of routing security? qProtect the routing system from all forms of operator mishaps? qProtect the routing system from some forms of operator mishaps? qProtect the routing system from all hostile attacks? qProtect the routing system from some hostile attacks? qPrevent the routing of bogus address prefixes? qPrevent the use of bogus AS’s in the routing system? qPrevent all forms of synthetic routes from being injected into the routing system? qPrevent unauthorised route withdrawal? qProtect users from being directed along bogus routing paths?
  • 7. Routing Security What’s “the objective” of routing security? qProtect the routing system from all forms of operator mishaps? qProtect the routing system from some forms of operator mishaps? qProtect the routing system from all hostile attacks? qProtect the routing system from some hostile attacks? qPrevent the routing of bogus address prefixes? qPrevent the use of bogus AS’s in the routing system? qPrevent all forms of synthetic routes from being injected into the routing system? qPrevent unauthorised route withdrawal? qProtect users from being directed to bogus destinations? All these other objectives are fine, but the primary purpose of the routing system is to deliver packets to their intended destination
  • 8. Our Objective • To measure the “impact” of invalid route filtering on users • The question we want to answer here is user-centric: • What proportion of users can’t reach a destination when the destination route is invalid according to ROV? • We’d like to continue this as a long term whole-of-Internet measurement to track the increasing deployment of RoV filtering over the coming months and years
  • 9. Measurement Approach If we are looking at the effectiveness of the secure routing system in blocking the ability to direct users along bogus routing paths, then this suggests a measurement approach: • Set up a bogus (RPKI RoV-invalid) routing path as the only route to a prefix • Direct a very large set of users from across the Internet to try to reach a web server located at this prefix • Use a ‘control’ of a valid routing path to the same destination • Measure and compare
  • 10. Methodology • Set up a prefix and AS in a delegated RPKI repository • We used the Krill package to achieve this • It Just Worked! tm https://www.nlnetlabs.nl/projects/rpki/krill/
  • 11. Counting RPKI Clients Number of Unique IP addresses per day performing a fetch from our RPKI repository
  • 12. Methodology • Set a prefix and AS in a delegated RPKI repository • Regularly revoke and re-issue ROAs that flip the validity state between valid and invalid states # Flip to "good" at 00:00 on Fri/Mon/Thu 0 0 * * 1,4,5 /home/krill/.cargo/bin/krillc roas update --delta ./delta-in.txt > /tmp/krillc-in.log 2>&1 # Flip to "bad" at 12:00 on sat/Tue/Thu 0 12 * * 2,4,6 /home/krill/.cargo/bin/krillc roas update --delta ./delta-out.txt > /tmp/krillc-out.log 2>&1 These two scripts flip the ROA valid state between ‘good’ and’bad’ origin ASNs for the prifix
  • 13. Methodology • Set a prefix and AS in a delegated RPKI repository • Regularly revoke and re-issue ROAs that flip the validity state between valid and invalid states • Anycast the prefix and AS pair in a number of locations across the Internet • We are using 3 locations: US (LA), DE (FRA), SG with diverse transit providers • The server at this location delivers 1x1 blots • This is IPv4-only at this point
  • 14. Methodology • Set a prefix and AS in a delegated RPKI repository • Regularly revoke and re-issue ROAs that flip the validity state between valid and invalid states • Anycast the prefix and AS pair in a number of locations across the Internet • Load a unique URL that maps to the destination into a measurement script • The DNS component uses HTTPS and a unique DNS label component to try and ensure that the HTTP FETCH is not intercepted by middleware proxies
  • 15. Methodology • Set a prefix and AS in a delegated RPKI repository • Regularly revoke and re-issue ROAs that flip the validity state between valid and invalid states • Anycast the prefix and AS pair in a number of locations across the Internet • Load a unique URL that maps to the destination into a measurement script • Feed the script into the advertising systems • This is part of the larger APNIC Labs ad-based measurement system – this test is one URL in a larger collection of URLs
  • 16. Methodology • Set a prefix and AS in a delegated RPKI repository • Regularly revoke and re-issue ROAs that flip the validity state between valid and invalid states • Anycast the prefix and AS pair in a number of locations across the Internet • Load a unique URL that maps to the destination into a measurement script • Feed the script into the advertising systems • Collect and analyse data • We use the user record of successful fetch to avoid zombies and stalkers
  • 17. Flipping ROA states • What’s a good frequency to flip states? • How long does it take for the routing system as a whole to learn that a previously valid route is now invalid? And how long for the inverse invalid to valid transition • Validity / Invalidity is determined by what is published at the RPKI publication point • Each transition is marked by revocation of the previous ROA’s EE certificate and the issuing of a new ROA and EE certificate • What’s the re-query interval for clients of a RPKI publication point? • There is no standard-defined re-query interval so implementors have exercised their creativity!
  • 18. 120 seconds is popular 600 seconds is also well used as is one hour What’s this? RPKI Pub Point Re-Query Intervals We are looking here at the average elapsed time between successive visits to the RPKI publication point server (krill logs
  • 19. Re-Query – Cumulative Distribution Within 2 hours we see 75% of clients perform a requery
  • 20. Why the tail lag? https://grafana.wikimedia.org/d/UwUa77GZk/rpki?panelId=59 &fullscreen&orgId=1&from=now-30d&to=now Clients can take a significant amount of time to complete a pass through the entire RPKI distributed repository set, which makes the entire system sluggish to respond to changes
  • 21. We used 12 and 36 hour held states The route object validity state cycles over a 7 day period in a set of 12 and 36 hour intervals
  • 22. We used 12 and 36 hour held states view from stat.ripe.net
  • 23. We used 12 and 36 hour held states BGP Play view of the routing changes
  • 24. We used 12 and 36 hour states This shows the per-second fetch rate when the route is valid (green) and invalid (red) over a 7 day window The route validity switches are clearly visible ”invalid” route state ”valid” route state
  • 25. Transition – Valid to Invalid It takes some 30 minutes for the valid to invalid transition to take effect in this measurement It appears that this is a combination of slow re-query rates at the RPKI publication point and some delays in making changes to the filters being fed into the routers This system is dependant on the last transit ISP to withdraw Time of ROA change at the RPKI repository
  • 26. Transition – Invalid to Valid It takes some 5 minutes for the invalid to valid transition to take effect in this measurement This system is dependant on the first transit ISP to announce, so it tracks the fastest system to react Time of ROA change at the RPKI repository
  • 27. RPKI “sweep” software • There is a mix of 2, 10 and 60 minute timers being used • 2 minutes seems like a lot of thrashing with little in the way of outcome – the responsiveness of the system is held back by those clients using longer re-query timers • 60 minutes seems too slow • I’d go with a 10 minute query timer as a compromise here
  • 28. User impact of RPKI filtering At 17% of users that’s a surprisingly large impact for a very recent technology https://stats.labs.apnic.net/rpki/XA
  • 29. Results: User Impact of RPKI filtering – Jul 2020
  • 30. Results: User Impact of RPKI filtering – Oct 2020
  • 31. Why? This map is a mix of two factors • Networks that perform invalid route filtering
  • 32. Why? This map is a mix of two factors • Networks that perform invalid route filtering and • Network that do not filter themselves by are customers of transit providers who filter In either case the basic RPKI RoV objective is achieved, in that end users and their networks are not exposed to invalid route objects
  • 33. Recent Deployment of RPKI Drop Invalids in AS1221
  • 34. What about the Local Region?
  • 37. Next Steps for Measurement This is a work in progress and would benefit from more refinement, including: • Adding more anycast servers with more transit diversity
  • 38. Next Steps for Measurement (2) • Attempting selective traceroute from the anycast servers to identify the networks that are performing the RoV invalid filter drop? • The measurement setup detects the user impact but not the individual networks who are performing drop invalid. Selective traceroute may allow a better way to identify the point of invalid drop
  • 39. Next Steps for Measurement (3) • Further analysis of BGP route updates in route collectors to determine route withdrawal and announcement patterns when RPKI validity changes? • What is the difference between the primary point of route withdrawal / announcement and the consequent propagation in eBGP to the surrounding networks
  • 40. Questions we might want to think about Stub vs Transit • Is it necessary for every AS to operate RPKI ROV infrastructure and filter invalid routes? • If not, what’s the minimal set of filtering networks that could provide similar levels of filtering for the Internet as a whole • What’s the marginal benefit of stub AS performing RPKI ROV filtering?
  • 41. Questions we might want to think about (2) Ingress vs Egress • Should a stub AS RPKI only RoV filter its own announcements? • Should every AS filter their own announcements? • What’s more important: Protecting others who DON’T RoV filter from your operational mishaps or protecting yourself from the mishaps of others?
  • 42. Questions we might want to think about (3) Prefix vs AS • Should an AS be able to enumerate ALL of its originations in a AS-signed attestation?
  • 43. What are we trying to achieve here? • If this is a routing protection measure then what are you trying to protect? From whom? From what threat? • If this is a user protection measure then the issue of route filtering is potentially a more important issue for transits not stubs • A stub should generate ROAs for its routes, but there is far less of an incentive to perform RoV invalid filtering if all of the the stub’s upstreams / IXs are already performing this filtering