Minutes
SIG: Routing
Wednesday 7 September 2005, Melia Hotel, Hanoi, Vietnam
Meeting commenced: 2:00 pm
Chair: Philip Smith
Co-chair: Randy Bush
The Chair thanked the sponsors and introduced the SIG and explained the agenda.
Contents
- Open action items
- Auto-detecting hijacked prefixes
- AS consumption patterns
- APNIC resource certification
- Determining "Tier 1" status through ASPATH analysis
- Deployment of IRR in JP and routing security
- BGP flap damping: Where now?
- Allocation - announcement: How long before prefixes are used?
Open action items
- None.
Auto-detecting hijacked prefixes
- The presenter noted that the initial analysis did not seek to focus on prefixes considered to be obvious spammers.
- It was noted that some other research appears to indicate experiments by some military networks to hijack the address space of other countries.
- It was explained that the analysis did not examine the length of time an address was in production, but rather the time it was dormant.
- It was noted that this presentation focused on hijackers that are looking to get hold of space for a longer term. At University of Oregon there is work to examine announcements of much shorter periods, generally by spammers using addresses for minutes or even seconds. It was noted that there is an immense amount of this happening. This raises questions of defining what constitutes "abuse".
- None.
AS consumption patterns
- It was noted that there are many ASNs that may appear on local routing tables but never appear globally. It was suggested that some may also be used as VPN IDs.
- It was suggested that the industry may now be entering a period of increased ASN usage. It was agreed that from time to time there appear to be events that prompt temporary spikes in AS number consumption.
- The presenter explained that introducing a major new protocol into networks takes a long time, which is why he recommends such a long transition period. To avoid disruption, it is better to move before you are forced to move.
- Vendors generally take the view that no new features will be introduced until the bigger customers demand it. The bigger players have their ASNs and the new players don't have sufficient weight to move the vendors.
- It was suggested that it is ill-advised to ascribe motives to ISPs. Rather, it is more likely the problems will come from actually rolling out the new protocol and getting people to try it and identify other complex features in vendor implementations that might break.
- None.
APNIC resource certification
- It was clarified that the serial numbers are not globally unique, only unique in the particular CA.
- There was an observation about the need to provide for a division of roles about the various uses of address resources within an organisation, without compromising the block on sub-dividing the resources.
- It was noted that resource management and DNS management may not necessarily be tied in this method.
- It was noted that it is good that APNIC is intending to return work to the open source community.
- It was noted that the issue of certificate renewal will be one of the most important ones to discuss. It was noted that it is fundamental to the model proposed that there must be a lifetime. It was also noted that X.509 objects should have finite life. It was suggested that there may need to be methods for automatic renewal and revocation.
- It was suggested that legacy address holders may now be forced into a continuing obligation with APNIC. This raises an issue of the viability of networks being tied to a relationship with APNIC. Currently the trust relationship is between ISPs, but the proposed model replaces this. It must be managed in a way that is not seen as threatening a business operation.
- It was suggested that the revocation date is less of an issue than the renewal process, especially for those with legacy resources.
- None.
Determining "Tier 1" status through ASPATH analysis
- It was suggested that not knowing details of the routes a Route Views peer is announcing provides a continuing problem for routing collectors.
- It was also suggested that it would also be interesting to perform this analysis in reverse, inferring the relationships from the routing data.
- There was a discussion of work by Sprint which involved inferring relationships and which revealed that upstreams actually got leaked to upstreams and other peers. It was suggested that this presenter should consider running the Sprint algorithms over the data collected for this project.
- However, it was noted that the Sprint paper has been subject to considerable criticism.
- It was noted that the research presented here will continue and be expanded to look at other aspects of peering relationships, but that this will require more data.
- The presenter noted that performing this analysis on a global scale is more complex and so is looking to find ways to scale the logic down in a verifiable way.
- None.
Deployment of IRR in JP and routing security
- It was noted that there is a discussion ongoing with the CRISP Working Group on this topic. It was pointed out that there is a difference between referencing and mirroring information and there needs to be more debate about the best approach. CRISP allows for referencing, but other technologies are available for mirroring.
- It was explained that it is preferable to require registration in only one place.
- The presenter encouraged feedback and comment from the community on the ongoing work on this project.
- None.
BGP flap damping: Where now?
- There was a comment from the floor about an actual experience at having a route damped at a local exchange.
- It was noted that problems were caused by vendors implementing prefix damping rather than path damping.
- None.
Allocation - announcement: How long before prefixes are used?
- There was a discussion about the starting date of the available data and whether that would raise problems for the analysis. The presenter noted that he would take this into account for some future calculations.
- There was also an observation about the accuracy of the ARIN data. It was explained that most of the known issues relating to the ARIN data were cleaned up before the analysis.
- The presenter acknowledged the work of the ARIN engineering staff in helping to prepare the data.
- None.
Auto-detecting hijacked prefixes
Geoff Huston, APNIC
The presenter described this presentation as the account of a failed experiment to see if there were ways of auto-detecting hijacked address space. Unauthorised use of address space is a common practice, generally used for illegitimate purposes. Address hijacking is generally related to allocated address space rather than unallocated IANA space. The presenter sought to identify the prevalence of address hijacking.
The presenter described his attempt to describe a hijacked address "signature" and the methods he could use to detect that signature. He provided an overview of his use of Route Views from the University of Oregon to gather information about address prefixes in use.
The presenter noted that BGP update logs may not be helpful in this search, due to high frequency noise of BGP convergence and low frequency noise related to network connectivity. To overcome this problem, the presenter used BGP snapshots rather than logs.
The presenter examined the re-advertisement of prefixes with different origin and first hop ASNs, which showed that the probability of a withdrawn prefix reappearing is constant - there is a constant reappearance of old address prefixes in the routing system in new Autonomous Systems. This was unlikely to represent hijacking alone, so the presenter then narrowed his search to those prefixes that were re-announced for only very short periods. Again, this analysis failed to provide predictive information about hijacked prefixes.
The presenter concluded that this technique provides no real way of distinguishing a genuine routing request from an illegitimate one. This raises the question of routing security. He noted that today there is a relatively insecure routing system that is vulnerable to various forms of deliberate disruption and subversion.
The presenter suggested the need for a public key infrastructure for automated validation of authenticity of address objects, authenticity of the origin AS, and explicit authority to make a route announcement. He suggested that the certification should also refer to the address allocation path, that it was associated with the route advertisement, and that validation was treated as a route object preference indicator. Such a system would make address hijacking highly unlikely, as it would require people to steal private keys.
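The snapshot comparison described above, as an added illustration that is not the presenter's code or the Route Views tooling: it tracks each prefix's origin and first-hop AS across a constructed series of routing-table snapshots and reports prefixes that went dormant and came back with a different signature, together with how long the new announcement survived.

```python
# Added example: scan a series of routing-table snapshots for prefixes that
# went dormant and came back from a different origin or first-hop AS, the
# "signature" the presentation looked for. Constructed sample data only;
# this is not the presenter's code or the Route Views tooling.

# snapshot number -> {prefix: AS path, collector side first, origin AS last}
SNAPSHOTS = {
    1: {"192.0.2.0/24": [64500, 64510, 65001], "198.51.100.0/24": [64500, 65002]},
    2: {"192.0.2.0/24": [64500, 64510, 65001], "198.51.100.0/24": [64500, 65002]},
    3: {"198.51.100.0/24": [64500, 65002]},                    # 192.0.2.0/24 withdrawn
    4: {"198.51.100.0/24": [64500, 65002]},
    5: {"198.51.100.0/24": [64500, 65002]},
    6: {"192.0.2.0/24": [64500, 64520, 65099], "198.51.100.0/24": [64500, 65002]},  # back, new origin
    7: {"198.51.100.0/24": [64500, 65002]},                    # and gone again
}


def signature(path):
    """(origin AS, AS that handed it the route): the pair compared between sightings."""
    return path[-1], (path[-2] if len(path) > 1 else None)


def reappearances(snapshots, min_dormant=2):
    """List prefixes absent for at least `min_dormant` consecutive snapshots that
    then reappear with a changed signature, and how many snapshots the new
    announcement survives (short lifetimes were the second filter in the talk)."""
    days = sorted(snapshots)
    last_seen = {}                      # prefix -> (snapshot, signature)
    events = []
    for pos, day in enumerate(days):
        for prefix, path in snapshots[day].items():
            sig = signature(path)
            if prefix in last_seen:
                prev_day, prev_sig = last_seen[prefix]
                dormant = day - prev_day - 1        # snapshots with no sighting in between
                if dormant >= min_dormant and sig != prev_sig:
                    lifetime = 0                    # consecutive snapshots the new route persists
                    for later in days[pos:]:
                        later_path = snapshots[later].get(prefix)
                        if later_path is None or signature(later_path) != sig:
                            break
                        lifetime += 1
                    events.append({"prefix": prefix, "old": prev_sig, "new": sig,
                                   "dormant": dormant, "lifetime": lifetime})
            last_seen[prefix] = (day, sig)
    return events


if __name__ == "__main__":
    for e in reappearances(SNAPSHOTS):
        print(f"{e['prefix']}: origin {e['old'][0]} -> {e['new'][0]}, "
              f"dormant {e['dormant']} snapshots, new announcement lasted {e['lifetime']}")
```

As the talk concluded, such a list is only a set of candidates for review: a legitimate re-assignment of old space produces exactly the same pattern.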
Questions and discussion
Action items
AS consumption patterns
Geoff Huston, APNIC
This presentation described work to examine the depletion of the AS number pool. There are 64,510 ASNs available for use in total. So far, 39,934 have been used and it appears that the pool will become exhausted.
The presenter noted that there is an Internet draft describing 4-byte AS numbers and a transition mechanism, although this draft has been dormant for some time. There is a need for very careful testing of any new AS implementation so as to not disrupt the routing system. Existing AS holders will not be required to take action under the proposed system, but those adopting the new protocol will need to make appropriate arrangements. The presenter suggested the transition would require at least three to four years.
The presenter described the methodology for predicting the consumption of the AS pool. It is not clear whether current consumption is purely linear or slightly exponential. The analysis, therefore, was based on projecting in both ways, suggesting exhaustion of the IANA AS pool between 2001 and 2014. Projections based on the RIR data suggested exhaustion of the RIR pool between 2010 and 2014. The presenter noted that 13,000 ASNs are not announced in the BGP table. The ratio of unadvertised to advertised ASNs appears to be slowly declining in a linear trend. The presenter combined the various methods of analysis and sought to find the best possible projection. The presenter concluded that the most likely date for exhaustion is around August 2010, assuming unused ASNs are not recovered.
If the transition will take three to four years, then it will be necessary to start within the next year to avoid problems in the transition.
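The "project both ways" method summarised above, as an added example that is not the presenter's analysis: it fits a linear and an exponential (log-linear) model to a cumulative consumption series and solves each for the year the fitted curve reaches the pool size. Only the pool size (64,510) and the 2005 figure (39,934) come from the presentation; the earlier yearly values are constructed.

```python
# Added example: project 2-byte AS number exhaustion under a linear and an
# exponential growth model, the "both ways" approach the presentation described.
# The yearly series below is constructed for illustration, not IANA or RIR data;
# only the pool size and the 2005 figure come from the presentation.
import math

POOL = 64510   # 2-byte ASNs available for use, per the presentation

# year -> cumulative ASNs consumed (constructed; last value is the page's 39,934)
SERIES = {2000: 18000, 2001: 24000, 2002: 28500, 2003: 32000, 2004: 36000, 2005: 39934}


def fit_line(xs, ys):
    """Ordinary least squares for y = a + b*x; returns (a, b)."""
    n = len(xs)
    sx, sy = sum(xs), sum(ys)
    sxx = sum(x * x for x in xs)
    sxy = sum(x * y for x, y in zip(xs, ys))
    b = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    return (sy - b * sx) / n, b


def project_exhaustion(series, pool=POOL):
    """Return (linear_year, exponential_year): fractional years at which each
    fitted curve reaches `pool`. The exponential fit is a line through log(count)."""
    years = sorted(series)
    base = years[0]                       # centre x on the first year for numerical sanity
    xs = [y - base for y in years]
    counts = [series[y] for y in years]
    a, b = fit_line(xs, counts)
    linear = base + (pool - a) / b
    la, lb = fit_line(xs, [math.log(c) for c in counts])
    exponential = base + (math.log(pool) - la) / lb
    return linear, exponential


def year_month(fractional_year):
    """Split a fractional year into (year, month 1-12) for reporting."""
    year = int(fractional_year)
    return year, int((fractional_year - year) * 12) + 1


if __name__ == "__main__":
    lin, exp = project_exhaustion(SERIES)
    print("linear model exhausts in %d-%02d" % year_month(lin))
    print("exponential model exhausts in %d-%02d" % year_month(exp))
```

The gap between the two dates is the uncertainty the presenter was describing; neither model accounts for recovery of unused ASNs.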
Questions and discussion
Action items
APNIC resource certification
George Michaelson, APNIC
The presenter provided an overview of the APNIC plans to establish a new resource certification service. He emphasised that at this stage he was making a purely informational presentation, but that it would, in time, produce more substantive outcomes, including possible policy implications.
The speaker noted that RFC 3779 has been created to address the need for AS and route validity checks, and that it used a hierarchical model following the chain of authority down from the top level registrar.
RFC 3779 defines X.509 certificate extensions, which can create a framework for providing information about the authority to use resources. Under the proposed framework, IANA will be able to certify APNIC's authority to allocate resources. The presenter described the format of the certificates that would be used. APNIC would use the 'CA bit' to create an ability to create and certify other certificates. In this way, certificates can, for example, be used to prevent address blocks from being split up in unauthorised ways.
The presenter described the expected timeline for this project, which would include a trial in the fourth quarter of 2005, a pilot in early 2006, and full service by later in 2006.
APNIC will develop some tools and facilities that may be made available as open source software, as well as some tools specific to MyAPNIC.
It was explained that the lifetime of the certificate should generally be bound by the life of the relationship between APNIC and the resource holder, although it may be longer than the one year membership cycle.
Questions and discussion
Action items
[Break 3:25 - 4:00 pm]
Determining "Tier 1" status through ASPATH analysis
Gaurab Raj Upadhaya, Lahai
Presentation [pdf]
The presenter noted that this presentation reports on a work in progress. The presenter noted that there is no single routing table, so the work takes data from multiple sources. The hypothesis being tested in this work is that no more than one Tier 1 ASN should appear in any ASPATH.
The researchers examined the 20 most frequently occurring ASNs in all observed AS paths. The data was taken from the third day of each month from January to September 2005.
The presenter noted that the tests revealed some peculiarities, including a customer that appeared to be between two ASNs on the Tier 1 list. The presenter also reviewed some other anomalies that appeared in the observations. In the Japanese data set, there was only one anomaly, observed in June. In the OIX dataset, there were many anomalies observed throughout the course of the observations. However, by removing AS4637 from the observed list, the number of anomalies dropped considerably. This tends to confirm the hypothesis that Reach may not actually be a Tier 1 provider.
The presenter noted that Tier 1 is a socio-economic concept, but a provider's claim to be a Tier 1 provider can be tested using the methods presented here.
The presenter reviewed the planned next steps in this project.
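The hypothesis test described above, as an added example that is not the presenter's code: it counts AS paths carrying more than one ASN from a candidate Tier 1 list, flags the "customer between two Tier 1s" case, and shows how many anomalies remain when each candidate is dropped. The paths and the candidate list are constructed; AS4637 is included only because the talk singled it out, and the other ASNs are arbitrary.

```python
# Added example: test the presentation's hypothesis that no more than one
# Tier 1 ASN should appear in any AS path, and measure how many anomalies
# disappear when each candidate is dropped from the Tier 1 list. The paths and
# the candidate list are constructed; AS4637 is included because the talk
# singled it out, the other ASNs are arbitrary. Not the presenter's code.

TIER1_CANDIDATES = {1239, 3356, 701, 4637}       # constructed candidate list

# Constructed AS paths, collector side first, origin AS last (65xxx = private ASNs)
PATHS = [
    [2497, 1239, 65010],
    [2497, 3356, 65011],
    [2497, 4637, 3356, 65012],
    [2497, 4637, 701, 65013],
    [2497, 4637, 1239, 65014],
    [2497, 1239, 65015, 3356, 65016],   # a customer sitting between two candidates
    [2497, 4637, 65017],
    [2497, 701, 65018],
]


def anomalies(paths, tier1):
    """Paths that carry more than one distinct Tier 1 ASN, with the offending ASNs."""
    found = []
    for path in paths:
        offenders = [asn for asn in dict.fromkeys(path) if asn in tier1]
        if len(offenders) > 1:
            found.append((tuple(path), tuple(offenders)))
    return found


def sandwiched(paths, tier1):
    """Paths where a non-Tier-1 AS sits between two Tier 1 ASNs."""
    hits = []
    for path in paths:
        idx = [i for i, asn in enumerate(path) if asn in tier1]
        if any(j - i > 1 for i, j in zip(idx, idx[1:])):
            hits.append(tuple(path))
    return hits


def anomalies_without(paths, tier1):
    """Anomaly count remaining when each candidate is removed from the list;
    the candidate whose removal clears the most anomalies is the weakest claim."""
    return {c: len(anomalies(paths, tier1 - {c})) for c in sorted(tier1)}


if __name__ == "__main__":
    print("anomalies:", len(anomalies(PATHS, TIER1_CANDIDATES)))
    for asn, left in anomalies_without(PATHS, TIER1_CANDIDATES).items():
        print(f"drop AS{asn}: {left} anomalies remain")
    print("sandwiched:", sandwiched(PATHS, TIER1_CANDIDATES))
```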
Questions and discussion
Action items
Deployment of IRR in JP and routing security
Tomoya Yoshida, OCN
This presentation was based on one given at the JANOG meeting. The presenter noted that when referring to routing security he is focussing on hijacking. He provided an overview of address hijacking and why it happens. The presenter described the use by ISPs of prefix filters and examination of origin AS and route paths.
The presenter noted that it is very important to quickly detect polluted routes. This can be very difficult. He suggested that maintenance of reliable assignment and allocation information in the IRR is necessary. JPNIC runs an experimental IRR, which mirrors to APNIC, RIPE NCC, and RADB. The number of objects registered in this service is steadily growing.
The presenter described the general operations of JPIRR and explained its attestation mechanism. However, he noted that having only a single national IRR does not solve the problem and that international cooperation is required. He suggested that operation should be based on the hierarchy of the registry structure. The presenter also noted the potential importance of CRISP to allowing a more efficient way of bringing together the information from the various IRRs.
The presenter noted that this approach has the same goal as the PKI structure in sBGP.
The presenter encouraged cooperation across this region and globally.
Questions and discussion
Action items
BGP flap damping: Where now?
Philip Smith, Cisco
Presentation [pdf]
The presenter noted he is a co-author of the RIPE 229 route flap damping recommendations. It has been decided that this document does not appear to be very useful any more. Therefore, the presenter seeks feedback on some of the main issues.
The presenter explained that the Internet used to be very susceptible to routing storms, which were repeated announcements and withdrawals of /24 networks. As a result, recommendations were made on how to apply route flap damping procedures. There were some problems with the implementations, due to the degree of configurability, lack of operational experience, and overly aggressive application of the technique. The RIPE community then sought to document ideal configuration guidelines to solve the problem. However, other problems arose, primarily in relation to routing convergence. It was also noted that changing attributes in BGP could bring about flap damping.
This led to the RIPE 229 document, but it was never really taken up by the community. It was also observed that people were applying flap damping by default in their networks without really understanding the effects it could have. There have been calls to either modify the RIPE 229 recommendations or declare it obsolete.
The presenter encouraged feedback on this issue that he could refer to the upcoming RIPE meeting where this will be discussed in greater detail.
Questions and discussion
Action items
Allocation - announcement: How long before prefixes are used?
Randy Bush, IIJ
Presentation [pdf]
This presentation investigated the delay between an RIR allocating space and its announcement in BGP. It also looked at differences between RIR allocations and sub-allocations by LIRs. The data for this analysis was drawn from ARIN. Route Views data was also run at University of Oregon.
The presenter summarised the data. Some prefixes were announced before they were actually allocated, others took many years to enter the routing system. He also noted that sub-allocations result in fragmentation of the routing data. The presenter noted that although LIRs tend to announce their prefixes very quickly once they get an allocation, most do not appear to be concerned about updating their data in whois until they are getting close to needing new address space. The presenter noted that more data will be needed from all RIRs to study these issues further.
Questions and discussion
Action items
Meeting closed: 5:25 pm
Minuted by: Gerard Ross