An Analysis of ARIN NetHandles with OriginAS Data and Analysis of RIR/IRR Registry Data

O. Kim, K. Sriram, O. Borchert, P. Gleichmann, and D. Montgomery

Presentation at ARIN XXIII, San Antonio, TX, April 26-29, 2009

Contacts: [email protected], [email protected], [email protected]
Website: www.antd.nist.gov/bgp_security

Outline
• Problem statement
• Analysis of ARIN NetHandles with OriginAS
• Analysis of Global Registries (comparisons with what is announced in BGP)

What is the Problem?
• Current registry data is considered inaccurate, incomplete
• Despite weaknesses, data is used for:
  * Local route filtering
  * Debugging purposes
• No comprehensive investigations to date
• Improving quality and completeness of routing data could enable new BGP robustness mechanisms

Registry Data Object Counts by Source

                  | route                            | inetnum (ARIN NetHandle)                               | aut-num (ARIN ASHandle)
RIR/IRR           | 06/18/2007  10/18/2008  Incr     | 06/18/2007             10/18/2008             Incr      | 06/18/2007       10/18/2008       Incr
ARIN              | 7,330       8,201       12%      | 338 (1,618,197)        434 (1,924,454)        28% (19%) | 758 (18,050)     890 (19,678)     17% (9%)
RIPENCC           | 71,569      89,957      26%      | 2,044,536              2,458,119              20%       | 14,106           16,969           20%
APNIC*            | 23,616      35,515      50%      | 822,891                1,080,999              31%       | 4,559            5,347            17%
AFRINIC           | 0           0                    | 13,948                 22,706                 63%       | 342              445              30%
LACNIC**          | 0           0                    | 45,346                 83,036                 83%       | 1,219            1,339            10%
Standalone IRRs+  | 345,129     497,124     44%      | 1                      1                                | 3,785            4,643            23%
Total:            | 447,644     630,797     41%      | 2,927,060 (1,618,197)  3,645,295 (1,924,454)  25% (19%) | 24,769 (18,050)  29,633 (19,678)  20% (9%)

* Includes TWNIC, JPIRR, JPNIC and APNIC
** RIR only
+ Independent IRR databases that are mirrored via the RADB website including RADB, but EXCLUDING ARIN, APNIC, JPIRR and RIPE
Note that route objects can be registered at any IRR regardless of where the address spaces are allocated.

Distribution of Prefix Length of inetnum (RPSL) and NetHandle (SWIP)
Registry Data Date: 2008-10-18
[Figure: # inetnum Objects vs. Prefix Length (0 to 32); series: ARIN_RPSL, RIPE, APNIC, AFRINIC, LACNIC, ARIN_SWIP]
• Length 0 indicates that an address block cannot be represented by a single CIDR
• Length 4 specifies Multicast and Reserved Future Use blocks
• Some Legacy and ERX blocks may be included in one or more RIRs

Distribution of Prefix Length of Route Objects in IRR
Registry Data Date: 2008-10-18
[Figure: # Route Objects (Prefixes), log scale, vs. Prefix Length (8 to 32); series: ARIN RPSL, RIPE, APNIC, Standalone IRRs]

Distribution of Sources of Prefix Allocations of Route Objects Registered to Standalone IRRs
[Figure: # of Route Objects by source of prefix allocation; categories: ARIN, AFRINIC, APNIC, RIPE, LACNIC, LEGACY, ERX, IANA]
All route objects registered in standalone IRRs on 2008-10-18: 497,124

Growth of NetHandles with OriginAS
[Figure: Number of NetHandles with Origin AS (log scale, 10 to 100,000) vs. Date (5/30/2007 to 3/30/2009); series: NetHandle with One or More Origin AS; Multihomed (>= 2 Origin ASes)]

ARIN NetHandle Stats in Comparison to BGP Updates and RIBs

Raw data
• ARIN Registry data on 2008-10-18
  * All NetHandle objects: 1,924,454
  * Unique (NetHandle, OriginAS) pairs: 73,249 (4%)
  * Unique (NetRange, OriginAS) pairs: 73,062
  * Unique OriginASes: 2693
• BGP Updates & RIB data:
  * Collector: Oregon from Routeviews
  * Updates (2008-06-01 to 2008-11-24)
    – Unique (prefix,origin) pairs: 531,820
  * BGP RIBs on 2008-11-3: 283,035
    – unique (prefix,origin) pairs other than those in Updates prefixes above: 1
• ALL Unique (prefix,origin) pairs from both Updates and RIBs: 531,821

Some Observations on ARIN NetHandles with OriginAS

Multiple NetHandles that contain the exact same (NetRange, OriginAS) pairs with different allocation types:
• Allocation types: allocation / reallocation / assignment / reassignment

# of instances with the following:                              count
3 NetHandles containing the same (NetRange,OriginAS) pair       2
2 NetHandles containing the same (NetRange,OriginAS) pair       183
NetHandles with unique (NetRange,OriginAS) pair                 72,877

Some Observations on ARIN NetHandles with OriginAS

Two or more NetHandle objects contain the exact same (NetRange, OriginAS) pairs, but different NetType:
• One Example: (66.97.96.0/20, 33125)

            NetHandle Object 1            NetHandle Object 2
NetHandle:  NET-66-97-96-0-1              NET-66-97-96-0-2
OrgID:      SNL-27                        MCB-21
NetRange:   66.97.96.0 - 66.97.111.255    66.97.96.0 - 66.97.111.255
NetType:    Allocation                    Reassignment
OriginAS:   AS33125                       AS33125
Parent:     NET-66-0-0-0-0                NET-66-97-96-0-1
RegDate:    2006-10-10                    2007-06-12
Updated:    2007-06-12                    2007-06-12

ARIN NetHandles with OriginAS: Multiple OriginAS (MOAS) Distribution
Registry Data Date: 2008-10-18
[Figure: # of NetHandles vs. number of Multiple OriginASes (1, 2, 3, 4, 5, 6, 7, 8, 12, 13, 18, 31)]
• Some prefix owners register prefix with each of their ASes
• Some never remove old route registrations?

Distribution of NetHandles Associated with the Origin AS
Registry Data Date: 2008-10-18
[Figure: # of (NetHandle,OriginAS) Pairs vs. Origin ASN]
A large percentage of (NetHandle,OriginAS) pairs are associated with about 10 Origin ASes

Distribution of Prefix Length of NetHandles w/ OriginAS vs. BGP Trace Data
[Figure, panel 1: Registry Data Date: 2008-10-18; # of (NetHandle,OriginAS) Pairs vs. Prefix Length. Length 0 indicates that NetRange cannot be represented by a single CIDR]
[Figure, panel 2: BGP Trace Data from 2008-06-01 to 2008-11-24; # of Unique (Prefix,Origin) Pairs vs. Prefix Length. Length 0 indicates prefix 0.0.0.0/0]
• Prefix 0.0.0.0/0 is announced by 15 Origin ASes (12956, 3561, 19151, 513, 9829, 3130, 293, 5602, 8546, 174, 47797, 28968, 31261, 47819, 18747).
• There exist 27 (prefix, origin) pairs with prefix length less than 8, excluding length 0 above.

Distribution of ARIN NetRange Address Block Allocations
Registry Data Date: 2008-10-18
[Figure: # of (NetHandle,OriginAS) Pairs by allocation source; LEGACY: 77, ARIN: 72069, ERX: 1100, LACNIC: 3]
Note: Considering only NetHandles with Origin AS

Methodology for Consistency Checks
• Mntner, OrgID, Contact information (tech-c, admin-c, etc.) are compared across corresponding registered objects
• Origin Consistent: For {prefix, OriginAS} pair in NetHandle, ASHandle is consistent
• Not Registered: No ASHandle Exists
• NC: ASHandle is not consistent

Consistency Checks for ARIN NetHandles with OriginAS
Registry Data Date: 2008-10-18

Scores for Consistency Checks for ARIN NetHandle w/ OriginAS

Region    OriginC   NC      NR    Total
Legacy    3         73      1     77
ARIN      3519      68437   113   72069
ERX       391       697     12    1100
Lacnic    1         2       0     3
Total     3914      69209   126   73249

[Figure: # of (NetHandle,OriginAS) Pairs by region (LEGACY, ARIN, ERX, LACNIC), stacked by score: NR, NC, OriginC]

ARIN NetHandles w/ OriginAS and the Existence of Corresponding Route Objects in RPSL
Registry Data Date: 2008-10-18
[Figure: # of (NetHandle,OriginAS) Pairs by category: No_route_object, RO_exact_match, RO_more_specific, RO_less_specific]
• For origin validation, ARIN RPSL route objects provide better coverage than NetHandles with origin AS

ARIN NetHandles w/ OriginAS and Existence and Quality of Corresponding Route Objects in RPSL
Registry Data Date: 2008-10-18
[Figure: # of (NetHandle,OriginAS) Pairs by category (No_route_object, RO_exact_match, RO_more_specific, RO_less_specific), stacked by score: No_RO, NR, NC, OriginC, PrefixC, FC]
• No_RO: No Route objects exist
• NR: No Referenced objects exist (i.e., ASHandle or aut-num)
• NC: (referenced objects exist, but) Not Consistent
• FC: Fully (Prefix & Origin) Consistent
• PrefixC: Only Prefix Consistent
• OriginC: Only Origin Consistent

ARIN NetHandles w/ OriginAS that are Observed in BGP Trace Data
[Figure: # of (NetHandle,OriginAS) Pairs by category: Unobserved, Obs w/ exact match, Obs w/ more specific, Obs w/ less specific]
• About 6% of the NetHandles with origin AS are usable for direct verification of origin in BGP update messages; that is less than 5K NetHandles (in Oct. 2008)
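
Added example (not part of the presentation or of NIST's analysis code): one way to sort a registered (NetRange, OriginAS) pair into the four chart categories with Python's ipaddress module, including the "length 0" case where a NetRange is not a single CIDR. It assumes a pair counts as observed only when the announced origin AS equals the registered one, that "more specific" means an announced prefix inside the registered block, and that exact match takes priority; the observed pairs and all registry rows except the slides' 66.97.96.0 range are constructed sample data.

```python
import ipaddress

def netrange_to_prefix(start, end):
    """Single CIDR that covers start..end exactly, or None (the slides' 'length 0')."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets[0] if len(nets) == 1 else None

def classify(reg_net, reg_as, observed):
    """observed: iterable of (ip_network, origin_as) pairs seen in BGP."""
    same = [n for n, asn in observed
            if asn == reg_as and n.version == reg_net.version]
    if reg_net in same:
        return "exact_match"
    if any(n.subnet_of(reg_net) for n in same):      # announced inside the block
        return "more_specific"
    if any(reg_net.subnet_of(n) for n in same):      # block inside an announcement
        return "less_specific"
    return "unobserved"

net = ipaddress.ip_network
# Constructed BGP (prefix, origin) pairs; documentation prefixes and ASNs.
OBSERVED = [
    (net("66.97.96.0/20"), 33125),
    (net("203.0.113.128/25"), 64501),
    (net("198.51.100.0/24"), 64500),
    (net("192.0.2.0/28"), 64503),
]
# Constructed registry rows: (NetRange start, NetRange end, OriginAS).
REGISTERED = [
    ("66.97.96.0", "66.97.111.255", 33125),    # range from the slides' example
    ("203.0.113.0", "203.0.113.255", 64501),
    ("198.51.100.0", "198.51.100.127", 64500),
    ("192.0.2.0", "192.0.2.15", 64502),        # same prefix announced, other origin
    ("192.0.2.0", "192.0.2.2", 64502),         # not a single CIDR
]

def tally(registered=REGISTERED, observed=OBSERVED):
    """Count registered pairs per category."""
    counts = {}
    for start, end, asn in registered:
        prefix = netrange_to_prefix(start, end)
        label = ("no_single_cidr" if prefix is None
                 else classify(prefix, asn, observed))
        counts[label] = counts.get(label, 0) + 1
    return counts
```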

Comparison of ARIN NetHandles with OriginAS vs. Announced (p, OAS) Pairs for Prefix Length >= 25

                                                            All (p, OAS)   Prefix length >= 25
                                                                           # of (p, OAS)   percentage
ARIN NetHandles with OriginAS                               73k            60k             82.2%
Announced (p, OAS) that correspond to ARIN Address Space    186k           6.5             3.5%
Globally announced (p, OAS)                                 532k           29.3k           5.5%

ARIN NetHandle w/ OriginAS: Consolidation of (NetHandle, OriginAS) Pairs

On 2008-10-18                                                          Total     # sub-prefixes
All unique (NetRange,OriginAS) Pairs                                   73,062
Distinct NH_OAS (NetHandle w/ OriginAS) with no super-prefixes         39,297
Of these (39,297):
# of NH_OAS with no sub-prefixes                                       38,693    0
# of NH_OAS with sub-prefixes (only one level below)                   584       16828
# of NH_OAS with sub-prefixes (two levels below)                       20        16937

• Note: 38,693 + 584 + 20 + 16828 + 16937 = 73,062
• Many of the consolidated 39,297 are also subprefixes of what are actually observed

Outline
• Problem statement
• Analysis of ARIN NetHandles with OriginAS
• Analysis of Global Registries (comparisons with what is announced in BGP)

Registry Self-Consistency Check (Quality Analysis Algorithm)

Self-Consistency check criteria:
• Check consistency between relevant objects by comparing the following attributes:
  * 'mntner' related attributes: Used mainly for RPSL
  * 'orgID' attribute: Used mainly for SWIP
  * Contact information (i.e., tech-c / admin-c / TechHandle / AbuseHandle)

A route object is considered as fully consistent if, based on the above criteria, it matches with both of these:
• the referenced aut-num for the origin; and
• the referenced inetnum for the prefix.

[Diagram: example inetnum, route, aut-num and mntner objects, linked by Authentication and Consistency Check arrows]

inetnum: 129.6.0.0 – 129.6.255.255
descr: description stmt
tech-c: nist-tech-ID
admin-c: nist-admin-ID
status: assigned PA
mnt-by: MNT-NIST
mnt-routes: iip-bgp-mnt
source: RIPE

route: 129.6.0.0/24
descr: NIST/DOC
origin: AS49
mnt-by: iip-bgp-mnt
source: RIPE

aut-num: AS49
org:
import:
export:
default:
tech-c: AS49-tech
mnt-by: MNT-NIST
mnt-routes: iip-bgp-mnt
source: RIPE

mntner: iip-bgp-mnt
descr: description stmt
auth: encryp
mnt-by: MNT-NIST
source: RIPE
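
Added example (not from the presentation and not NIST's algorithm): a small Python scorer that assigns a route object one of the slides' scores (FC, PrefixC, OriginC, NC, NR), covering both the methodology slide earlier and the self-consistency criteria above. The matching rule is an assumption, since the slides do not define it: two objects are treated as consistent when they share at least one value among mnt-by, mnt-routes, org, tech-c and admin-c, and NR is returned only when neither referenced object exists. The first three objects use the attribute values of the slide's example; the other route objects are constructed.

```python
import ipaddress

# Attributes compared across objects: mntner-related, org and contact handles.
MATCH_ATTRS = ("mnt-by", "mnt-routes", "org", "tech-c", "admin-c")

def parse_rpsl(text):
    """Parse 'key: value' lines into {key: set of values}; empty values are skipped."""
    obj = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        if value.strip():
            obj.setdefault(key.strip().lower(), set()).add(value.strip())
    return obj

def consistent(a, b):
    """Assumed rule: objects agree if they share any compared attribute value."""
    ids = lambda o: set().union(*(o.get(k, set()) for k in MATCH_ATTRS))
    return bool(ids(a) & ids(b))

def covers(inetnum, prefix):
    """True if the inetnum's address range contains the whole route prefix."""
    lo, hi = (ipaddress.ip_address(x.strip())
              for x in next(iter(inetnum["inetnum"])).split("-"))
    return lo <= prefix.network_address and prefix.broadcast_address <= hi

def classify_route(route, inetnums, autnums):
    """Return FC, PrefixC, OriginC, NC or NR for one route object."""
    prefix = ipaddress.ip_network(next(iter(route["route"])))
    origin = next(iter(route["origin"]))
    ref_inet = [i for i in inetnums if covers(i, prefix)]
    ref_aut = [a for a in autnums if origin in a["aut-num"]]
    if not ref_inet and not ref_aut:
        return "NR"      # assumption: NR only when neither referenced object exists
    prefix_ok = any(consistent(route, i) for i in ref_inet)
    origin_ok = any(consistent(route, a) for a in ref_aut)
    if prefix_ok and origin_ok:
        return "FC"
    return "PrefixC" if prefix_ok else "OriginC" if origin_ok else "NC"

# Attribute values taken from the slide's example objects.
INETNUM = parse_rpsl("""
inetnum: 129.6.0.0 - 129.6.255.255
tech-c: nist-tech-ID
admin-c: nist-admin-ID
mnt-by: MNT-NIST
mnt-routes: iip-bgp-mnt
""")
AUTNUM = parse_rpsl("""
aut-num: AS49
tech-c: AS49-tech
mnt-by: MNT-NIST
mnt-routes: iip-bgp-mnt
""")
SLIDE_ROUTE = parse_rpsl("route: 129.6.0.0/24\norigin: AS49\nmnt-by: iip-bgp-mnt")
# Constructed route objects (not registry data) that exercise the other scores.
OTHER_MNT = parse_rpsl("route: 129.6.1.0/24\norigin: AS49\nmnt-by: MNT-EXAMPLE")
NO_INETNUM = parse_rpsl("route: 198.51.100.0/24\norigin: AS49\nmnt-by: iip-bgp-mnt")
NO_REFS = parse_rpsl("route: 192.0.2.0/24\norigin: AS64500\nmnt-by: MNT-EXAMPLE")

def score(route):
    return classify_route(route, [INETNUM], [AUTNUM])
```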

Characterization of IRR Consistency Based on Route Object Registrations
Registry Data Date: 2008-10-18

• FC: Fully (Prefix & Origin) Consistent
• PrefixC: Only Prefix Consistent
• OriginC: Only Origin Consistent
• NC: (referenced objects exist, but) Not Consistent
• NR: No Referenced Resource Objects Exist

           ARIN RPSL       RIPE            APNIC*          Standalone IRRs
FC         169     2%      70057   78%     22981   65%     534      0%
PrefixC    27      1%      4458    5%      8364    23%     107      0%
OriginC    5845    71%     12627   14%     3562    10%     141323   29%
NC         2147    26%     2815    3%      608     2%      353598   71%
NR         13      0%      0       0       0       0       1534     0%
Total      8201            89957           35515           497096

[Figure: number of Route Objects per registry (ARIN RPSL, RIPE, APNIC*, Standalone IRRs), stacked by score: NR, NC, OriginC, PrefixC, FC]

Characterization of IRR Consistency Based on Route Object Registrations
Registry Data Date: 2008-10-18
[Figure: Percentage of Route Objects by score (FC, PrefixC, OriginC, NC, NR); series: ARIN RPSL, RIPE, APNIC*, Standalone IRRs]

Stability of (p, OAS) in the Trace Data
• If (p, OAS) pair remained in RIBs stably for 48 hours or more at least once during the observation period (6 months), then the (p, OAS) pair is considered stable
• Otherwise, the (p, OAS) pair is considered unstable (transient)
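
Added example (not from the presentation): the 48-hour rule applied to a time-ordered stream of announcements and withdrawals from a single peer. The event tuple format is an assumption, as is the handling of edge cases: a repeated announcement with the same origin continues the residency, an announcement with a new origin ends the old pair's residency, and pairs still present are closed at the end of the observation window. The events are constructed sample data.

```python
from datetime import datetime, timedelta

STABLE_FOR = timedelta(hours=48)   # threshold stated on the slide

def stability(events, window_end):
    """events: time-ordered (timestamp, 'A' or 'W', prefix, origin_as) tuples.
    Returns {(prefix, origin_as): 'stable' or 'unstable'}."""
    current = {}   # prefix -> (origin_as, time the pair entered the RIB)
    longest = {}   # (prefix, origin_as) -> longest continuous residency seen

    def close(prefix, now):
        origin, since = current.pop(prefix)
        key = (prefix, origin)
        longest[key] = max(longest.get(key, timedelta(0)), now - since)

    for ts, kind, prefix, origin in events:
        if kind == "A":
            if prefix in current and current[prefix][0] == origin:
                continue                  # re-announcement: residency continues
            if prefix in current:
                close(prefix, ts)         # origin changed: implicit withdrawal
            current[prefix] = (origin, ts)
        elif prefix in current:
            close(prefix, ts)             # explicit withdrawal
    for prefix in list(current):
        close(prefix, window_end)         # still in the RIB when the window ends
    return {k: "stable" if v >= STABLE_FOR else "unstable"
            for k, v in longest.items()}

T0 = datetime(2008, 6, 1)
H = lambda n: T0 + timedelta(hours=n)
# Constructed update stream (documentation prefixes and ASNs), not trace data.
EVENTS = [
    (H(0),   "A", "192.0.2.0/24",    64500),
    (H(1),   "A", "198.51.100.0/24", 64502),
    (H(47),  "W", "192.0.2.0/24",    None),    # withdrawn after 47 hours
    (H(50),  "A", "192.0.2.0/24",    64500),
    (H(60),  "A", "192.0.2.0/24",    64501),   # origin change after 10 hours
    (H(72),  "A", "198.51.100.0/24", 64502),   # refresh, same origin
    (H(100), "W", "198.51.100.0/24", None),    # withdrawn after 99 hours
]
WINDOW_END = datetime(2008, 11, 24)
```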

Classification of Observed (p, OAS) Pairs According to Stability / Consistency Scores
[Figure: Percentage of Observed {Prefix, OriginAS} Pairs by category (Unstable & NR, Unstable & NC, Unstable & PC, Unstable & FC, Stable & NR, Stable & NC, Stable & PC, Stable & FC); series: RIPE, Global, APNIC, ARIN]
FC = Fully Consistent; PC = Partially Consistent; NC = Not Consistent; NR = Not Registered

Stability/Consistency Scores of Observed (p, OAS) Pairs: ARIN Region Prefixes
[Figure: % of Observed (p, OAS) Pairs by category (Unstable & NR, Unstable & NC, Unstable & PC, Unstable & FC, Stable & NR, Stable & NC, Stable & PC, Stable & FC); series: Validation using ARIN IRR Only; Validation using RADB & ARIN IRR]
FC = Fully Consistent; PC = Partially Consistent; NC = Not Consistent; NR = Not Registered

Analysis of Registered But Unobserved Routes: ARIN Prefixes

{prefix, origin} pairs registered but never announced: 110,956
(A) At least one super-prefix announced with same origin but none with any other origin: 47,905
    Stable: 47,876; Unstable: 29
    Fully Consistent: 43; Partially Consistent: 35,186; Not Consistent: 11,267; Not registered: 1,409
(B) Same prefix or at least one super-prefix announced with different origin but none with same origin: 58,384
    Stable: 57,798; Unstable: 3,374
    Fully Consistent: 133; Partially Consistent: 21,976; Not Consistent: 19,688; Not registered: 19,375
Other possibilities: 4,667
For the super-prefixes with their observed origin ASes

• Large number of {prefix, origin} pairs registered but never announced
• In most cases, super-prefixes are announced with the same origin AS (as in registered route) or a different origin AS
• Re-origination type of aggregation by a higher tier ISPs and/or stale Route registrations?

Analysis of Registered But Unobserved Routes: Global Prefixes

{prefix, origin} pairs registered but never announced: 237,870
(A) At least one super-prefix announced with same origin but none with any other origin: 130,901
    Stable: 129,957; Unstable: 944
    Fully Consistent: 24,227; Partially Consistent: 60,566; Not Consistent: 38,639; Not registered: 7,469
(B) At least one super-prefix announced with different origin but none with same origin: 76,594
    Stable: 69,519; Unstable: 10,315
    Fully Consistent: 4,422; Partially Consistent: 24,806; Not Consistent: 29,534; Not registered: 21,072
Other possibilities: 30,375
For the super-prefixes with their observed origin ASes

• Large number of {prefix, origin} pairs registered but never announced
• In most cases, super-prefixes are announced with the same origin AS (as in registered route) or a different origin AS
• Re-origination type of aggregation by a higher tier ISPs and/or stale Route registrations?

Conclusions and Future Work
• ARIN NetHandles with Origin AS -- dominantly for prefix lengths > 25
• Announced prefixes are dominantly of length < 24
• As it stands, ARIN RPSL routes (~10K) more useful than NetHandles with origin AS (~100K)
• Routes exist in standalone RADB but not enough and lacking consistency (Verizon alone has about 60 different OrgIDs *)
• It would be immensely helpful whatever RIRs / ISPs can do to encourage/support:
  * Route registrations
  * Using consistent OrgIDs
  * SIDR RPKI trials and testing

* Based on informal communication between NIST and Verizon