[170717] in North American Network Operators' Group
Re: BGPMON Alert Questions
daemon@ATHENA.MIT.EDU (Benno Overeinder)
Fri Apr 4 06:32:17 2014
Date: Fri, 04 Apr 2014 12:31:35 +0200
From: Benno Overeinder <benno@NLnetLabs.nl>
To: Sharon Goldberg <goldbe@cs.bu.edu>,
"North American Network Operators' Group" <nanog@nanog.org>
In-Reply-To: <CAJHGrrR1-Q=igV660B2WJM7rb0Zc4j5r8Ej4Die0wALAd68b=w@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 04/04/2014 05:06 AM, Sharon Goldberg wrote:
> Finally, like Randy says, RPKI deploys quite differently from BGPSEC. My
> intuition says that (1) once the RPKI is fully populated with ROAs for all
> originated prefixes, then (2) a partial deployment of origin validation at
> a few large ISPs should be fairly effective. But I would have to validate
> this with experiments before I can be sure, or say exactly how many ISPs,
> etc.

Indeed. An MSc project did a (limited) evaluation measuring the effects
of RPKI route origin validation of a Dutch ISP, xs4all, whose prefixes
were incorrectly injected by another (larger according to CAIDA cone
ranking) European ISP.

With ROAs published and a small percentage (order of 5%) of the largest
ISPs doing route origin validation, this would filter the incorrect
announcement and result in about ~98% globally correct routes in the
35000 ASes (this work was done a couple of years ago). With no route
origin validation (or any other filtering) the percentage of correct
routes at the ASes would be ~25% globally. Again, this was a specific
scenario.

For results and figures, see the slides at
http://www.caida.org/workshops/bgp-traceroute/slides/bgp-traceroute1108_rpki_deployment_study.pdf
(slide 18).

Best,
-- Benno
--
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/
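
The effect discussed in this message (a ROA plus origin validation at one well-placed transit AS), as an added example that is not part of the original post or of the cited study. The prefix, AS numbers and eight-AS topology are constructed, and routing is reduced to shortest AS path with no business policy, so the fractions illustrate the mechanism and do not reproduce the study's figures.

```python
import heapq
from ipaddress import ip_network

# Constructed data: documentation prefix and reserved ASNs, not taken from the study.
ROAS = [("192.0.2.0/24", 24, 64500)]          # (prefix, maxLength, authorized origin)
LINKS = [(64500, 64510), (64501, 64511), (64510, 64511), (64510, 64520),
         (64511, 64521), (64511, 64522), (64511, 64523), (64520, 64521)]

def validate(prefix, origin, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    net, covered = ip_network(prefix), False
    for roa_prefix, max_len, asn in roas:
        roa_net = ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if net.prefixlen <= max_len and asn == origin:
                return "valid"
    return "invalid" if covered else "notfound"

def chosen_origins(prefix, origins, rov_ases):
    """Each AS adopts the shortest route it accepts; ROV ASes drop 'invalid' routes.
    Simplification: an AS exports its chosen route to every neighbour, and ties go
    to the last origin listed, so listing the wrong origin last is the worst case."""
    neighbours = {}
    for a, b in LINKS:
        neighbours.setdefault(a, []).append(b)
        neighbours.setdefault(b, []).append(a)
    heap = [(0, -i, asn, asn) for i, asn in enumerate(origins)]
    heapq.heapify(heap)
    best = {}
    while heap:
        dist, pref, asn, origin = heapq.heappop(heap)
        if asn in best:
            continue                      # already holds a route at least as short
        if asn in rov_ases and validate(prefix, origin) == "invalid":
            continue                      # filtered: never installed, never exported
        best[asn] = origin
        for peer in neighbours[asn]:
            if peer not in best:
                heapq.heappush(heap, (dist + 1, pref, peer, origin))
    return best

def correct_fraction(rov_ases, good=64500, bad=64501, prefix="192.0.2.0/24"):
    """Share of third-party ASes whose route leads to the authorized origin."""
    best = chosen_origins(prefix, [good, bad], rov_ases)
    others = {a for link in LINKS for a in link} - {good, bad}
    return sum(best.get(a) == good for a in others) / len(others)
```

In this constructed topology, validation at the transit AS 64511 alone gives every other AS a correct route, while validation only at the stub AS 64522 changes nothing for the rest and leaves that stub without a route.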