m An Analysis of ARIN NetHandles ing Prog with …...An Analysis of ARIN NetHandles r ihOiiASD a m with OriginAS Data and Analysis of RIR/IRR Registry Data k ing Prog O. Kim, K. Sriram,

An Analysis of ARIN NetHandles i h O i i AS Dra

m

with OriginAS Dataand Analysis of RIR/IRR Registry Data

kin

g P

rog

r

O. Kim, K. Sriram, O. Borchert, P. Gleichmann, and D. Montgomery

y N

etw

ork

Presentation at ARIN XXIII, San Antonio, TXA il 26 29 2009

g y

ust

wo

rth

y

April 26-29, 2009

Contacts: [email protected], [email protected], [email protected] Website: www.antd.nist.gov/bgp_security

Tru

s

OutlineOutlineOutline Outline

Problem statementProblem statementAnalysis of ARIN NetHandles with O i i ASOriginASAnalysis of Global Registriesy g(comparisons with what is announced in BGP)

2

What is the Problem?What is the Problem?Current registry data is considered inaccurate, incompleteDespite weaknesses, data is used for:p ,• Local route filtering• Debugging purposesDebugging purposes

No comprehensive investigations to dateImproving quality and completeness ofImproving quality and completeness of routing data could enable new BGP robustness mechanisms

3

robustness mechanisms

Registry Data Object Counts by Source Registry Data Object Counts by Source

route inetnum(ARIN NetHandle)

aut-num(ARIN ASHandle)

RIR/IRR 06/18/2007 10/18/2008 Incr 06/18/2007 10/18/2008 Incr 06/18/2007 10/18/2008 Incr

ARIN 7,330 8,201 12% 338(1,618,197)

434(1,924,454)

28%19%

758(18,050)

890(19,678)

17%9%

RIPENCC 71,569 89,957 26% 2,044,536 2,458,119 20% 14,106 16,969 20%

APNIC* 23,616 35,515 50% 822,891 1,080,999 31% 4,559 5,347 17%

AFRINIC 0 0 13,948 22,706 63% 342 445 30%

LACNIC** 0 0 45,346 83,036 83% 1,219 1,339 10%

Standalone IRRs+

345,129 497,124 44% 1 1 3,785 4,643 23%

Total: 447,644 630,797 41% 2,927,060(1,618,197)

3,645,295(1,924,454)

25%19%

24,769(18,050)

29,633(19,678)

20%9%

* Includes TWNIC, JPIRR, JPNIC and APNIC* Includes TWNIC, JPIRR, JPNIC and APNIC** RIR only** RIR only

4

RIR only RIR only+ Independent IRR databases that are mirrored via + Independent IRR databases that are mirrored via the RADB websitethe RADB website including RADB, but including RADB, but EXCLUDING ARIN, APNIC, JPIRR and RIPEEXCLUDING ARIN, APNIC, JPIRR and RIPENote that route objects can be registered at any IRR regardless of where the address spaces are allocated.

Distribution of Prefix Length of Distribution of Prefix Length of inetnum (RPSL) and NetHandle (SWIP) inetnum (RPSL) and NetHandle (SWIP)

Registry DataRegistry Data Date: 2008Date: 2008--1010--1818

10000000

100000

1000000

s

ARIN_RPSLRIPEAPNICAFRINIC

1000

10000

etnu

m O

bjec

ts LACNICARIN_SWIP

10

100

# in

e

1

10

0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32

Prefix Length

5Length 0 indicates that an address block cannot be represented by a single CIDRLength 4 specifies Multicast and Reserved Future Use blocksSome Legacy and ERX blocks may be included in one or more RIRs

Prefix Length

Distribution of Prefix Length of Distribution of Prefix Length of Route Objects in IRRRoute Objects in IRR

1000000Registry DataRegistry Data Date: 2008Date: 2008--1010--1818

10000

100000

refix

es)

1000

Obj

ects

(Pr

10

100

# R

oute

18 10 12 14 16 18 20 22 24 26 28 30 32

Log scale

Prefix Length

ARIN RPSL RIPE APNIC Standalone IRRs6

Distribution of Sources of Prefix Allocations Distribution of Sources of Prefix Allocations of Route Objects Registered to Standalone IRRsof Route Objects Registered to Standalone IRRsof Route Objects Registered to Standalone IRRsof Route Objects Registered to Standalone IRRs

43%

250000

33%

43%

200000

ts

100000

150000

Rout

e O

bjec

t

3%

7%

13%

50000

# of

0%3% 1% 0%

0ARIN AFRINIC APNIC RIPE LACNIC LEGACY ERX IANA

7All route objects registered in standalone IRRs on 2008All route objects registered in standalone IRRs on 2008--1010--18: 18: 497,124497,124

Growth of NetHandles with OriginAS100,000

n A

S

10,000

with

Orig

in

1,000

Han

dles

w

100

ber o

f Net

H

NetHandle with One or More Origin AS

Multihomed (>= 2 Origin ASes)

10

2007

2007

2007

2007

2007

2007

2007

2007

2008

2008

2008

2008

2008

2008

2008

2008

2008

2008

2008

2008

2009

2009

2009

Num

b Multihomed ( 2 Origin ASes)

8

5/30

/2

6/30

/2

7/30

/2

8/30

/2

9/30

/2

10/3

0/2

11/3

0/2

12/3

0/2

1/30

/2

2/29

/2

3/30

/2

4/30

/2

5/30

/2

6/30

/2

7/30

/2

8/30

/2

9/30

/2

10/3

0/2

11/3

0/2

12/3

0/2

1/30

/2

2/28

/2

3/30

/2

Date

ARIN NetHandle Stats ARIN NetHandle Stats in Comparison to BGP Updates and RIBsin Comparison to BGP Updates and RIBsin Comparison to BGP Updates and RIBsin Comparison to BGP Updates and RIBs

Raw data• ARIN Registry data on 2008-10-18g y

* All NetHandle objects: 1,924,454* Unique (NetHandle, OriginAS) pairs: 73,249 (4%)* Unique (NetRange, OriginAS) pairs: 73,062 q ( g , g ) p ,* Unique OriginASes: 2693

• BGP Updates & RIB data:* Collector: Oregon from RouteviewsCollector: Oregon from Routeviews* Updates (2008-06-01 to 2008-11-24)

– Unique (prefix,origin) pairs: 531,820* BGP RIBs on 2008-11-3: 283 035BGP RIBs on 2008-11-3: 283,035

– unique (prefix,origin) pairs other than those in Updates prefixes above: 1

• ALL Unique (prefix origin) pairs from both Updates and

9

ALL Unique (prefix,origin) pairs from both Updates and RIBs: 531,821

Some Observations on ARIN NetHandles Some Observations on ARIN NetHandles ith O i i ASith O i i AS

Multiple NetHandles that contain the exact same

with OriginASwith OriginAS

p(NetRange, OriginAS) pairs with different allocation types:• Allocation types: allocation / reallocation / assignment /

reassignment

# of instances with the following: count

3 NetHandles containing the same (NetRange,OriginAS) pair 2

2 NetHandles containing the same (NetRange,OriginAS) pair 183

N tH dl ith i (N tR O i i AS) i 72 877NetHandles with unique (NetRange,OriginAS) pair 72,877

10

Some Observations on ARIN NetHandles Some Observations on ARIN NetHandles ith O i i ASith O i i ASwith OriginASwith OriginAS

Two or more NetHandle objects contain the exact same (NetRange OriginAS) pairs but different NetType:(NetRange, OriginAS) pairs, but different NetType:• One Example: (66.97.96.0/20, 33125)

NetHandle Object 1 NetHandle Object 2NetHandle Object 1 NetHandle Object 2

NetHandle: NET-66-97-96-0-1 NET-66-97-96-0-2

OrgID: SNL-27 MCB-21

N tR 66 97 96 0 66 97 111 255 66 97 96 0 66 97 111 255NetRange: 66.97.96.0 - 66.97.111.255 66.97.96.0 – 66.97.111.255

NetType: Allocation Reassignment

OriginAS: AS33125 AS33125

P t NET 66 0 0 0 0 NET 66 97 96 0 1Parent: NET-66-0-0-0-0 NET-66-97-96-0-1

RegDate: 2006-10-10 2007-06-12

Updated: 2007-06-12 2007-06-12

11

ARIN NetHandles with OriginASARIN NetHandles with OriginASMultiple OriginAS (MOAS) DistributionMultiple OriginAS (MOAS) Distributionp g ( )p g ( )


68753

60000

70000

30000

40000

50000

of N

etHa

ndle

s

10000

20000

30000

# o

779 196 75 349 9 2 1 1 1 1 60

10000

1 2 3 4 5 6 7 8 12 13 18 31

Multiple OriginASes

12

p g

• Some prefix owners register prefix with each of their ASes

• Some never remove old route registrations?

Distribution of NetHandles Associated with Distribution of NetHandles Associated with the Origin ASthe Origin ASgg


20000

14000

16000

18000

) Pai

rs

10000

12000

14000

e,O

rigin

AS)

A large percentage of A large percentage of (NetHandle,OriginAS) (NetHandle,OriginAS) pairs are associated pairs are associated with about 10 Originwith about 10 Origin

4000

6000

8000

(Net

Hand

le with about 10 Origin with about 10 Origin ASesASes

0

2000

1

# of

13

15001

1000115001

2000125001

3000135001

4000145001

5000155001

6000165001

Origin ASN

Distribution of Prefix Length of Distribution of Prefix Length of NetHandles w/ OriginAS vs BGP Trace DataNetHandles w/ OriginAS vs BGP Trace DataNetHandles w/ OriginAS vs. BGP Trace DataNetHandles w/ OriginAS vs. BGP Trace Data

Registry Data Date: 2008Registry Data Date: 2008--1010--1818BGP Trace DataBGP Trace Data

from 2008from 2008--0606--01 to 200801 to 2008--1111--2424

250000

300000

airs

35000

40000

45000

airs

150000

200000

Pre

fix,O

rigin

) P

20000

25000

30000

le,O

rigin

AS) P

50000

100000

# of

Uni

que

(P5000

10000

15000

# of

(Net

Hand

00 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32

Prefix LengthLength 0 indicates prefix 0.0.0.0/0

00 8 10 12 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

Prefix LengthLength 0 indicates that NetRange cannot be represented by a single CIDR

14

• Prefix 0.0.0.0/0 is announced by 15 Origin ASes (12956, 3561, 19151, 513, 9829, 3130, 293, 5602, 8546, 174, 47797, 28968, 31261, 47819, 18747).

• There exist 27 (prefix, origin) pairs with prefix length less than 8, excluding length 0 above.

Distribution of ARIN NetRange Distribution of ARIN NetRange Address Block AllocationsAddress Block AllocationsAddress Block AllocationsAddress Block Allocations

80000


72069

60000

70000

Pai

rs

40000

50000

e,O

rigin

AS)

P

20000

30000

of (N

etH

andl

e

77 1100 30

10000

LEGACY ARIN ERX LACNIC

#

15


Note: Considering only NetHandles with Origin ASNote: Considering only NetHandles with Origin AS

Methodology for Consistency ChecksMethodology for Consistency Checksgy ygy y

Mntner, OrgID, Contact information (tech-g (c, admin-c, etc.) are compared across corresponding registered objectsp g g jOrigin Consistent: For {prefix, OriginAS} pair in NetHandle, ASHandle is consistentpair in NetHandle, ASHandle is consistentNot Registered: No ASHandle ExistsNC ASHandle is not consistentNC: ASHandle is not consistent

16

Consistency Checks for Consistency Checks for ARIN NetHandles with OriginASARIN NetHandles with OriginASARIN NetHandles with OriginASARIN NetHandles with OriginAS


Region OriginC NC NR Total

Legacy 3 73 1 77

60000

70000

80000

irs

ARIN 3519 68437 113 72069

ERX 391 697 12 1100

Lacnic 1 2 0 340000

50000

60000

,Orig

inA

S) P

a NRNCOriginC

Total 3914 69209 126 73249

Scores for Consistency Checks for ARIN NetHandle w/ OriginAS

20000

30000

# of

(Net

Hand

le

0

10000#


17

ARIN NetHandles w/ OriginAS and the Existence of ARIN NetHandles w/ OriginAS and the Existence of Corresponding Route Objects in RPSL Corresponding Route Objects in RPSL

70000


79%

50000

60000

Pai

rs

30000

40000

e,O

rigi

nAS)

P

17%20000

30000

of (N

etH

andl

e

3%1%

0

10000

N t bj t RO t t h RO ifi RO l ifi

#

18

No_route_object RO_exact_match RO_more_specific RO_less_specific

• For origin validation, ARIN RPSL route objects provide superior coverage than NetHandles with origin AS

ARIN NetHandles w/ OriginAS and Existence and ARIN NetHandles w/ OriginAS and Existence and Quality of Corresponding Route Objects in RPSLQuality of Corresponding Route Objects in RPSLQuality of Corresponding Route Objects in RPSLQuality of Corresponding Route Objects in RPSL


50000

60000

Pai

rs

30000

40000

dle,

Ori

ginA

S) P No_RO

NRNCOriginCPrefixC

10000

20000

# of

(Net

Han

d PrefixCFC

N RO N R t bj t i t

0No_route_object RO_exact_match RO_more_specific RO_less_specific

19

• No_RO: No Route objects exist• NR: No Referenced objects exist (ie., ASHandle or aut-num) • NC: (referenced objects exist, but) Not Consistent• FC: Fully (Prefix & Origin) Consistent• PrefixC: Only Prefix Consistent• OriginC: Only Origin Consistent

ARIN NetHandles w/ OriginAS that are ARIN NetHandles w/ OriginAS that are Observed in BGP Trace DataObserved in BGP Trace DataObserved in BGP Trace Data Observed in BGP Trace Data

87%

60000

70000

50000

60000

inAS

) Pai

rs

30000

40000

etHa

ndle

,Orig

i

5%7%10000

20000

# of

(Ne

1%%

0Unobserved Obs w/ exact match Obs w/ more specific Obs w/ less specific

20

•• About 6% of the NetHandles with origin AS are usable for direct verification of origin in BGP About 6% of the NetHandles with origin AS are usable for direct verification of origin in BGP update messages; that is less than 5K NetHandles (in Oct. 2008)update messages; that is less than 5K NetHandles (in Oct. 2008)

Comparison of ARIN NetHandles with Comparison of ARIN NetHandles with OriginAS vs. Announced (p, OAS) Pairs OriginAS vs. Announced (p, OAS) Pairs

for Prefix Length >= 25for Prefix Length >= 25

Prefix length >= 25

All ( OAS) # f ( OAS) tAll (p, OAS) # of (p, OAS) percentage

ARIN NetHandles with OriginAS 73k 60k 82.2%

Announced (p, OAS) that correspond to ARIN 186k 6.5 3.5%Address SpaceGlobally announced (p, OAS) 532k 29.3k 5.5%

21

ARIN ARIN NetHandleNetHandle w/ w/ OriginASOriginASConsolidation of (Consolidation of (NetHandleNetHandle, , OriginASOriginAS) Pairs) Pairs

On 2008-10-18 Total # sub-prefixes

All unique (NetRange,OriginAS) Pairs 73,062

Distinct NH OAS (NetHandle w/ OriginAS) with no super- 39,297_ ( g ) pprefixes

,

Of these (39,297):

# of NH_OAS with no sub-prefixes 38,693 0

# of NH_OAS with sub-prefixes (only one level below) 584 16828

# of NH_OAS with sub-prefixes (two levels below) 20 16937

• Note: 38,693 + 584 + 20 + 16828 + 16937 = 73,062Many of the consolidated 39 297 are also subprefixes of what are actually observed

22

• Many of the consolidated 39,297 are also subprefixes of what are actually observed

OutlineOutlineOutline Outline

Problem statementProblem statementAnalysis of ARIN NetHandles with O i i ASOriginASAnalysis of Global Registriesy g(comparisons with what is announced in BGP)

23

Registry SelfRegistry Self--Consistency CheckConsistency Check(Quality Analysis Algorithm)(Quality Analysis Algorithm)(Quality Analysis Algorithm)(Quality Analysis Algorithm)

Self-Consistency check criteria:• Check consistency between relevant objects by comparing the following attributes:

* ‘mntner’ related attributes: Used mainly for RPSL* ‘orgID’ attribute: U d i l f SWIP* ‘orgID’ attribute: Used mainly for SWIP* Contact information (i.e., tech-c / admin-c / TechHandle / AbuseHandle)

A route object is considered as fully consistent if, based on the above criteria, it matches with both of these:

the referenced aut-num for the origin; and the referenced inetnum for the prefix.

aut-numrouteinetnum

inetnum: 129.6.0.0 – route: 129.6.0.0/24 aut-num: AS49129.6.255.255descr: description stmttech-c: nist-tech-IDadmin-c: nist-admin-IDstatus: assigned PAmnt-by: MNT-NIST

descr: NIST/DOCorigin: AS49mnt-by: iip-bgp-mntsource: RIPE

org:import:export:default:tech-c: AS49-techmnt-by: MNT-NIST

mntner

A th ti ti

mnt-routes: iip-bgp-mntsource: RIPE

mnt-routes: iip-bgp-mntsource: RIPE

mntner: iip-bgp-mntdescr: description stmtauth: encryp

2424242424

Authentication

Consistency Check

auth: encrypmnt-by: MNT-NISTsource: RIPE

Characterization of IRR ConsistencyBased on Route Object Registrations j g

Registry Data

• FC: Fully (Prefix & Origin) Consistent


500000NRConsistent

• PrefixC: Only Prefix Consistent

• OriginC: Only Origin Consistent

• NC: (referenced objects

NCPrefixC

FC

NR250000

300000

350000

400000

450000NRNCOriginCPrefixCFC

NC: (referenced objects exist, but) Not Consistent

• NR: No Referenced Resource Objects Exist

OriginC

50000

100000

150000

200000

250000

90%

ARIN RPSL RIPE APNIC* Standalone IRRs

FC 169 2% 70057 78% 22981 65% 534 0%

0ARIN RPSL RIPE APNIC* Standalone IRRs

40%

50%

60%

70%

80%

Rou

te O

bjec

ts

PreifxC 27 1% 4458 5% 8364 23% 107 0%

OriginC 5845 71% 12627 14% 3562 10% 141323 29%

NC 2147 26% 2815 3% 608 2% 353598 71%

NR 13 0% 0 0 0 0 1534 0%0%

10%

20%

30%

40%

Perc

enta

ge o

f

25

NR 13 0% 0 0 0 0 1534 0%

Total 8201 89957 35515 497096FC PrefixC OriginC NC NR

ARIN RPSL RIPE APNIC* Standalone IRRs

Characterization of IRR ConsistencyBased on Route Object Registrations

80%

90%

tsj g


60%

70%

80%

te O

bjec

t

30%

40%

50%

e of

Rou

t

10%

20%

30%

erce

ntag

e

0%

10%

FC PrefixC OriginC NC NR

Pe

ARIN RPSL RIPE APNIC* Standalone IRRs 26

Stability of (p, OAS) in the Trace DataStability of (p, OAS) in the Trace Datay (p, )y (p, )

•If (p, OAS) pair remained in RIBs stably for 48 (p ) p yhours or more at least once during the observation period (6 months), then the (p, p ( ) (pOAS) pair is considered stable

•Otherwise the (p OAS) pair is considered•Otherwise, the (p, OAS) pair is considered unstable (transient)

27

Classification of Observed (p, OAS) Pairs Classification of Observed (p, OAS) Pairs According to Stability / Consistency Scores According to Stability / Consistency Scores g y yg y y

90%

100%

} Pai

rs RIPEGlobalAPNIC

70%

80%

x, O

rigin

AS} APNIC

ARIN

40%

50%

60%

erve

d {P

refix

20%

30%

40%

ntag

e of

Obs

0%

10%

Unstable Unstable Unstable Unstable Stable & Stable & Stable & Stable &

Perc

en

FC = Fully Consistent; PC = Partially Consistent; NC = Not Consistent; NR = Not Registered

Unstable& NR

Unstable& NC

Unstable& PC

Unstable& FC

Stable &NR

Stable &NC

Stable &PC

Stable &FC 28

Stability/Consistency Scores of Observed Stability/Consistency Scores of Observed (p, OAS) Pairs: ARIN Region Prefixes(p, OAS) Pairs: ARIN Region Prefixes(p, ) g(p, ) g

ARIN Region Prefixes90%

100%

s Validation using

60%

70%

80%

OA

S) P

airs Validation using

ARIN IRR Only

Validation using

40%

50%

60%

rved

(p, O

gRABD & ARIN IRR

20%

30%

40%

% o

f Obs

er

0%

10%

20%%

FC = Fully Consistent; PC = Partially Consistent; NC = Not Consistent; NR = Not Registered

290%

Unstable &NR

Unstable &NC

Unstable &PC

Unstable &FC

Stable &NR

Stable &NC

Stable &PC

Stable &FC

Analysis of Registered But Unobserved RoutesAnalysis of Registered But Unobserved Routes

L b f { fi

{prefix, origin} pairs registered but never announced: 110,956

ARIN PrefixesARIN Prefixes

• Large number of {prefix, origin} pairs registered but never announced

(A) At least one super‐prefix

announced with same origin but none

(B) Same prefix or at least one super‐prefix

announced with different origin but

Other possibilities:

• In most cases, super-prefixes are announced with the same origin AS

same origin but none with any other origin:

47,905

different origin but none with same origin: 58,384

4,667

(as in registered route) or a different origin AS

• Re-origination type of

Stable: 47,876

Unstable: 29

Stable: 57,798

Unstable: 3,374

Fully Consistent 43 Fully Consistent 133aggregation by a higher tier ISPs and/or stale Route registrations?

Fully Consistent: 43 Partially Consistent: 35,186

Not Consistent: 11,267 Not registered: 1,409

Fully Consistent: 133 Partially Consistent: 21,976


30

For the super-prefixes with their observed origin ASes

Analysis of Registered But Unobserved RoutesAnalysis of Registered But Unobserved Routes{prefix, origin} pairs registered but

never announced: 237,870

Global PrefixesGlobal Prefixes

L b f { fi (A) At least one super‐prefix

announced with same origin but none

(B) At least one super‐prefix

announced with different origin but

Other possibilities:

• Large number of {prefix, origin} pairs registered but never announced

same origin but none with any other origin:

130,901

different origin but none with same origin: 76,594

ities: 30,375

• In most cases, super-prefixes are announced with the same origin AS

Stable: 129,957

Unstable: 944

Stable: 69,519

Unstable: 10,315

Fully Consistent 24 227 Fully Consistent 4 422

(as in registered route) or a different origin AS

• Re-origination type of Fully Consistent: 24,227

Partially Consistent: 60,566Not Consistent: 38,639Not registered: 7,469

Fully Consistent: 4,422Partially Consistent: 24,806


aggregation by a higher tier ISPs and/or stale Route registrations?

For the super-prefixes with their observed origin ASes

31

Conclusions and Future WorkConclusions and Future WorkARIN NetHandles with Origin AS -- dominantly for prefix lengths > 25Announced prefixes are dominantly of length < 24As it stands, ARIN RPSL routes (~10K) more useful than NetHandles with origin AS (~100K)NetHandles with origin AS ( 100K) Routes exist in standalone RABD but not enough and lacking consistency (Verizon alone has about 60 different OrgIDs *)OrgIDs *)It would be immensely helpful whatever RIRs / ISPs can do to encourage/support:• Route registrations• Using consistent OrgIDs• SIDR RPKI trials and testing

32* Based on informal communication between NIST and Verizon

Documents

m An Analysis of ARIN NetHandles ing Prog with …...An Analysis of ARIN NetHandles r ihOiiASD a m with OriginAS Data and Analysis of RIR/IRR Registry Data k ing Prog O. Kim, K. Sriram,