throw0101c
5 days ago
This article leans more towards a general audience. For more a tech-leaning audience, perhaps see:
* https://arstechnica.com/tech-policy/2024/06/fcc-pushes-isps-...
* https://www.techspot.com/news/104590-white-house-declares-bg...
* https://www.securityweek.com/white-house-outlines-plan-for-a...
WH PR (linked to by Reuters):
> While there is no single solution to address all internet routing vulnerabilities, the roadmap advocates for the adoption of Resource Public Key Infrastructure (RPKI) as a mature, ready-to-implement approach to mitigate BGP’s vulnerabilities. RPKI consists of two primary components: Route Origin Authorizations (ROA) and Route Origin Validation (ROV). A ROA is a digitally-signed certificate that a network is authorized to announce a specific block of internet space (i.e., IP addresses). ROV is the process by which BGP routers use ROA data to filter BGP announcements flagged as invalid. Importantly, ROV can help protect an organization’s internet address resources only if that organization has created ROAs.
* https://www.whitehouse.gov/oncd/briefing-room/2024/09/03/fac...
Roadmap/whitepaper (PDF):
* https://www.whitehouse.gov/wp-content/uploads/2024/09/Roadma...
xyst
5 days ago
So ROA/ROV are for preventing prefix hijacking and IANA will personally issue a certificate to verify organization owns ASN.
But what impacts does this have on performance? Great we solved hijacking issue. But this other ASN which used to be a preferred route doesn’t use ROA/ROV (yet or refuses).
Now traffic reroutes to a less efficient path?
codebje
5 days ago
> But what impacts does this have on performance? Great we solved hijacking issue. But this other ASN which used to be a preferred route doesn’t use ROA/ROV (yet or refuses).
No performance impact: a routing table is a very (ahaha) binary thing, it takes a destination address and does a longest prefix match search in a table to find the next hop interface, to which it routes the packet.
Route validity is considered (alongside a bunch of other routing policy inputs) when constructing the table, not when a packet arrives.
vitus
5 days ago
I think you missed the parent commenter's point.
The purported performance hit wouldn't be from the propagation delay on any given router, but rather from shifts in traffic resulting in a longer path.
In practice, I suspect there will be very little impact for most traffic, since typical aspath lengths are, like, 2. (Mostly, direct peering between CDNs and ISPs if the data isn't cached within the ISP network to begin with)
edit for source:
> The average AS path length in a well-developed content network is about 1. Maybe 1.1.
codebje
5 days ago
> The purported performance hit wouldn't be from the propagation delay on any given router, but rather from shifts in traffic resulting in a longer path.
You are right, I neglected to point out that origin validation is (in the absence of shenanigans) not going to cause one path to be preferable to another: if the origin is the same AS, either both paths or neither is valid.
If the origin in two paths is two different ASes, either both are valid or shenanigans are afoot - perhaps there's a hijack being prevented, perhaps the network operator has screwed up their ROAs, perhaps the network operator is measuring sBGP uptake, perhaps the network operator is doing a rather bizarre and ineffectual form of traffic ingress management, or perhaps the network is in a transition from one AS to another, but those are all "shenanigans" in which routing efficiency is secondary to some other goal.
An alternative source for average BGP path length is https://blog.apnic.net/2024/01/10/bgp-in-2023-bgp-updates/ - where many other similar statistics can be found, and independently repeatable methodology is available. The average BGP path length for IPv4 is around 5.5 hops, and for IPv6 it is just shy of 5 hops. These numbers have been stable for a while with IPv4 slowly shrinking and IPv6 slowly growing, albeit in both cases by around 0.2 hops a decade.
And perhaps also relevant to the parent's question: path length itself is a pretty poor indicator of network performance by just about any measure you can name (excepting perhaps the TTL field), and is a last resort measure used only when all else is equal. The case of a prefix hijack being thwarted by origin validation is an extreme example in which the shorter (invalid) path represents 100% packet loss and the longer (valid) path given preference due to origin validation is infinitely more performant.
edit: oh, disclaimer - I am a co-author of one of the RPKI RFCs, and while I am personally not involved in secure BGP at present my employer definitely is. Opinions presented are mine.
vitus
3 days ago
You're certainly not wrong here -- it all depends what you're measuring and how. The 5-5.5 figure seems to be average length inside the internet routing tables, which is going to be skewed by smaller networks with relatively sparse connectivity and how IP space is carved up geographically.
> And perhaps also relevant to the parent's question: path length itself is a pretty poor indicator of network performance by just about any measure you can name (excepting perhaps the TTL field), and is a last resort measure used only when all else is equal.
Perhaps I focused the conversation in the wrong direction by mentioning AS path (and then further by describing the AS path between CDNs and end-users and framing that as "typical"). For a major CDN, most of the bytes served are originating from and destined to the same metro. Unless those CDNs have some serious problems with their RPKI setups, I expect that those bytes are going to continue flowing the same way they have been.
jabart
5 days ago
Average AS Path being about 1 isn't right. For direct peer CDN content sure Even AWS has their own path that's at least 2 from GTT, Areilon, NTT, etc from wherever you connect. if you are at a data center and use blended IP Transit that's another ASN to add to the path RIPE report had the average at 3-4 in 2012.
codebje
5 days ago
Path length is dependent on where you stand and look at it all, of course.
If anyone knows of a place in which a border router is only one (or 1.1 average) hop away from every other network on the planet, please let me know what real estate prices are like there, though.
(I suspect the 1.1 figure measures something quite different - the average path length inside a CDN or similar, which probably should be closer to one but might involve sneaky things like an overlay network).
vitus
3 days ago
I would wager the 1.1 figure is "average path length from CDN to end user", and quite possibly weighted by bytes served.
Most of the major players in the space (Netflix, Akamai, YouTube, Facebook, etc) have boxes inside ISP networks across major metros, so the path length to reach those ISPs' users is in fact 1 assuming a cache hit, and the RTT is certainly less than 20ms.
user
5 days ago
kortilla
5 days ago
RPKI unfortunately doesn’t prevent BGP hijacking though. You need every message to be signed.
fach
5 days ago
It solves a class of hijacks, where an autonomous system announces a prefix it is not authorized to announce. This is typically the operator error use case or uneducated bad actor use case. What it does not cover is if an autonomous system crafts an announcement containing the valid origin autonomous system in which case you would need a mechanism to validate the entire AS_PATH itself. ROA is only concerned about the origin in the AS_PATH.
Stevvo
5 days ago
The whole thing feels dishonest. BGP is working as intended, so should we really call hijacking a "vulnerability"? A failure to acknowledge that the protocol is fundamentally flawed and not fit for purpose.
hnuser123456
5 days ago
BGP is working as intended, according to how it was designed before we had the opportunity to have decades of observations about how it can be abused.
And BGP is not really fundamentally flawed, what is fundamentally flawed is trying to get everyone to build an authoritative database on who owns which IPs and how they connect to their upstreams/downstreams, without it being possible for someone to manipulate that database nefariously. As we are on hacker news, you are probably aware that there is no such thing as a hack-proof system. The old IRR system would have been perfect if every IRR hoster had a dedicated team of highly trained NOC engineers who are capable of making cross references using the RIR databases to the fullest and investigate any anomalies to prevent any malicious submissions. Unfortunately, that doesn't scale as well as rolling out something smarter like RPKI. Unfortunately, everything was already setup to use the IRRs and some people like it that way, so getting to 100% RPKI adoption has been slow, just like IPv4 addresses will probably always be worth more than IPv6 even though in principle, IP address space should have zero inherent value because it's just a number and should not have any limited supply.
Source: Former RADB admin.