Re: Re: Why do ROV-ASes announce some invalid route?

2022-11-10 Thread
Hello Job,
  Thank you very much for your reply! I got that no AS can actually filter all 
the invalids. Yet I was trying to figure out why we couldn't see a reasonable 
amount of withdrawals from AS6939 about invalid prefixes, as they explained how 
they implement ROV 
(https://mailman.nanog.org/pipermail/nanog/2020-June/108309.html). Perhaps we 
need to learn their detailed implementations.
  Thank you very much!

Best wishes,
Sun Letong

On 2022-11-08 00:11:24, Job Snijders wrote:
> Dear 孙乐童,
> 
> On Mon, Nov 07, 2022 at 08:40:57PM +0800, 孙乐童 wrote:
> > We learned from Cloudflare's https://isbgpsafeyet.com/ that some ASes
> > have deployed RPKI Origin Validation (ROV). However, we downloaded BGP
> > collection data from RouteViews and RipeRis platforms and found that
> > some ROV-ASes can announce some invalid routes. For example, from RIB
> > data at 2022-10-31 00:00:00, 13 out of 17 ASes which declared to
> > deploy ROV announced invalid routes, and we list the number of related
> > prefixes for each AS below.
> >
> > [snip]
> > 
> > As a comparison, we count the invalid routes the non-ROV ASes (also
> > declared in https://isbgpsafeyet.com/) announce, as below:
> > 
> > We can see that ROV ASes announced apparently fewer invalid routes
> > compared to the non-ROV ASes, though they did not filter all the
> > invalids. 
> >
> > [snip]
> > 
> > Can anyone help us to correctly interpret this case? Thank you very much.
> 
> You ask great questions! I hope an answer to your questions can be found
> in a message I sent a year ago:
> 
>   https://mailman.nanog.org/pipermail/nanog/2021-April/213346.html
> 
> The summary: in any sufficiently large network, chances are not 100% of
> all equipment supports RPKI-based BGP Route Origin Validation; in such
> cases a handful of invalid routes may still percolate through the
> system. Another contributing factor might be certain types of software
> upgrades; where ROV temporarily is disabled on one or more devices. Or
> perhaps an ISP made a handful of exceptions for test/beacon invalid
> routes to propagate.
> 
> Kind regards,
> 
> Job 



Why do ROV-ASes announce some invalid route?

2022-11-07 Thread
We learned from Cloudflare's https://isbgpsafeyet.com/ that some ASes have 
deployed RPKI Origin Validation (ROV). However, we downloaded BGP collection 
data from RouteViews and RipeRis platforms and found that some ROV-ASes can 
announce some invalid routes. For example, from RIB data at 2022-10-31 
00:00:00, 13 out of 17 ASes which declared to deploy ROV announced invalid 
routes, and we list the number of related prefixes for each AS below.
ASN  33561299174291469393257645334919002551179221333516509
pref#723314361152731625617105


As a comparison, we count the invalid routes the non-ROV ASes (also declared in 
https://isbgpsafeyet.com/) announce, as below:
ASN67626461127312956123892048570174739009
pref#59760358711161162559492380


We can see that ROV ASes announced apparently fewer invalid routes compared to 
the non-ROV ASes, though they did not filter all the invalids. 
AS6939 announced apparently more invalid routes compared with other ROV-ASes. 
We learned from the discussions two years ago 
(https://mailman.nanog.org/pipermail/nanog/2020-June/108309.html) that AS6939 
uses reactive ROV. I.e., route collectors identify invalid routes, write them 
into scripts and send them to routers, which then send "withdrawals" of the 
invalids based on the scripts.
However, for the BGP collection time 2022-10-31 00:00:00, we downloaded the 
two-hour updates afterwards, and found very few withdrawals from AS6939 about 
those invalid routes in the first hour. In the second hour, AS6939 withdraws 
hundreds of invalid prefixes, but most of these withdrawals are followed by 
another invalid announcement with the same prefix and same invalid origin AS.


Can anyone help us to correctly interpret this case? Thank you very much.
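
The measurement described in this post, as an added example that is not part of the original thread: routes are classified with the RFC 6811 origin-validation rules, and an update stream is scanned for invalid routes that are withdrawn and then re-announced with the same invalid origin. The ROAs, ASNs, prefixes and updates are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed ROAs: (prefix, maxLength, authorized origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]

def rov_state(prefix, origin, roas=ROAS):
    """RFC 6811: 'valid', 'invalid' or 'not-found' for (prefix, origin)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        # AS0 in a ROA never matches; maxLength bounds more-specifics.
        if asn != 0 and asn == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def reannounced_invalids(updates, roas=ROAS):
    """Return (ts, prefix, origin) for each invalid route that comes back
    with the same origin after having been withdrawn."""
    announced, withdrawn, hits = {}, {}, []
    for ts, kind, prefix, origin in sorted(updates, key=lambda u: u[0]):
        if kind == "W":
            if prefix in announced:
                withdrawn[prefix] = announced.pop(prefix)
        elif rov_state(prefix, origin, roas) == "invalid":
            if withdrawn.get(prefix) == origin:
                hits.append((ts, prefix, origin))
            withdrawn.pop(prefix, None)
            announced[prefix] = origin
        else:  # valid or not-found announcement replaces any invalid state
            announced.pop(prefix, None)
            withdrawn.pop(prefix, None)
    return hits

# Constructed updates: (seconds since RIB snapshot, A/W, prefix, origin).
UPDATES = [
    (0, "A", "192.0.2.0/24", 64511),     # invalid: wrong origin
    (10, "A", "203.0.113.0/24", 64501),  # valid
    (20, "A", "198.51.100.0/24", 64502), # not-found: no covering ROA
    (3600, "W", "192.0.2.0/24", None),   # withdrawal in the second hour
    (3660, "A", "192.0.2.0/24", 64511),  # same invalid origin returns
]

if __name__ == "__main__":
    for hit in reannounced_invalids(UPDATES):
        print("withdrawn then re-announced invalid:", hit)
```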