nanog mailing list archives

Re: BGPMON Alert Questions


From: Benno Overeinder <benno () NLnetLabs nl>
Date: Fri, 04 Apr 2014 12:31:35 +0200

On 04/04/2014 05:06 AM, Sharon Goldberg wrote:
> Finally, like Randy says, RPKI deploys quite different from BGPSEC. My
> intuition says that (1) once the RPKI is fully populated with ROAs for all
> originated prefixes, then (2) a partial deployment of origin validation at
> a few large ISPs should be fairly effective. But I would have to validate
> this with experiments before I can be sure, or say exactly how many ISPs,
> etc.

Indeed.  An MSc project did a (limited) evaluation measuring the effects
of RPKI route origin validation of a Dutch ISP, xs4all, whose prefixes
were incorrectly injected by another (larger according to CAIDA cone
ranking) European ISP.

With ROAs published and a small percentage (order of 5%) of the largest
ISPs doing route origin validation, this would filter the incorrect
announcement and result in about ~98% globally correct routes in the
35000 ASes (this work was done a couple of years ago).  With no route origin
validation (or any other filtering) the percentage of correct routes at
the ASes would be ~25% globally.  Again, this was a specific scenario.

See for results and figures the slides at
http://www.caida.org/workshops/bgp-traceroute/slides/bgp-traceroute1108_rpki_deployment_study.pdf
(slide 18).

Best,

-- Benno

-- 
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/
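
The filtering step discussed in this message, route origin validation against published ROAs, sketched as an added example that is not part of the original post or the cited study. It follows the RFC 6811 valid / invalid / not-found classification; the ROAs, prefixes (RFC 5737 documentation ranges) and AS numbers (RFC 5398 documentation ASNs) are constructed sample data.

```python
import ipaddress
from collections import namedtuple

# Constructed sample ROAs: (authorised prefix, maxLength, origin AS).
ROA = namedtuple("ROA", "prefix max_length asn")
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    ROA(ipaddress.ip_network("198.51.100.0/24"), 25, 64497),
]

def validate(prefix, origin_asn, roas=ROAS):
    """Classify one announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        # A ROA covers the route if the route's prefix lies inside the ROA prefix.
        if net.version != roa.prefix.version or not net.subnet_of(roa.prefix):
            continue
        covered = True
        # A covering ROA matches if the origin agrees and the route is not
        # more specific than maxLength. AS0 ROAs never match any route.
        if roa.asn != 0 and roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

def filter_routes(announcements, roas=ROAS):
    """Policy of a validating AS: drop 'invalid', keep 'valid' and 'not-found'."""
    return [(p, a) for p, a in announcements if validate(p, a, roas) != "invalid"]

# Constructed announcements as seen by a validating AS.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # legitimate origin
    ("192.0.2.0/24", 64511),       # same prefix injected by another AS
    ("192.0.2.0/25", 64496),       # right origin, longer than maxLength
    ("198.51.100.128/25", 64497),  # more-specific allowed by maxLength 25
    ("203.0.113.0/24", 64511),     # no ROA published for this prefix
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:20} AS{asn}  {validate(prefix, asn)}")
```

The last announcement shows why point (1) in the quoted text matters: without a published ROA the route is not-found and passes the filter whatever its origin.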


