This document discusses routing incidents and invalid routes in Bangladesh and reasons they still exist. It suggests implementing route origin validation at internet exchange points and internet gateway operators to filter invalid routes and make the country's routing table free of invalid routes. This involves transit providers and internet exchanges dropping invalid routes according to RPKI rather than propagating them. Creating accurate route origin authorizations and only announcing authorized routes in BGP is also encouraged to address invalid routes at their source.

1. RPKI invalids aren’t gone yet
Md. Abdul Awal
awal@nsrc.org

2. Routing Incidents in Bangladesh
bdNOG12 2
Stats: observatory.manrs.org
0
5
10
15
20
25
Jul-19 Aug-19 Sep-19 Oct-19 Nov-19 Dec-19 Jan-20 Feb-20 Mar-20 Apr-20 May-20 Jun-20 Jul-20 Aug-20
Number of routing incidents in BD
Incidents haven’t
been reduced

3. RPKI Status of BGP Prefixes in Bangladesh
bdNOG12 3
Stats: observatory.manrs.org
0
10
20
30
40
50
60
70
80
90
100
Jul-19 Aug-19 Sep-19 Oct-19 Nov-19 Dec-19 Jan-20 Feb-20 Mar-20 Apr-20 May-20 Jun-20 Jul-20 Aug-20
RPKI status of BGP announcements in BD
Valid Not Found Invalid
Invalids are not
going away
1% of total BGP announcements in
BD are still invalid, that’s about
50 prefixes in global BGP table

4. Prefix/Route Hijack: The Common Routing Incident
bdNOG12
AS 65505
AS 64512
AS 64710
AS 65500
AS 64805
AS 64650
AS 65510
Prefix
Hijacker
192.168.0.0/24
192.168.0.0/24
AS 65500 owns 192.168.0.0/24
AS 65510 does NOT own 192.168.0.0/24 AS 64805 takes wrong path
to 192.168.0.0/24

5. RPKI could solve it
bdNOG12
Signing prefixes
a.k.a. creating ROA1
RIR CA
RIR Resource DB
Member Login
Authentication
2001:db8::/32
192.0.2.0/24
AS 65000
ROA
Validating ROAs
a.k.a doing ROV2
RPKI Repository RPKI Validator BGP Router
RTR Protocolrsync/RRDP

6. What makes a route RPKI Invalid?

7. Route Origin Authorization (ROA)
bdNOG12
192.168.0.0/22
65500
/23
Prefix
ASN
Max Length
192.168.0.0/22
192.168.0.0/23
192.168.0.0/24
192.168.1.0/24
192.168.2.0/23
192.168.2.0/24
192.168.3.0/24
Prefixes covered
by the ROA

8. Route Origin Validation (ROV)
bdNOG12
192.168.0.0/22
65500
/23
192.168.0.0/24 ...65500 192.168.0.0/24 ...65520
192.168.0.0/23 ...65520
Max Length
Invalid
Max Length+Origin
Invalid
Origin Invalid
VRP
R1
BGP Routes

9. Let’s see some examples

10. Example: RPKI Invalids
bdNOG12 10

11. Example: Invalid Origin
bdNOG12 11

12. Example: Invalid Prefix Length
bdNOG12 12

13. More Example: Invalid Prefix Length
bdNOG12 13

14. So, why invalids exist in BD’s
routing atmosphere?

15. Several reasons…
• Incorrect ROAs
§ Mostly because of misconfigured Max Length
§ Sometimes because of wrong ASN
§ Lack of awareness?
• Wrong BGP annoucements
§ Route advertised without checking its ROA
§ Old habit?
• Most importantly, no origin validation
§ Transit providers and IXPs are missing this bit, any reason?
bdNOG12 15

16. Fix it: Who and How
bdNOG12 16
192.168.0.0/22
65500
/23
Create appropriate
ROAs for your prefixes
Announce only the
correct prefix in BGP
Implement origin validation
i.e. drop RPKI Invalids

17. Route Origin Validation at NIX and IIG
bdNOG12 17
AS 65505 AS 64512 AS 64710
AS 65500
Route Server
NIX Switch
No invalid routes
towards peers
Invalid routes
droped by NIX
AS 65505 AS 64512 AS 64710
International
Transit
IIG Router
No invalid routes
towards cliets
Invalid routes
droped by IIG
AS 65530
AS 65500
Internet Exchange Point Transit Provider Network

18. Validation could make our routing table Invalid-free
bdNOG12 18
International Transits
Internet Routing Infrastructure of BD
Without Validation
International Transits
Internet Routing Infrastructure of BD
With Validation
IIG NIX ISP
IIGs can prevent Invalid route
propagation to and from BD

19. Thanks!
Questions?
awal@nsrc.org