IPv4 Market Improves
Internet Routing Security
by IPv4.Global Staff
Many organizations were assigned IPv4 addresses before ARIN was established in 1998. Those legacy organizations aren’t required to contract with ARIN for registration services. Others, who do so, pay for the operation of the registry, a public database, and policy development. But no-contract, legacy addresses don’t simply offer the holder a free ride without some cost. There are security sacrifices involved.
Transferring IPv4 addresses from a legacy holder to an organization with an RIR contract can improve internet routing security. The security improvement occurs because organizations whose addresses are under an ARIN contract can benefit from processes and services not available when ARIN was established. These services reduce the impact of various configuration errors on networks – among other benefits – and are only available to contracted members.
The RIRs’ transfer policies have been a success. Over 90 million IPv4 addresses have been transferred to specified recipients within the ARIN region. About 40 million IPv4 addresses have been transferred from ARIN to other RIR regions.
In most cases, the contract status of transferred resources changes. ARIN requires transfer recipients in its service region to sign a standard contract. When an organization signs a contract with ARIN, the registry is more accurately maintained. ARIN can check who signs the contract and know where the payment comes from.
Other RIRs require a contract with one exception. The RIPE NCC will allow legacy resources to retain that status and be uncontracted but will not provide RPKI services. RPKI requires a contract.
What Is the Problem?
ARIN recognized the contribution of the earliest internet pioneers by not requiring them to pay fees for basic services, like updating their contact details and reverse DNS delegation.
For those under contract, ARIN has 11 fee tiers. They start at $250 for organizations with an IPv4 /24, sometimes called a Class C, and up to three AS Numbers. The ‘Medium’ tier costs $4,000 for organizations with between 16 thousand and 65 thousand IPv4 addresses. Organizations with up to 16 million IPv4 addresses pay $64,000 a year. There are two higher tiers.
But legacy users don’t have access to ARIN’s official Internet Routing Registry (IRR) or RPKI services. RPKI issues digital certificates for IP addresses and AS Numbers. Holders use these certificates to create signed statements that link their IP addresses to the AS Number that announces them. Because the statements are signed, software can validate them automatically and use them to build filters.
An IRR is a database where networks share information about how their IP addresses are routed across the internet. Other networks use this registration to build filters. If a network accidentally breaks its routing configuration, filters in other networks won’t accept the accidental routing announcement.[1]
There are two classes of IRR. The official class is operated by the RIRs and NIRs. They get their status because they are the source of the authoritative information about who is responsible for IP addresses and AS Numbers. The second class of IRRs is operated by large networks. They need to use publicly available information about who manages IP addresses and AS Numbers when validating what people register in their databases.
Most of the unofficial IRRs started when ARIN did not offer an official IRR. At RIPE 88, Richard Jimmerson, its COO, explained that because ARIN is “locked down by policy and the wishes of the community,” it cannot provide IRR services to organizations unless they sign a contract.
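The validation step described above, as an added example that is not part of the original article: RPKI route origin validation (RFC 6811) run against a small set of constructed ROAs, with the three possible outcomes and a filter built from them. The prefixes and AS numbers are documentation values, not real registrations.

```python
import ipaddress

# Constructed ROAs as (prefix, maxLength, origin AS). Documentation values only
# (RFC 5737 / RFC 5398); real ROAs are signed objects fetched from RPKI repositories.
ROAS = [
    ("192.0.2.0/24", 24, "AS64496"),
    ("198.51.100.0/22", 24, "AS64497"),  # holder permits /22 down to /24 from AS64497
]

def rov_state(prefix, origin, roas=ROAS):
    """Return 'valid', 'invalid' or 'notfound' for one announcement.

    A ROA covers an announcement when the ROA prefix contains the announced
    prefix. The announcement is valid only if some covering ROA also names the
    announcing AS and the announced prefix length does not exceed maxLength."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r[0]))]
    if not covering:
        return "notfound"            # no signed statement about this space at all
    for _roa_prefix, max_len, roa_as in covering:
        if roa_as == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid"                 # covered, but wrong origin or too specific

def rov_filter(announcements, roas=ROAS, accept_notfound=True):
    """Keep announcements that pass origin validation.

    Invalid routes are always dropped. Unsigned space ('notfound') is accepted by
    default because much of the internet has no ROA yet; set accept_notfound=False
    for a stricter, ROA-only policy."""
    kept = []
    for prefix, origin in announcements:
        state = rov_state(prefix, origin, roas)
        if state == "valid" or (state == "notfound" and accept_notfound):
            kept.append((prefix, origin))
    return kept

# Constructed announcements: (prefix, origin AS) as a router would receive them.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", "AS64496"),      # exact match of a ROA: valid
    ("192.0.2.0/25", "AS64496"),      # right origin, but longer than maxLength: invalid
    ("198.51.100.0/23", "AS64497"),   # within the /22..24 range the ROA allows: valid
    ("198.51.100.0/24", "AS64499"),   # covered space, wrong origin: invalid
    ("203.0.113.0/24", "AS64498"),    # no ROA covers it: notfound
]
```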
Routing Problems
Postal mail is routed starting with the most important information and ending with the most detailed. For international mail, the country is processed first, and the city and then street information come last.
Internet routing is similar. A sending network only needs to know the right direction to send traffic. It doesn’t need to know about the internal structure of other networks. But sometimes networks make configuration errors, or there are bugs in equipment.
Organizations who manage their own internet connectivity update equipment based on estimated growth over several years. The internet had seen linear growth in the number of routes between independently managed networks since 1989. But a sudden, temporary change in demand can render those plans useless.
1997 started with about 40,000 routes in the internet’s routing table. It ended with about 50,000. But for a few hours in April 1997 the number of routes grew from about 45,000 to almost 120,000, when AS7007 leaked 72,000 internal routes. Other networks did not need to see those internal routes. When they did, many found they did not have the capacity to cope with so much information, and shut down.
But not everyone suffered equally. Those who used IRRs to filter suffered less. Building filters from IRRs is now an expected part of keeping the internet running.
But there’s a tension. IRRs began in the early 1990s when the internet wasn’t very important and trust was higher. Some networks built filters by creating IRR entries for their customers. These proxy registrations led to duplicate entries and some confusion.
Filters and Scale
Engineers presented on the impact of ignoring unofficial IRRs at RIPE 88. It is part of work they are doing to develop a Best Common Practice (BCP) for building Route Server filters. They measured the potential for improvement. It varies between Internet Exchange Points. But thousands of network prefixes would benefit from improvements if their contract status changed.
Route servers help large IXPs scale. Every connected network shares routing information with the route server. The route servers just share information about the routes available. They don’t forward traffic themselves.
The alternative would be configuring an exchange of data with every other network. An IXP like IX.br has over 1,700 members and 2,200 connections. Reducing the amount of configuration each network manages is an important function of the route server.
The route servers need to filter the routes shared with them. Otherwise, a configuration mistake could impact the whole IXP. The IXPs developing this BCP want to only use IRRs that have the most authoritative data.
So, they want to encourage everyone who can to use the RIRs and NIRs official IRR databases.
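How a route server turns IRR route objects into a filter, and what changes when only the RIR-operated databases are trusted, as an added example that is not part of the article or of the RIPE 88 work it describes. The route objects, announcements, prefixes and AS numbers are constructed documentation values; the exact-match policy is the conservative prefix-list style, chosen here for illustration.

```python
import ipaddress

# Constructed RPSL-style route objects (RFC 5737 / RFC 5398 values), not real registrations.
IRR_OBJECTS = """
route: 192.0.2.0/24
origin: AS64496
source: ARIN

route: 198.51.100.0/24
origin: AS64497
source: RADB
"""
# RIR-operated IRRs, the article's "official" class; RADB is deliberately absent.
AUTHORITATIVE = {"AFRINIC", "APNIC", "ARIN", "LACNIC", "RIPE"}
# Constructed announcements as a route server would see them: (prefix, origin AS).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", "AS64496"),     # registered in ARIN
    ("192.0.2.0/25", "AS64496"),     # more-specific than any route object: leak shape
    ("198.51.100.0/24", "AS64497"),  # registered only in RADB
    ("198.51.100.0/24", "AS64499"),  # registered prefix, but a different origin
]

def parse_route_objects(text):
    """Return (prefix, origin, source) for each blank-line-separated route object."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = {k.strip(): v.strip()
                 for k, v in (line.split(":", 1) for line in block.splitlines())}
        objects.append((ipaddress.ip_network(attrs["route"]),
                        attrs["origin"].upper(), attrs["source"].upper()))
    return objects

def build_filter(objects, trusted_sources):
    """Map origin AS -> prefixes registered for it, using trusted IRRs only."""
    allowed = {}
    for prefix, origin, source in objects:
        if source in trusted_sources:
            allowed.setdefault(origin, set()).add(prefix)
    return allowed

def evaluate(announcements, allowed):
    """Accept only an exact prefix+origin match (prefix-list style route-server filter)."""
    return {(p, o): ipaddress.ip_network(p) in allowed.get(o, set()) for p, o in announcements}

def affected_by_restricting(objects, announcements, trusted_sources):
    """Accepted with every IRR trusted but rejected trusted-only: the gap measured at RIPE 88."""
    every = evaluate(announcements, build_filter(objects, {s for _, _, s in objects}))
    strict = evaluate(announcements, build_filter(objects, trusted_sources))
    return [a for a in announcements if every[a] and not strict[a]]
```

Moving the RADB-only registration to an RIR IRR (what a transfer to a contracted holder makes possible) empties the affected list, while the leaked more-specific stays rejected under either policy.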
RADB, Customer Service, and the Future
The engineers found that about 70 percent of the prefixes shared at their IXPs have routes registered in RADB. This is an IRR run by MERIT, a US regional research and education network.
During the discussion at RIPE 88, RADB was praised. It is not just popular because its customers cannot use ARIN’s authenticated IRR. Remko van Mook, who serves on the RIPE NCC’s board noted that: “there’s a support phone number, an e‑mail address, which companies love and is that maybe something that [the RIRs] should be fixing?”
The customer service wins are balanced out by the less authoritative nature of what they publish. This research and the BCP that inspired it are part of an industry push to improve routing security.
The transfer market is giving more IP addresses access to authenticated IRRs. Addressing some of the customer service issues can help. But so can adjusting some of the automation that registers routes and builds filters from RADB and other unofficial IRRs.