IPv4 Exhaustion::Trading Routing Autonomy for Security

By: Danny McPherson

To see who’s been paying attention, let’s kick this off with a quiz. What do the following three items have in common:

  1. Allocation authentication (i.e., titles) for Internet numbers (i.e., IPv4 & IPv6 addresses, AS Numbers)
  2. Inter-domain routing security on the Internet
  3. IPv4 exhaustion

If your answer was along the lines of:

  • 2 requires 1
  • 3 requires 1 if IP addresses become resources
  • 3 has implications on 2, in particular from a scalability perspective

Then you’re pretty close.

One of the big problems with securing inter-domain routing on the Internet is that no central authoritative verifiable source exists for who owns a particular routing domain identifier or set of IP addresses, and which routing domain(s) are authorized to advertise that address space. Now, I know you’re thinking, what about IANA, and Regional Internet Registries (RIRs) such as APNIC, ARIN and AfriNIC, and all that stuff? Well, true, IANA allocates blocks of addresses and AS numbers to RIRs, who subsequently allocate those numbers to Local Internet Registries (LIRs), National Internet Registries (NIRs), or directly to ISPs or other network operators.

However, that’s pretty much as far as it goes. That is, allocations from RIRs have no impact on what’s actually routed on the Internet, or who uses what IP address space. We’d all like to think it does, especially the RIRs, and a sort of MAD model suggests it to be the case, but it isn’t. To illustrate this point consider The CIDR Report, which suggests 317 potentially bogus AS numbers, and 392 potentially bogus route announcements that are being advertised in the global routing system today. Note that ‘bogus’ in this case refers to unallocated by IANA or an RIR, or no record of allocation exists.

Basically, if you’ve got an AS number and a BGP session with a willing peer or two, you could advertise into the routing system pretty much whatever IP space you’d like and start using that space – as illustrated with the YouTube and Africa Online Kenya route hijacks as of late. Heck, you could even register it in one of 50 or so Internet Routing Registries (IRRs) as yours, assuming they don’t verify actual RIR allocations (e.g., as RIPE does). It’s not something I’d recommend, but if there’s not contention for that advertisement and use of that address space (i.e., someone else is using it, either legitimately or not) then it’s all yours – until it’s legitimately allocated (or not) and someone else starts using it – then there’s contention.

Now, as you might suspect, if you’re an RIR and your whole reason for existence is management of Internet number resources, you might consider this a threat. Or, if you’re me, you might consider it something that’s been fundamentally broken and in need of attention for a long time now, but mostly ignored because the appropriate folks didn’t have the right incentive to invest in the egg part of this chicken/egg problem.

Enter the egg incentive::IPv4 exhaustion. Consider this:

Then one might surmise that the value of an IPv4 address is about to increase considerably. Not only is the value going to increase, a market for trading of IP number resources is about to emerge. Don’t believe me? Have a look at the last ten thousand or so emails on ARIN’s public policy mailing list (PPML) – which is full of network engineers turned economists. But wait, isn’t management of IP resources the responsibility of RIRs? But they don’t actually have any control over this today, and as such, how could they possibly maintain some semblance of control?

Ahh, enter Resource PKI and SIDR, with community and specifically RIR work on Resource Certification. In short, this work is aimed at providing an infrastructure that enables certification of “Right of Use” for IP addresses and AS numbers with X.509 Resource Certificates. If this infrastructure exists then it can be used by RIRs to maintain control of IP number resources. It could also be used by folks for informational purposes, or to define routing policies based on a verifiable source, or even directly employed by the routing system itself through protocols such as SBGP.

Upon full employment of such a system, the fundamental change here is that the IP resource allocation hierarchy that exists today, which is sort of an out of band function that has no direct consequence on what’s actually routed, now could have direct control over what’s routable, what’s actually routed on the Internet, and perhaps most importantly, what’s not. So, if you don’t pay your RIR membership fees, your address allocations could actually be revoked, and this could trickle its way into the routing system, where filters might be augmented to discard your route announcements, or into a protocol like SBGP where it’s actually automated.
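To make the "filters might be augmented" step concrete, here is an added sketch (not from the original post) of a filter that classifies announcements against certified origin authorizations, using the valid / invalid / not-found semantics later standardized in RFC 6811, which the post does not name. The `Authorization` record, the function names, and all prefixes and AS numbers are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Authorization(NamedTuple):
    """A certified right to originate `prefix` (down to max_length) from origin_as."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int

def validate_origin(prefix, origin_as, authorizations):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for auth in authorizations:
        if not route.subnet_of(auth.prefix):
            continue  # this authorization says nothing about the route
        covered = True
        if auth.origin_as == origin_as and route.prefixlen <= auth.max_length:
            return "valid"
    # Covered by some authorization but matched by none: someone else holds the title.
    return "invalid" if covered else "not-found"

def accept(prefix, origin_as, authorizations, strict=False):
    """Filter decision; strict=True also discards routes with no authorization."""
    state = validate_origin(prefix, origin_as, authorizations)
    return state == "valid" or (state == "not-found" and not strict)

def revoke(authorizations, origin_as):
    """Model the registry revoking every authorization issued for one AS."""
    return [a for a in authorizations if a.origin_as != origin_as]

net = ipaddress.ip_network
# Constructed sample data: documentation prefixes (RFC 5737) and AS numbers (RFC 5398).
ISSUED = [
    Authorization(net("198.51.100.0/24"), 24, 64496),    # upstream's aggregate
    Authorization(net("198.51.100.128/25"), 25, 64500),  # member carved from it
    Authorization(net("203.0.113.0/24"), 24, 64501),     # stand-alone member block
]

if __name__ == "__main__":
    for label, table in (("issued", ISSUED), ("64500 revoked", revoke(ISSUED, 64500)),
                         ("64501 revoked", revoke(ISSUED, 64501))):
        for pfx, asn in (("198.51.100.128/25", 64500), ("203.0.113.0/24", 64501),
                         ("203.0.113.0/25", 64501), ("203.0.113.0/24", 64511)):
            print(label, pfx, asn, validate_origin(pfx, asn, table),
                  "accept" if accept(pfx, asn, table) else "discard")
```

Revocation becomes an automatic discard only when a covering authorization remains (AS64500's block turns invalid) or when the operator filters strictly; the stand-alone block merely drops to not-found, at which point an unrelated origin is treated the same as the former holder.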

This to me represents a fundamental change – RIRs will be taking on an operational role they’ve never had. If their systems are compromised or unavailable, or have some policy mandated by government or other entities, it could have considerable consequences.

With that, let’s take a step up. With this RPKI thing who’d be the trust anchors (TAs) in the certificate hierarchy? Well, IANA gives address space to RIRs, so maybe they should be the root? Or should RIRs be the root TA for space they’ve been allocated from IANA? Or is it a multi-TA system with the RIRs and IANA? Surely IANA will need to be the root for at least the legacy space they allocated that pre-dates RIRs, as well as reserved IPv4 and IPv6 space, and all that space that has yet to be allocated to RIRs.

OK, so IANA and/or the RIRs “hold the keys”. But wait, doesn’t IANA fall under an ICANN umbrella? Doesn’t ICANN operate under an agreement from the US government, specifically, the Department of Commerce, something from which they’d prefer to become more independent? Wasn’t there some reluctance from the DNSSEC community because of perceived Internet governance by the US?

If this RPKI thing exists, and folks use it to secure the routing system, could sanctions or embargoes now include what essentially results in revocation of a country’s Internet address space and associated Internet connectivity privileges? That’s certainly a feature that does NOT exist in today’s Internet routing system. And such a capability is actually far more powerful than that of a DNS corollary, as you could have multiple root DNS systems on the same IP infrastructure (ask China), but you can’t have multiple disjoint IP allocation structures in the same routing system (which one might argue we have today).

I’ve been rambling for a bit, I should probably wrap this up. Takeaways:

  • SIDR and RPKI work are being driven by the RIRs for reasons well beyond that of simply enabling secure routing on the Internet
  • IPv6 is coming, IPv4 address space exhaustion is for real, and we’ll all likely be feeling some pain from this very soon
  • If you operate a network, you’d better be paying attention, as some fundamental changes to your world are on the horizon.

FWIW, I think the SIDR and related work is, as evidenced, necessary. It’s just that we need to be well aware of what we’re trading off.

Comments

  1. There is another option aside from the more heavyweight sBGP option:

    soBGP allows you to take the decision in a different direction, but still provides for some validation of the origin of the prefix/route-object… It’s an interesting idea and may alleviate some of the business and technical questions behind sBGP today.

    -Chris
    (nice write-up by the way)