./detector.out <old file> <new file> <outputfile>
optional flags:
--U2I - enables unknown to invalid downgrade reporting, beware generates large files.
The RPKI Downgrade Detector takes the state of RPKI at two points in time (called old and new) and computes the downgrades that have occurred when the earlier state transitioned to the newer state.
Our tool detects downgrades in the validity state of all possible routes, regardless of whether or not they are announced in BGP. It can therefore be used as an alert system for potentially-harmful changes to the RPKI, independent of information available from a specific BGP vantage point.
The main datastructure of the RPKI Downgrade Detector is interval trees. These interval trees are used to store the validity states of all possible routes and can be computed in O(n log n) time, where n is the number of (prefix, AS, maxlength)-tuples. This datastructure allow us to efficiently compute all downgrades from one state of the RPKI to another.
git clone [email protected]:BUSEC/RPKI_Downgrade_Detector.git
make all
The downgrade detector ingests the output of the scan_roas utility. Unfortunately scan_roas as distributed by the rcynic project is missing a field that we require. Therefore the next step to getting the downgrade detector setup is compiling a modified a version of scan_roas.
First we need to download rcynic and configure rcynic.
svn checkout http://subvert-rpki.hactrn.net/trunk/
cd trunk
svn up -r5064
./configure --disable-ca-tools
make all
Next we copy our modified scan_roas c file into the rcynic directory for scan_roas and compile it.
cp RPKI_Downgrade_Detector/scan_roas.c trunk/utils/scan_roas/
cd trunk/utils/scan_roas/
make all
For the rest of this documentation when we use the command './scan_roas', we will be referring to the modified scan_roas command in this directory. You may have to reference this command by exact path to avoid confusion the default scan_roas.
Follow the directions on the rcynic webpage to setup rcynic.
Once rcynic is up and running (a guide to getting rcynic running) it should create an authenticated directory with the current timestamp; this directory contains all valid RPKI objects rcynic was able to download at a given time. After two runs you should have two timestamped authenticated directories, one directory for each run. We can now use the detector to notice any downgrades between these two snapshots of RPKI state. We will refer to the older authenticated directory as 'authenticated-old' and the most recent authenticated directory as 'authenticated-new' in place of timestamps.
Use the modified scan_roas files to create two files 'old.sr' and 'new.sr' from the two authenticated directories.
cd trunk/utils/scan_roas/
./scan_roas /path/to/authenticated-old/ > old.sr
./scan_roas /path/to/authenticated-new/ > new.sr
The detector takes the files old.sr, new.sr (as generated by scan_roas above), and an output filename and outputs the downgrades between old and new in the output file.
./detector.out old.sr new.sr output.json
Note that due to the large number of unknown to invalid downgrades we ignore these downgrades unless the flag --U2I is supplied.
The downgrade detector writes each downgrade to the output file as a new line. Each of these lines are valid json. An example of this format can be found here The format is described as follows:
{"CHANGE":"-V2I", "ROA":{"AS":3, "PREFIX":"120.60.128.0/25-27", "PATH":"/var/rpki/data/authenticated-x/"}, "EFFECT":["[120.60.128.0-120.60.128.0] /25", "[120.60.128.0-120.60.128.64] /26", "[120.60.128.0-120.60.128.96] /27"]}
- CHANGE - The type of downgrade is that took place. Values can be: valid to invalid "-V2I", valid to unknown "-V2U", and unknown to invalid "+U2I".
- ROA - A hash describing the ROA that is responsible for this downgrade.
- EFFECT - A list of IP prefix ranges downgraded.
We have developed a javascript library for parsing and visualizing these tools. It is currently awaiting release.