17 Nov

Measuring latency to endpoints with blocked ICMP

And a blog post after a while. Last few months went busy with RPKI. After my last post about RPKI and the fact that India was lacking a little bit on RPKI ROA front, we started with a major push by a set of like-minded folks like us. For now, Indian signed table has jumped from 12% since Aug to 32% now in Oct. Detailed graphs and other data can be found here on the public Grafana instance.

In terms of absolute percentage, India now has the highest number of absolute signed prefixes in this region. 13972 Indian prefixes have a valid ROA and nearest to that is Taiwan at 6824. Though 13972 results in just 32% of the Indian table while 6824 results in 91% of Taiwanese table. So a long way to go for us.

If you are a network operator in India and reading this, consider joining our RPKI webinar which is planned at 3 pm (IST) on 18th Nov 2020. You can register for the event here. Or buzz me to talk about RPKI!


Catching Covid-19

Besides RPKI push I also caught up with Covid19 along with family members. Luckily for us, it went fine and wasn’t that painful. The impact was mild and everyone has recovered. Phew!
I hope readers of this blog post are well.

TraceroutePing in Smokeping

Coming to the topic for today’s blog post. I recently came across this excellent Smokeping plugin which solves a very interesting problem. There are often nodes we see in the traceroute/MTR which is either not routed or simply block ICMP/TCP/UDP packets which are addressed to them. This can include routers which have a pretty harsh firewall dropping everything addressed to them as well as cases where we have IX or any other non-routed IP in the traceroute. It becomes tricky to measure latency to those. Someone used the simple idea of incremental TTLs as used in traceroute to get a reply from these middle nodes of “TTL time exceeded error” and based on that a way to plot latency.

Let’s look at a real-world case: One of ISP serving my home is IAXN AS134316 and they peer with my ex-employers network Spectra AS10029 at Extreme IX in Delhi. Let’s see how traceroute to Spectra’s anycast DNS looks from my home.

traceroute -P icmp 180.151.151.151
traceroute to 180.151.151.151 (180.151.151.151), 64 hops max, 72 byte packets
 1  router01.rtk.anuragbhatia.com (172.16.0.1)  2.818 ms  1.876 ms  4.274 ms
 2  10.10.26.6 (10.10.26.6)  4.258 ms  4.301 ms  5.953 ms
 3  10.10.26.5 (10.10.26.5)  5.490 ms  5.916 ms  5.257 ms
 4  10.10.26.29 (10.10.26.29)  11.349 ms  9.246 ms  9.430 ms
 5  as10029.del.extreme-ix.net (45.120.248.51)  10.628 ms  8.802 ms  9.609 ms
 6  resolver1.anycast.spectranet.in (180.151.151.151)  8.446 ms  9.113 ms  10.699 ms

Now hop 5 here is likely Spectra’s Delhi router’s interface which has Extreme IX IP – 45.120.248.51. Let’s see what we get when we ping it.

ping -c 5 45.120.248.51
PING 45.120.248.51 (45.120.248.51): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3

--- 45.120.248.51 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

I cannot ping it. Let’s look at the trace to it to see where it drops.

traceroute -P icmp 45.120.248.51
traceroute to 45.120.248.51 (45.120.248.51), 64 hops max, 72 byte packets
 1  router01.rtk.anuragbhatia.com (172.16.0.1)  3.196 ms  1.790 ms  4.421 ms
 2  10.10.26.6 (10.10.26.6)  5.514 ms  3.624 ms  5.323 ms
 3  10.10.26.5 (10.10.26.5)  5.252 ms  4.043 ms  3.671 ms
 4  * * *
 5  * * *
 6  nsg-static-77.249.75.182-airtel.com (182.75.249.77)  14.221 ms  10.963 ms  11.574 ms
 7  116.119.68.58 (116.119.68.58)  146.531 ms  147.899 ms  146.065 ms
 8  * * *
 9  * * *
10  * * *

Now, this is an interesting and not very unexpected result. Basically, my ISP – IAXN AS134316 does not has any route in it’s routing table for 45.120.248.51 and hence passing it to default route towards it’s upstream Airtel. BGP wise IAXN is not supposed to have any route belonging to IX peering IP anyways and that’s expected. Likely their router which peers with Extreme IX is different from the router which serves me and is possibly missing sharing of connected routes via IGP and hence the unexpected path. As soon as traffic hits Airtel router with a full routing table & no default route, it drops it.

In this setup, I cannot reach Spectra’s interface connected to the Extreme IX (45.120.248.51) directly if I try to send packets to it. But I do know from the first trace that it comes in middle when I try to send packets to 180.151.151.151. This option can be used where packets can be sent with incremental TTL and latency can be measured and even graphed. This concept can be used even if there’s a use of private IPs before the destination.

So this goes to my Probe config

+ TraceroutePing

binary = /usr/bin/traceroute # mandatory
binaryv6 = /usr/bin/traceroute6
forks = 5
offset = 50%
step = 300
timeout = 15

and this goes to my Target’s config

++SpectraExtremeIXInterface
probe = TraceroutePing
menu = Spectra via Extreme IX
title = Spectra via Extreme IX
host = 45.120.248.51
desthost = 180.151.151.151
maxttl = 15
minttl = 5
pings = 5
wait = 3

How it works?

A reminder on working on traceroute!

Remember the concept of TTL in IP routing. TTL is time to live and basically whenever the router passes the packets, it decreases TTL by 1 and when TTL reaches 0, the router just drops it. This ensures loops aren’t as dangerous in layer 3 as we see in layer 2. Now when a router drops packets with TTL 0, it replies back to the source saying “TTL exceeded” and the reply packets have the router’s source IP address. That way traceroute can send 1st packet with TTL 1, 1st router in the chain gets it, reduces TTL by 1 and (now that TTL is 0) drops it with a reply from its source IP. Next, another packet is sent with TTL 2 and so on.

Note: Thanks to networking folks from OVH Cloud who replied me with this probe on Twitter. It wasn’t what I was looking for but quite fascinating and useful!
Time to go back into the routing world! 🙂

14 Jul

Tracking Indian RPKI data

So based on my friend – Abdul Awal’s tweet, I started looking at the latest RPKI ROA data for India. His Tweet came when I was in the middle of moving my blog from WordPress running over LXC containers to now WordPress over docker with bitnami’s image. Bit of optimisation is still pending.

Firstly I wanted to validate the claim. I have seen some data here and there but not comprehensive data to compare various countries across the region. So I thought to prepare it. As I started, I realised it makes more sense to write a tool and just automate it so that tool can lookup for data every day and keeps a webpage updated.

How can one compare RPKI ROAs across the region?

I thought of a few possible ways and settled for using APNIC’s delegation file to find ASNs and then looked for the announcement from those ASNs for selective countries. My code checked the data for Afghanistan, Pakistan, India, Nepal, Bhutan, Bangladesh, Sri Lanka, Myanmar, Thailand, China, Taiwan, Cambodia, Vietnam, Malaysia and Singapore.

Next step was to find prefixes. For this, I relied on RIPE RIS RRC01. It has got 27 full table feeds at the time of writing this blog post from its members.

Then to run validation, I relied on super fast RPKI API from my friend Louis. Results go into a database and next, Grafana to graphs this data.

And with only 12% valid signed prefixes (against total announcement) we are looking at pretty low levels of ROAs. 🙁
So Awal does indeed has a point. In comparison Bhutan is at 100% level, Nepal + Sri Lanka at a 90% level, Pakistan at 73% level, Myanmar at 79%. China seems to be doing equally bad at just 5% level. When I looked at data of unique ASNs visible in the routing table, it clearly seems like India, China and Japan are lagging.

Another noticeable thing here is that while India has 1873 unique ASNs and Japan has 3135 in comparison to only 629 in China but China has 427 million unique IPv4 addresses as visible in routing. India has only 47 million addresses announced by 1800+ ASNs.

I have published this and some more dedicated data on this page here which will be auto-updated every 24hrs (around 1 am IST). This also has a list of Indian invalids and I will try to use it to get active some cleanup done for the invalids.

Next logical steps for now…

  1. Contact 60 odd origin ASNs which are announcing 300 or so invalids in India and try to get those cleaned up.
  2. There seems to be zero documentation about RPKI on IRINN website. In fact, there’s not even a mention of RPKI on the IRINN website which is bad. I will try to reach out to friends at IRINN and will request them to put documentation about RPKI.
  3. Reaching out to telcos who hold a large set of IP blocks and will try to convince them for creating ROAs as the first logical step.

Limitation of this data

  1. I am looking at prefixes originated by Indian ASNs. Some of these prefixes might be originated outside of India. So a very small % of these numbers might be Indian prefixes which are used in the US or Europe by an Indian ASN (e.g a web hosting company).
  2. We miss a small % of prefixes in this data which are originated by non-Indian ASNs like Google, Cloudflare, Microsoft etc in India.
  3. I see what the collector gets. Thus hypothetically speaking if Tata, Airtel, Jio, Sify, BSNL and Vodafone/IDEA all start dropping invalids, I will not see any of these invalids while they may still exist. Though that’s the unlikely case because people will notice a drop in connectivity for all endpoints outside of India and that would anyway result in getting those fixed.

Finishing this at 5:24am. Time to get some sleep!