RPKI Adoption in the ARIN Region: Exploring Subregional Trends

RPKI Adoption in the ARIN Region: Exploring Subregional Trends

2022 ARIN Community Grant Program Recipient Report

The DNS Research Federation (DNSRF) received an ARIN Community Grant in 2022 to support its work promoting routing security in the ARIN region. The project’s goal was to showcase data on route hijacks and Resource Public Key Infrastructure (RPKI) adoption and encouraging greater academic and industry scrutiny over routing security practices. The project aimed to leverage the Data Analytics Platform of DNSRF to facilitate academic and industry data analysis on BGP routing, routing incidents, and RPKI adoption.

Internet routing is a key building block of the Internet’s infrastructure that remains vulnerable to attacks. RPKI has emerged as the leading strategy for securing BGP routing, though the technology has had a slow uptake worldwide, including in North America and the Caribbean. While multiple initiatives currently measure RPKI adoption and routing security, customized analysis and in-depth academic and industry studies remain challenging due to the complexity associated with data processing.

Learn more about all the 2022 ARIN Community Grant Program Recipients.

Recently, my colleagues and I completed a one-year piece of ARIN Community Grant-supported research on RPKI adoption and routing incidents in the ARIN region. By collecting, analyzing, and then providing open access to that data, we hoped to shed light on the current status of RPKI adoption in the ARIN region and encourage greater academic and industry engagement and discussion on current routing security practices.

Since we were not the first to gather and analyze data on routing security and RPKI, we sought to add greater detail to the discussion by providing a geographic analysis by looking individually at all the countries and geographical areas in the ARIN region. However, we started our research by examining what was happening globally.

For the purposes of our work, we considered that a prefix is protected when a Route Origin Authorization (ROA) — a certificate confirming an Autonomous System is authorized to originate a particular IP address prefix or set of prefixes — covers it. Our analysis indicates that for IPv4, 46.73 percent of prefix origin pairs are RPKI protected. For IPv6, we observed global RPKI protection at 54.11 percent.*

When we focused on the ARIN region by itself, we found that for IPv4, RPKI coverage stands at 28.12 percent. Thus, a little less than three-quarters (71.88 percent) of prefix origin pairs observed in the ARIN region are unprotected. An important story explains why that number is not closer to the global average.

Understanding the Disparity

To be eligible for publishing a ROA, the holder of address space from ARIN must have signed either a Registration Services Agreement (RSA) or Legacy Registration Services Agreement (LRSA). While ARIN continues to provide basic registry services to organizations issued address space prior to ARIN’s establishment, known as “legacy” resource holders, advanced services like RPKI are only available to customers who hold resources covered by an RSA/LRSA and pay standard registration services fees.

The amount of legacy address space not covered by an LRSA and therefore ineligible for ROAs makes up more than 32 percent of the total space in the ARIN service area. When that portion of space is removed from the calculation, the ARIN statistics for IPv4 come much closer to the global average.

For IPv6, ARIN region ROA coverage is in line with global levels. We found that 52.15 percent of prefix origin pairs observed are RPKI protected, compared to the global coverage level of 54.11 percent.

Considering Validity

Our research also looked at the validity of announcements. We see three types of announcements: those for which there are no ROAs published; those for which there are ROAs and the route is shown to be valid; and, finally, those for which there are ROAs but the announcements are invalid.

Let’s take a deep dive into IPv4. In the ARIN region, about 1.88 percent of all announcements were invalid. Closer study showed that the vast majority of those resulted from misconfiguration and disappeared in later examinations or real-time data.

One of the benefits of working with this data is that it can be queried in ways other RPKI-related data sources cannot. Part of our research made the data available for queries based on Autonomous System Number (ASN), on the actual prefix in use, or on the country of origin. A byproduct of our more granular approach to collecting the data is the capability to do analysis by Internet Service Provider (ISP).

Watch the video presentation of DNSRF’s project update on YouTube. 

That granularity also allows us to look at some subregional trends. We can analyze what is happening with RPKI in individual countries and group countries together in related collections. In the Caribbean region, we discovered four very distinct patterns of RPKI deployment. We see a group of countries with very significant deployment of RPKI (greater than 50 percent), a small set of countries with moderate deployment (20 to 50 percent), some countries with minimal amounts of deployment (1 to 19 percent), and finally a small number of countries with no deployment at all (less than 1 percent).

In the Caribbean region, the number of invalids is small (66 on 4 October 2023) because the number of routes being covered is very small. In looking more closely at the data, we discovered that the only invalids in the Caribbean are the result of misconfiguration, not hijacking or attacks.

Looking at a single country, Canada has nearly 40 percent of its routes protected, both for IPv4 and IPv6 (38.66 percent and 36.63 percent, respectively). While it lags behind the U.S. in IPv6 RPKI coverage, Canada’s number of invalids is tiny: less than 1 percent for both IPv4 and IPv6.

For IPv4, we guessed that the protected prefix lengths would range from a /24 to a /16 and that the number of protected prefixes would increase with the size of prefix. This turned out to be wrong. In Canada, the prefix size does not determine how many routes are protected. Instead, the most commonly covered prefix length is a /22. Looking more closely at the data, we found similar results in other countries.

Creating a Community Resource

There were many other interesting results from looking at the data our research produced, and these can be viewed in our live, online report. The ARIN community can consult: (a) global and ARIN-region RPKI coverage; (b) global and ARIN-region RPKI Validation results; and (c) RPKI coverage and validation results per ASN and prefix number. These resources are updated daily and offer statistics per country in the ARIN region. We are excited for the community to use the resources we have created. As part of the project, the DNSRF is available to provide members of the ARIN community with open access to our Data Analytics Platform to explore the datasets on RPKI adoption in greater detail. You can sign up by emailing us at support@dnsrf.org (Subject Line: RPKI Data). We hope you’ll explore and get in touch.

About the ARIN Community Grant Program

ARIN provides financial grants in support of initiatives that improve the overall Internet industry and Internet user environment. Are you working on a project that advances ARIN’s mission and broadly benefits the Internet community within the ARIN region through informational outreach, research, Internet technical improvements, or Registry processes and technology improvements? Visit the ARIN Community Grant Program page for more information and to find out how your organization can apply in 2024. For application tips and support, read this post on our blog.

*These, as well as all other figures cited in this blog post, are statistics as of 4 October 2023.

Post written by:

Mark McFadden
Chief Technology Officer, internet policy advisors, LLC

With more than 30 years of operational and policy experience with IP addressing and Internet Governance, Mark has extensive experience in large-scale internet-working. He is a senior associate with Oxford Information Labs specializing in cybersecurity. Previous roles include Director for Internet Governance, Infrastructure, and Cybersecurity at InterConnect Communications in the U.K., and Consulting Resource Manager for Addressing, Naming, and Protocol Issues at IANA. Since 2012, Mark has been a member of the U.K. delegation to the International Telecommunication Union (ITU), and he is an active contributor to work in the Internet Engineering Task Force (IETF). Mark supported the DNS Research Federation as an expert contributor to its RPKI grant project.

Any views, positions, statements, or opinions of a guest blog post are those of the author alone and do not represent those of ARIN. ARIN does not guarantee the accuracy, completeness, or validity of any claims or statements, nor shall ARIN be liable for any representations, omissions, or errors contained in a guest blog post.

Recent blogs categorized under: Grant Program


Sign up to receive the latest news about ARIN and the most pressing issues facing the Internet community.

SIGN ME UP →

Fellowship Program •  Updates •  Elections •  IPv6 •  Business Case for IPv6 •  ARIN Bits •  RPKI •  Caribbean •  Grant Program •  Public Policy •  IPv4 •  Security •  Data Accuracy •  Internet Governance •  Tips •  Customer Feedback •  Outreach •  Training •  IRR

 

Connect with us on LinkedIn!