Does training impact RPKI usage?

14 Jul 2021

Categories: Tech matters, Development

Participants in APNIC's 2020 RPKI Deployathon

APNIC conducts a lot of Resource Public Key Infrastructure (RPKI) training. It’s a pretty important part of our mission to provide a global, open, stable, and secure Internet, with an emphasis here on the ‘secure’.

Given the time APNIC trainers dedicate to this, an obvious question emerges — does it help uptake?

In this post, we’ll examine the data to see how training affects RPKI usage. But first, a little background.

Over 10 years of RPKI

It is over a decade since the concept of RPKI was proposed. It started with a working group in 2008 based on an IETF draft.

After 13 iterations of the draft, RFC 6480 ‘An Infrastructure to Support Secure Internet Routing’ was published.

However, the deployment of RPKI was slow, and very little was done to encourage networks to secure Internet routing. This can be seen in Figure 1 below. It was not until the past few years that networks really started to create Route Origin Authorizations (ROAs).

A chart showing the number of distinct IPv4 prefixes in ROAs in different years.
Figure 1 — Distinct IPv4 prefixes in ROAs across different years. Image courtesy of RIPE.

As a result, APNIC decided to start delivering training on RPKI, on how to create ROAs, and on how to deploy validators, to encourage networks to at least start a proof of concept of this technology.

Identifying training events for comparison

Using the data in the training wiki page, it became apparent there were 19 events with RPKI in the title since 2019.

It’s worth noting that other training sessions also include RPKI as one aspect, but for this analysis we’ll focus on the events specifically dedicated to RPKI.

Extracting the RPKI event data from the wiki.
Figure 2 — Extracting the relevant RPKI events since 2019.

The other side of the equation: The ROA data

To see whether this training had any impact, we used the dates of the above training events to gather historical totals for the IPv4 ROA states:

  • IPv4 valid
  • IPv4 invalid
  • IPv4 Not found/unknown

If historical data was not available for the date, the closest date with available historical data was used. The historical data was gathered via the National Institute of Standards and Technology (NIST) RPKI monitor website.

To compare, historical data was then gathered for the same IPv4 ROA states seven days after the training was completed. Again, if historical data was not available for the date, the closest available date with historical data was used.

| Wiki page | Date delivered | RIR | IPv4 valid (day of training) | IPv4 invalid (day of training) | IPv4 not found (day of training) | IPv4 valid (one week later) | IPv4 invalid (one week later) | IPv4 not found (one week later) |
|---|---|---|---|---|---|---|---|---|
| routing-rpki-20210611-online | 11/06/2021 | APNIC | 71,390 | 2,601 | 156,694 | 71,466 | 2,593 | 155,498 |
| rpki-20210610-online | 10/06/2021 | APNIC | 71,199 | 2,592 | 156,675 | 71,314 | 2,568 | 155,790 |
| rpki-20210607-online | 7/06/2021 | APNIC | 70,962 | 2,570 | 156,557 | 71,291 | 2,573 | 156,605 |
| rpki20210519-online | 19/05/2021 | APNIC | 70,361 | 2,381 | 156,806 | 70,671 | 2,364 | 156,730 |
| rpki20210416-pcta | 16/04/2021 | APNIC | 69,392 | 2,037 | 154,873 | 69,727 | 2,324 | 154,773 |
| rpki-20210331-online | 31/03/2021 | APNIC | 67,793 | 1,925 | 156,211 | 68,051 | 1,942 | 156,059 |
| rpki20210330-online | 30/03/2021 | APNIC | 67,699 | 1,914 | 156,345 | 68,051 | 1,942 | 156,059 |
| rpki-20210222-online | 22/02/2021 | APNIC | 65,446 | 1,892 | 154,167 | 65,881 | 2,000 | 154,057 |
| rpki20200211-online | 11/02/2021 | APNIC | 65,430 | 2,117 | 155,101 | 65,227 | 1,956 | 154,251 |
| rpki20200209-online | 9/02/2021 | APNIC | 65,410 | 2,115 | 155,031 | 65,148 | 2,056 | 154,551 |
| rpki20210201-apan51 | 1/02/2021 | APNIC | 65,352 | 2,238 | 155,264 | 65,343 | 2,173 | 155,077 |
| rpki20210119-online | 19/01/2021 | APNIC | 58,820 | 1,998 | 143,285 | 64,412 | 2,133 | 155,278 |
| rpki20201222-lknog | 22/12/2020 | APNIC | 62,579 | 1,906 | 153,720 | 62,665 | 1,896 | 154,288 |
| ir20201019-online | 19/10/2020 | APNIC | 51,511 | 1,971 | 146,997 | 56,930 | 2,006 | 158,490 |
| rpki20200227-ph | 27/02/2020 | APNIC | 33,168 | 3,366 | 172,403 | 33,446 | 3,421 | 172,792 |
| rpki20191106-au | 6/11/2019 | APNIC | 28,145 | 4,036 | 176,554 | 28,703 | 3,939 | 174,805 |
| rpki-lknog | 4/10/2019 | APNIC | 26,267 | 4,227 | 178,697 | 26,862 | 4,084 | 182,156 |
| rpki-ipv6-phnog2019-mnl | 19/07/2019 | APNIC | 21,060 | 3,645 | 191,462 | 21,674 | 3,263 | 183,268 |
| rpki20190508-th | 8/05/2019 | APNIC | 18,853 | 3,868 | 194,246 | 18,961 | 3,961 | 193,438 |

Table 1 — The data being used for comparison.

If training had a positive impact on the community, then it would be correct to assume that the ROA states would change in the following way:

  • IPv4 valid — should increase
  • IPv4 invalid — should decrease
  • IPv4 Not found/unknown — should decrease

Looking at the figure for the first training in 2019 and comparing it with the last training delivered in 2021 before this blog post was written, it is easy to see the positive impact. For example, ‘IPv4 valid’ increased by over 50,000 ROAs from 18,853 to 72,151. So at first glance, we can say “yes, the training improved the situation.” But is it that simple?

Figure 3 — A chart showing valid IPv4 prefixes and the valid prefixes one week later.

Other factors?

Unfortunately, things aren’t always that simple. It can’t be assumed that the training alone caused this positive impact.

Looking at the statistics a little more closely for the ‘IPv4 valid’ ROA state, it looks like almost all of them have an increase, except that early in 2021 three trainings had a decrease one week later. We’ll need to do more research to understand why.

It’s also difficult to conclusively separate overall global improvements in RPKI uptake from those that were specifically attributable to training, but it’s worth noting that the overall trend coincides with the greater push for training.

| Wiki page | Date delivered | IPv4 valid | IPv4 valid - 1 week later | Increase |
|---|---|---|---|---|
| rpki20190508-th | 8/05/2019 | 18,853 | 18,961 | 108 |
| rpki-ipv6-phnog2019-mnl | 19/07/2019 | 21,060 | 21,674 | 614 |
| rpki-lknog | 4/10/2019 | 26,267 | 26,862 | 595 |
| rpki20191106-au | 6/11/2019 | 28,145 | 28,703 | 558 |
| rpki20200227-ph | 27/02/2020 | 33,168 | 33,446 | 278 |
| ir20201019-online | 19/10/2020 | 51,511 | 56,930 | 5,419 |
| rpki20201222-lknog | 22/12/2020 | 62,579 | 62,665 | 86 |
| rpki20210119-online | 19/01/2021 | 58,820 | 64,412 | 5,592 |
| rpki20210201-apan51 | 1/02/2021 | 65,352 | 65,343 | -9 |
| rpki20200209-online | 9/02/2021 | 65,410 | 65,148 | -262 |
| rpki20200211-online | 11/02/2021 | 65,430 | 65,227 | -203 |
| rpki-20210222-online | 22/02/2021 | 65,446 | 65,881 | 435 |
| rpki20210330-online | 30/03/2021 | 67,699 | 68,051 | 352 |
| rpki-20210331-online | 31/03/2021 | 67,793 | 68,051 | 258 |
| rpki20210416-pcta | 16/04/2021 | 69,392 | 69,727 | 335 |
| rpki20210519-online | 19/05/2021 | 70,361 | 70,671 | 310 |
| rpki-20210607-online | 7/06/2021 | 70,962 | 71,291 | 329 |
| rpki-20210610-online | 10/06/2021 | 71,199 | 71,314 | 115 |
| routing-rpki-20210611-online | 11/06/2021 | 71,390 | 71,466 | 76 |

Table 2 — The IPv4 valid figures for the dates of training and one week later.

What was interesting was that the ‘IPv4 invalid’ state seems to fluctuate. In the case of 9 out of the 19 training sessions, this actually increased rather than decreased. This is possibly a result of ‘ironing out the kinks’ in a new ROA that’s been set up. This has been an ongoing struggle with networks. When a ROA is created, it should match the BGP announcements; otherwise the announcement will be deemed invalid.

| Wiki page | Date delivered | IPv4 invalid | IPv4 invalid - 1 week later | Decrease |
|---|---|---|---|---|
| rpki20190508-th | 8/05/2019 | 3,868 | 3,961 | -93 |
| rpki-ipv6-phnog2019-mnl | 19/07/2019 | 3,645 | 3,263 | 382 |
| rpki-lknog | 4/10/2019 | 4,227 | 4,084 | 143 |
| rpki20191106-au | 6/11/2019 | 4,036 | 3,939 | 97 |
| rpki20200227-ph | 27/02/2020 | 3,366 | 3,421 | -55 |
| ir20201019-online | 19/10/2020 | 1,971 | 2,006 | -35 |
| rpki20201222-lknog | 22/12/2020 | 1,906 | 1,896 | 10 |
| rpki20210119-online | 19/01/2021 | 1,998 | 2,133 | -135 |
| rpki20210201-apan51 | 1/02/2021 | 2,238 | 2,173 | 65 |
| rpki20200209-online | 9/02/2021 | 2,115 | 2,056 | 59 |
| rpki20200211-online | 11/02/2021 | 2,117 | 1,956 | 161 |
| rpki-20210222-online | 22/02/2021 | 1,892 | 2,000 | -108 |
| rpki20210330-online | 30/03/2021 | 1,914 | 1,942 | -28 |
| rpki-20210331-online | 31/03/2021 | 1,925 | 1,942 | -17 |
| rpki20210416-pcta | 16/04/2021 | 2,037 | 2,324 | -287 |
| rpki20210519-online | 19/05/2021 | 2,381 | 2,364 | 17 |
| rpki-20210607-online | 7/06/2021 | 2,570 | 2,573 | -3 |
| rpki-20210610-online | 10/06/2021 | 2,592 | 2,568 | 24 |
| routing-rpki-20210611-online | 11/06/2021 | 2,601 | 2,593 | 8 |

Table 3 — The IPv4 invalid figures for the dates of training and one week later.
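The three ROA states counted in this post, and the rule that a ROA must match the BGP announcement or the route is deemed invalid, can be shown with a small route origin validation routine that follows RFC 6811. This is an added example, not code from the post or from APNIC; the prefixes and AS numbers are constructed from documentation ranges, and the names `VRP`, `validate` and `tally` are illustrative.

```python
import ipaddress
from collections import Counter, namedtuple

# Validated ROA Payload (VRP): the prefix, maxLength and origin AS taken from a ROA.
VRP = namedtuple("VRP", "prefix max_length asn")

# Constructed sample VRPs using documentation prefixes and ASNs (not real data).
VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("198.51.100.0/24"), 24, 64497),
]

# Constructed sample BGP announcements: (prefix, origin AS).
ROUTES = [
    ("192.0.2.0/24", 64496),     # matches its ROA
    ("192.0.2.0/24", 64511),     # covered, but announced by a different AS
    ("198.51.100.0/25", 64497),  # right AS, but longer than the ROA's maxLength
    ("203.0.113.0/24", 64500),   # no ROA covers this prefix
]

def validate(prefix, origin_asn, vrps):
    """Return (state, reason) for one announcement, following RFC 6811."""
    route = ipaddress.ip_network(prefix)
    reasons = []
    for v in vrps:
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue  # this VRP does not cover the announced prefix
        if v.asn == 0 or v.asn != origin_asn:  # an AS0 ROA never matches
            reasons.append("origin AS does not match ROA")
        elif route.prefixlen > v.max_length:
            reasons.append("prefix longer than maxLength")
        else:
            return "valid", "matches ROA"
    if reasons:
        return "invalid", reasons[0]
    return "not-found", "no covering ROA"

def tally(routes, vrps):
    """Count announcements per state, the three totals this post compares."""
    return Counter(validate(p, asn, vrps)[0] for p, asn in routes)

if __name__ == "__main__":
    for p, asn in ROUTES:
        print(p, f"AS{asn}", *validate(p, asn, VRPS))
    print(dict(tally(ROUTES, VRPS)))
```

The two invalid cases are the usual ‘kinks’ in a newly created ROA: an origin AS that differs from the one actually announcing the prefix, and a maxLength shorter than the more-specific prefixes the network announces.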

Based on this summary data, it could be assumed that training does have a positive impact.

So, if your organization or network has not started to deploy RPKI, you may want to attend some of the upcoming training events that APNIC is offering.

Or have a read of this resource by ICANN [PDF].

And, as always, check out the RPKI posts on the APNIC Blog.
