APNIC conducts a lot of Resource Public Key Infrastructure (RPKI) training. It’s a pretty important part of our mission to provide a global, open, stable, and secure Internet, with an emphasis here on the ‘secure’.
Given the time APNIC trainers dedicate to this, an obvious question emerges — does it help uptake?
In this post, we’ll examine the data to see how training affects RPKI usage. But first, a little background.
Over 10 years of RPKI
It is over a decade since the concept of RPKI was proposed. It started with a working group in 2008 based on an IETF draft.
After 13 iterations of the draft, RFC 6480 ‘An Infrastructure to Support Secure Internet Routing’ was published.
However, the deployment of RPKI was slow, and very little was done to encourage networks to secure Internet routing. This can be seen in Figure 1 below. It was not until the past few years that networks really started to create Route Origin Authorizations (ROAs).
As a result, APNIC decided to start to deliver training about RPKI, how to create ROAs, and to deploy validators to encourage networks to at least start a proof of concept of this technology.
Identifying training events for comparison
Using the data in the training wiki page, it became apparent there were 19 events with RPKI in the title since 2019.
It’s worth noting that other training sessions also include RPKI as one aspect, but for this analysis we’ll focus on the events specifically dedicated to RPKI.
The other side of the equation: The ROA data
To see whether the training had any impact on RPKI uptake, we took the dates of the training events above and gathered the historical totals for each IPv4 ROA state:
- IPv4 valid
- IPv4 invalid
- IPv4 Not found/unknown
If historical data was not available for a given date, the closest date with historical data was used. The historical data was gathered via the National Institute of Standards and Technology (NIST) RPKI monitor website.
To compare, historical data was then gathered for the same IPv4 ROA states seven days after the training was completed. Again, if historical data was not available for the date, the closest available date with historical data was used.
| Wiki page | Date delivered | RIR | IPv4 valid (day of training) | IPv4 invalid (day of training) | IPv4 not found (day of training) | IPv4 valid (one week later) | IPv4 invalid (one week later) | IPv4 not found (one week later) |
Table 1 — The data being used for comparison.
If training had a positive impact on the community, then it would be correct to assume that the ROA states would change in the following way:
- IPv4 valid — should increase
- IPv4 invalid — should decrease
- IPv4 Not found/unknown — should decrease
Looking at the figure for the first training in 2019 and comparing it with the last training delivered in 2021 before this blog post was written, it is easy to see the positive impact. For example, ‘IPv4 valid’ increased by over 50,000 ROAs from 18,853 to 72,151. So at first glance, we can say “yes, the training improved the situation.” But is it that simple?
Unfortunately, things aren’t always that simple. It can’t be assumed that the training alone caused this positive impact.
Looking more closely at the statistics for the ‘IPv4 valid’ ROA state, almost all of the events show an increase one week later. The exception is early 2021, when three trainings were followed by a decrease one week later. We’ll need to do more research to understand why.
It’s also difficult to conclusively separate overall global improvements in RPKI uptake and those that were specifically attributable to training, but it’s worth noting the trend overall coincides with the greater push for training.
| Wiki page | Date delivered | IPv4 valid | IPv4 valid - 1 week later | Increase |
Table 2 — The IPv4 valid figures for the dates of training and one week later.
What was interesting was that the ‘IPv4 invalid’ state seemed to fluctuate. For 9 of the 19 training sessions, it actually increased rather than decreased. This is possibly a result of ‘ironing out the kinks’ in a new ROA that has just been set up, which has been an ongoing struggle for networks. When a ROA is created, it should match the BGP announcements; otherwise, those announcements will be deemed invalid.
| Wiki page | Date delivered | IPv4 invalid | IPv4 invalid - 1 week later | Decrease |
Table 3 — The IPv4 invalid figures for the dates of training and one week later.
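To make the point about a new ROA needing to match the BGP announcements concrete, here is an added example (not from the original post or from APNIC) that classifies announcements into the three ROA states using the route origin validation rules of RFC 6811. The prefixes, ASNs and the scenario of a network that forgets its more-specific announcements are constructed for illustration.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: what a validator extracts from a ROA."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int

def vrp(prefix, asn, max_length=None):
    # maxLength defaults to the ROA prefix length when it is not set.
    net = ipaddress.ip_network(prefix)
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)

def validate_origin(route_prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(route_prefix)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"   # no ROA covers this prefix at all
    for v in covering:
        # AS0 never matches, and the announcement must not be more
        # specific than maxLength allows.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"         # covered, but origin AS or prefix length mismatch

def tally(announcements, vrps):
    counts = Counter(validate_origin(p, a, vrps) for p, a in announcements)
    return {s: counts[s] for s in ("valid", "invalid", "not-found")}

# Constructed sample data: documentation prefixes and documentation ASNs.
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),
    ("198.51.100.0/25", 64500),    # more-specifics announced alongside the /24
    ("198.51.100.128/25", 64500),
    ("203.0.113.0/24", 64501),     # unrelated network with no ROA
]
NO_ROA = []
FIRST_ROA = [vrp("198.51.100.0/24", 64500)]   # covers the /24, forgets the /25s
FIXED_ROAS = FIRST_ROA + [vrp("198.51.100.0/25", 64500),
                          vrp("198.51.100.128/25", 64500)]

if __name__ == "__main__":
    for label, vrps in (("no ROA", NO_ROA), ("first ROA", FIRST_ROA), ("fixed", FIXED_ROAS)):
        print(f"{label:10} {tally(ANNOUNCEMENTS, vrps)}")
```

In this constructed case the first ROA moves two announcements from not found to invalid, and adding a ROA for each announced prefix makes them valid without loosening maxLength.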
Based on this summary data, it could be assumed that training does have a positive impact.
So, if your organization or network has not started to deploy RPKI, you may want to attend some of the upcoming training events that APNIC is offering.
Or have a read of this resource by ICANN [PDF].
And, as always, check out the RPKI posts on the APNIC Blog.