RPKI ROA for IP resources in the IX segment

By on 24 Mar 2023

Category: Tech matters

Tags: , , , , , ,

Blog home

Resource Public Key Infrastructure (RPKI) has become a popular infrastructure for the certification of assigned and allocated IP address and Autonomous System Number (ASN) resources. If you are a resource delegate, or network operator and actively configuring Border Gateway Protocol (BGP) in the ISP and content delivery spaces, you might have already registered Route Origin Authorizations (ROAs) and deployed BGP route filters based on RPKI-based checks called RPKI Route Origin Validation (ROV).

Internet Exchange Points (IXPs) operate their own assigned and allocated networks; we call this the ‘IX segment’. The IX segment is an important network as a peering platform. Every participant in the IX is assigned IP addresses on this IX segment and uses them to connect to each other over the IX fabric (the switching layers, be they on copper or fibre). Because there are many eBGP sessions between ASes used for exchanging their traffic, it’s important that this segment is protected from mis-origination of BGP from the peerings operated in this IX (Figure 1).

Figure 1 — Correctly issuing ROAs helps prevent IX segment mis-origination.
Figure 1 — Correctly issuing ROAs helps prevent IX segment mis-origination.

I surveyed the status of RPKI ROA registration for IXPs operating in the Asia Pacific region and several IXPs in the European region on 17 February 2023. My first impression is that both regions lack a sense of unity, with RPKI ROA registration being inconsistent.

The survey revealed that there are clearly two types of IXPs — one has registered ROAs, and the other hasn’t (yet). Perhaps this divide is because issuing ROAs for IP resources in the IX segment is a relatively new thing. But among IXPs that have already registered ROAs, there are also some notable differences in the status of registration. As Tables 1 and 2 show, one point of difference is the registered prefix size inside the ROA (exact match and longest prefix match), and another difference is the ASN used for ROA registration.

IX name IP Prefix for IX Segment ROA
BBIX Tokyo 2001:de8:c::/64 None
BKNIX 2001:deb:0:68::/64 2001:deb::/48, maximum prefix length = /48, AS63528
Equinix Singapore 2001:de8:4::/64 2001:de8:4::/64, maximum prefix length = /64, AS0
GetaFIX Manila 2401:fdc0::/64 None
HKIX 2001:7fa:0:1::/64 2001:7fa:0:1::/64, maximum prefix length = /64, AS0
IIX-Jakarta 2001:7fa:2::/64 None
IX Australia (Sydney NSW) 2001:7fa:11:4::/64 None
JPNAP Tokyo  2001:7fa:7:1::/64  2001:7fa:7::/48, Maximum prefix length = /128, AS0
KINX  2001:7fa:8::/64 None
MegaIX Sydney 2001:dea:0:10::/64 2001:dea:0:10::/64, Maximum prefix length = /64, AS0
MyIX 2001:de8:10::/48 2001:de8:10::/48, maximum prefix length = /48, AS55822
NIXI Mumbai 2001:de8:1:1::/64 None
SGIX 2001:de8:12:100::/64 None
TPIX-TW 2406:d400:1:133:203:163:222:0/112 None
LINX LON1 2001:7f8:4::/64 None
AMS-IX 2001:7f8:1::/64 None
DE-CIX Frankfurt 2001:7f8::/64 None
JPIX TOKYO 2001:de8:8::/64 2001:de8:8::/64, maximum prefix length = /128, AS0

Table 1 — RPKI ROA Survey (IPv4).

IX name  IP Prefix for IX Segment  ROA
BBIX Tokyo, None
BKNIX, maximum prefix length = /23, AS0,, maximum prefix length = /23, AS63529
Equinix Singapore, maximum prefix length = /24, AS0
GetaFIX Manila, maximum prefix length = /24, AS137074
HKIX, maximum prefix length = /21, AS0
IIX-Jakarta None
IX Australia (Sydney NSW), maximum prefix length = /23, AS0
JPNAP Tokyo, Maximum prefix length = /32, AS7521
KINX, Maximum prefix length = /24, AS14828
MegaIX Sydney, maximum prefix length = /23, AS0
MyIX, maximum prefix length = /24, AS55822
NIXI Mumbai None
TPIX-TW, maximum prefix length = /24, AS10133
LINX LON1, maximum prefix length = /19, AS5459
AMS-IX, maximum prefix length = /21, AS1200
DE-CIX Frankfurt, maximum prefix length = /21, AS0

Table 2 — RPKI ROA Survey (IPv6).

Both IPv6 and IPv4 share similar results within IXPs.

Types of ROA registration

The types of ROA registration can be classified into three groups.

  1. ROA prefix size: There are two types — exactly matching size and larger size. A larger size means that an IXP operates a /24 IX network but has a /23 prefix assigned or allocated, and registered in their RPKI ROA.
  2. ROA maximum prefix length: This also has two types — one of these has equal length, and the other has a maximum prefix size longer than the prefix size.
  3. ASN used for ROA registration: Again there are two types — one type is using AS 0, and another is using your own ASN.

The use of AS 0 in RPKI is described in RFC 6483 which defines the semantics, in general, of ROAs. An important point to note is that prefixes registered with AS 0 in an RPKI ROA should not be used in a routing context without a more specific ROA which denotes the origin-as other than AS0. In other words, you should use AS 0 as the ASN for a prefix that isn’t to be seen on the global routing table when registering ROAs. So, If an IXP has created an RPKI ROA for the IX segment, the RPKI ROA of the IX segment can be checked by ISPs using RPKI ROV, thereby preventing trouble due to mis-origination advertisement because mis-originated routes will be seen as invalid and not received on ISP border routers as there will be no other ROA with another origin-as apart from AS0.

It is most important to issue ROAs with the correct prefix size, maximum prefix length, and ASN. If you have registered ROAs without these, the ROA will not prevent mis-origination if they specify prefix lengths that are not blocked by the ROA. Equally, manual route filter configuration is still necessary; don’t forget to keep your PeeringDB and Internet Routing Registry (IRR) entries up to date.

As this survey has shown, a wide variety of RPKI ROAs have been issued in the IXP segment but we can suggest two best practices — properly issue ROAs with AS 0 and the correct maximum length (for both IPv4 and IPv6), and if your IXP has already issued ROAs, please check whether it has AS 0 and the correct maximum length.

Correctly issuing ROAs help to secure global Internet routing. It’s time for the IX segment to do it properly.

Masataka presented this during the APRICOT 2023 Peering Forum 3. Watch the session now:

Masataka Mawatari is an engineer at JPIX in charge of IX network operations, route servers, and IPv6 deployment. He contributes to JANOG and the other network engineer communities.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *