Just this month, it was reported on the APNIC Blog that 50% of IPv4 routes in the global routing table now have Route Origin Authorizations (ROAs) that are considered valid. For IPv6 routes, the figure is only slightly higher at 52%. It’s a great milestone worth celebrating but if your home is only 50% ‘secure’ from burglary, how secure is it, really?
In the APNIC region and across the APNIC membership, Resource Public Key Infrastructure (RPKI) adoption has been strong but ROA signing has seen a slower, irregular, uptake.
APNIC Labs provides ongoing measurement of the two sides of current RPKI activity Internet-wide from the end-user perspective. The two measurements are for the production side, the evidence of ROA coverage of the prefixes used by end users, and the validation / consumer side — the evidence of routing that respects RPKI and will not go to a ‘bogus’ origin in BGP.
On the production side, the statistics show a continuous increase in ROA coverage worldwide from 20% in 2019 to almost 45% currently. While this differs slightly from other measurements, the overall intent is consistent — that providers are adopting RPKI and producing ROAs, which shows their delegation of authority over addresses and how they originate. This means that relying parties on the consumption side are able to infer origin BGP in almost half of all networks seen to be used.
On the consumption side, the statistics are less encouraging, with no clear signal across the global Internet that validation of RPKI is being adopted at scale. This may be due to the additional complexity in configuring BGP systems to process updates against the state of RPKI, or for other reasons related to risk management (of dropping routes, and the significance of traffic loss as a consequence).
Both measurements can be refined by region, economy, and by individual network provider (Autonomous System Number (ASN)) and are based on a daily collection of over 15 million samples collected through display advertising.
APNIC Academy provides training support on operational issues facing various ISPs. This training is provided in a localized and customized format with the help of APNIC Community Trainers wherever possible. This and a strong interest in NOGs across the region have helped to achieve uptake so far, but there’s more to do, particularly in emerging economies.
That is where the APNIC Foundation (Foundation) are doing their part. The Foundation runs projects focused on ongoing career development support for targeted groups in emerging economies and recently launched a project to assist network operators in South Asia — a region with some of the most pressing Internet challenges in the world and which is home to the world’s largest offline population.
The Foundation’s grants and awards program, the Information Society Innovation Fund (ISIF Asia), has been in operation for 15 years and distributed 145 grants to Asia Pacific organizations in that time — many of which have focused on securing the Internet, such as BGP monitoring efforts, encouraging uptake of bug bounty systems and open source lawful intercept technology.
It’s worth mentioning that recently, the United States Department of Commerce’s National Telecommunications and Information Administration (NTIA), along with several other bodies of the Department of Commerce, began implementing a new Internet routing security measure. While not strictly regulatory, this action aims to enhance security across their networks, sets an example for the industry, and helps fulfil a key objective of the US National Cybersecurity Strategy. It follows discussion on how regulating BGP routing security could potentially impact the global Internet.
NTIA has worked with stakeholders such as the Regional Internet Registry for North America (ARIN) and collaborated with initiatives like Mutually Agreed Norms of Routing Security (MANRS).
For decades, routing security — ensuring that Internet traffic reaches its intended destination — has been a persistent issue across the world. At the very least, this government-led initiative represents a significant effort to enhance Internet routing security and will perhaps serve as a call to action for other economies around the world, including those in Asia Pacific — the more involved in securing global routing, the more secure it will be.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.