How We Measure: RPKI ROA Signing and Route Origination Validation | blabs
href="https://labs.apnic.net/index.php/category/dns/">DNS</a></li> <li id="menu-item-10" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-10"><a href="https://labs.apnic.net/index.php/category/ipv6/">IPv6</a></li> <li id="menu-item-11" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-11"><a href="https://labs.apnic.net/index.php/category/policy/">Policy</a></li> <li id="menu-item-332" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-332"><a href="https://labs.apnic.net/index.php/category/ip-addresses/">IP Addresses</a></li> </ul></div> </div> </div> </div> <div class="js-off alert alert-error"> <h3>Javascript is disabled</h3> <p>We would like to provide you with a better user experience. Please re-enable Javascript in your web browser.</p> </div><!-- /.js-off --> <div class="row"> <div class="col-md-offset-1 col-md-10"> <div id="primary"> <div id="content" role="main"> <nav id="nav-single"> <h3 class="assistive-text">Post navigation</h3> <span class="nav-previous"><a href="https://labs.apnic.net/index.php/2023/10/30/how-we-measure-dnssec-validation/" rel="prev"><span class="meta-nav">←</span> Previous</a></span> <span class="nav-next"><a href="https://labs.apnic.net/index.php/2023/11/16/ipv6-the-dns-and-happy-eyeballs/" rel="next">Next <span class="meta-nav">→</span></a></span> </nav><!-- #nav-single --> <article id="post-1805" class="post-1805 post type-post status-publish format-standard hentry category-operations category-routing"> <header class="entry-header"> <h1 class="entry-title">How We Measure: RPKI ROA Signing and Route Origination Validation</h1> <p class="entry-meta"> <span class="sep"></span><time class="entry-date" datetime="2023-11-09T09:19:03+00:00"> 9 Nov 2023</time> <span class="cat-links"> <span class="entry-utility-prep entry-utility-prep-cat-links">in</span> <a href="https://labs.apnic.net/index.php/category/operations/" rel="category tag">Operations</a>, <a 
href="https://labs.apnic.net/index.php/category/routing/" rel="category tag">Routing</a> </span> by <span class="sep"></span><span class="author-name">Geoff Huston</span> </header><!-- .entry-header --> <div class="entry-content"> <p><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></p> <style type="text/css">.small {font-size: smaller}.small5 {font-size: smaller; margin-left: 5em; text-align: left; font-family: monospace; }p {text-align: justify; }.quote {text-align: justify; font-family: Verdana, Arial, Helvetica, sans-serif; }.sidenote2 { color: rgb(80,80,80); background-color: #F5F0DA; margin-right: 5px; margin-left: 140px; padding: 10px; border: 1px #DFCE9D solid; font-size: smaller; }pre {margin-left: 2em; padding: 3px; font-family: Menlo,"Courier New", Courier, mono; font-size: smaller; }.indent5 { margin-left: 5em; }.i5 { margin-left: 5em; font-size: smaller; }.indent5 { margin-left: 5em;}.hang5 { margin-left: 10em; text-indent: -5em; }p.caption5 {text-align: left; margin-left: 5em; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: smaller; font-style:italic;}p.caption {text-align: center; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: smaller; font-style:italic;}table.inline { border-width: 1px; border-spacing: ; border-style: none; border-color: gray; border-collapse: collapse;background-color: white; text-align: right ;background-color: white; }table.inline th { border-width: 1px; padding: 2px; border-style: inset; border-color: gray; background-color: white; -moz-border-radius: ; font-style: bold; text-align: center; font-size: smaller;}table.inline td { border-width: 1px; padding: 2px; border-style: inset; border-color: gray; background-color: white; -moz-border-radius: ; vertical-align: top ; text-align: center; font-size: smaller; }table.nonline { border-width: 0px; border-spacing: ; border-style: none; border-color: gray; border-collapse: collapse;background-color: white; text-align: left; 
background-color: white;}table.nonline td { vertical-align: top ; text-align: left; font-size: smaller; }.ttc { color: rgb(100,100,100); margin-left: 5em; font-family: "Lucida Console", "Courier New", Courier; text-align: left; }.tx { margin-left: 0em; font-family: "Lucida Console", "Courier New", Courier, mono; text-align: left; }.ttb { margin-left: 5em; font-family: "Courier New", Courier; text-align: left; font-size: smaller; }iframe {margin: 0; padding: 0; border: none;}h4,h5,h6 { color: rgb(28,28,28); }</style> <p>At APNIC Labs we publish a number of measurements of the deployment of various technologies that are being adopted on the Internet. Here we will look at how we measure the adoption of the signing of <i>Route Origination Attestations</i> (ROAs) as part of the framework for securing inter-domain routing on the Internet using the digital credential framework provided by the <i>Resource Public Key Infrastructure</i> (RPKI).</p> <h3>RPKI and Securing Inter-Domain Routing</h3> <p>The Internet is an interconnected collection of component networks. Each of these component networks is separately managed as an <i>Autonomous System</i> (AS). Managing the in-between space between these networks is the role of Inter-Domain Routing. By its very nature, no network controls this inter-domain space. Each network advertises its own reachability to address prefixes to other networks and learns from the advertisements of other networks.</p> <p>To manage this routing space, we use the <i>Border Gateway Protocol</i> (BGP). This protocol is an instance of a Bellman-Ford distance vector routing algorithm. BGP allows a collection of connected devices (BGP speakers) to each learn the relative topology of the connecting network. The basic approach of this algorithm is very simple: each BGP speaker tells all its adjacent BGP neighbours about what it has learned using an <i>update</i>. 
If this new learned information alters the local view of the network, the local BGP view is updated, and all of this BGP speaker’s neighbours are informed of the new information. This is a lot like a social rumour network, where every individual who hears a new rumour immediately informs all their friends. BGP works in a very similar fashion: each time a neighbour informs a BGP speaker about some updated reachability information about an IP address prefix, the BGP speaker compares this new reachability information against its stored knowledge that was gained from previous announcements from other neighbours. If this new information provides a shorter path to the prefix, then the local speaker moves this prefix and associated next-hop forwarding decision to the local forwarding table and informs all its immediate neighbours of a new path to a prefix, implicitly citing itself as the next hop. In addition, there is a withdrawal mechanism, where once a BGP speaker determines that it no longer has a viable path to a given prefix, it announces a <i>withdrawal</i> for this prefix to all its neighbours. When a BGP speaker receives a withdrawal, it stores the withdrawal against this neighbour. If the withdrawn neighbour path happened to be the currently preferred next hop for this prefix, then the BGP speaker will examine its per-neighbour data sets to determine which stored announcement represents the best path from those that are still extant. If it can find such an alternative path, it will copy this into its local forwarding table and announce this new preferred path to all its BGP neighbours. If there is no such alternative path, it will announce a withdrawal to its neighbours, indicating that it no longer can reach this prefix.</p> <p>Like any rumour network, it is difficult to control the authenticity of information that is passed through the inter-domain routing space. 
Each BGP speaker receives information, performs a local process, and may or may not generate information to pass to its neighbours. This is a store/forward relay mode of information and there is no information that is passed through the routing space in an analogous manner as end-to-end TCP packets. Each BGP speaker operates in a manner that is opaque to all other BGP speakers. Individual BGP speakers may inject erroneous information into the routing domain, whether erroneously or deliberately, and absent any other controls, other BGP speakers will place the same level of trust in the authenticity of this routing information as they do in all other routing items that they learn. This has a number of impacts. Operational mishaps in routing configurations may have major impacts on the services that are provided over the Internet. Deliberate interference may result in misdirection of traffic, which also may result in disruption of services and potential compromise in the proper operation of other services.</p> <p>The question is: How can we secure the operation of this inter-domain routing process?</p> <div class="sidenote2"> <p>There are a number of parts to securing the inter-domain routing process:</p> <p>The first part concerns the <i>origination</i> of prefix information into the network. So, it’s necessary to get some answers to some questions about origination. Is this address prefix able to be used in the global Internet? Some addresses are in a <i>reserved</i> state, some are <i>unallocated</i>, some are intended for use in <i>private networks</i>, and some are intended for use in <i>multicast</i> networking. Once an address is established as <i>routable</i> it’s necessary to confirm that the holder of this address prefix has granted an authority to the network operator to announce this address prefix into the routing environment. 
In the Internet environment the entity who holds a network prefix is not necessarily the same entity as a network operator, so it’s necessary to refer to the address registry framework to confirm that the entity who is registered as the holder of the address prefix is the same entity that is granting the authority to advertise this prefix into the routing system. This aspect of secured routing is termed <i>Route Origination Validation</i>.</p> <p>The second part concerns the <i>propagation</i> of the route advertisement through the inter-domain routing space. Has a routing advertisement been altered during propagation through the inter-domain space in ways that do not conform to correct operation of the BGP protocol? In particular, does the route propagation sequence, as represented by the AS PATH attribute of a route object, match the actual propagation of the route object? This aspect of secured routing is termed <i>AS Path Validation</i>.</p> <p>The third part concerns the <i>conformance</i> of the route object to the routing policies of the sequence of networks that have propagated this route object. <i>Route Leaks</i> represent a common form of routing anomaly, where the route object has been propagated in a way that is contrary to local route policies. For example, a customer network may leak route objects learned from one transit provider to another.</p> <p>The last objective here is to ensure that the actual <i>forwarding</i> path used by packets to reach their addressed destination is the same as the path described in the route object. 
This is a somewhat challenging objective in that BGP is intended to aid packet switches to perform local switching decisions in a stateless manner, while the abstract model that is used by the routing process relies on a coordinated state within the network to maintain a path.</p> </div> <p>Here we are looking at the level of progress in deployment of the first objective here, namely the generation of ROAs and <i>origination</i>.</p> <h3>Measuring ROA Production</h3> <p>The first part of the measurement concerns the extent to which address prefix holders have taken up the option of publishing signed ROAs for all the address prefixes that they intend to have announced into the routing system. In many cases the address prefix holder and the network operator that manages the routing function are the same entity and the generation of these ROAs and the related advertisement of the address prefixes can be performed in a single process. However, a number of networks allow their customers to “bring your own addresses” and in such cases the generation of ROAs by the address holder is a distinct step. It is, in theory at any rate, a task that should not be outsourced. The ROA is signed by the private key of the address holder, and if this function were to be outsourced to a third party, the address holder would in effect be passing effective control of the address block over to this third party.</p> <p>So, this part of the measurement task is to measure the extent to which address holders have published signed ROAs for their routed addresses.</p> <p>The way we perform this measurement is to use an RPKI client tool to collect the full set of validated ROA objects. The set will (hopefully) be the same for all RPKI clients at any given time so there is no need to perform this operation in multiple locations. 
A single data set is all we need as, at least in theory, the local RPKI cache maintenance code synchronises the local cache to the network-wide state of RPKI publication point repositories.</p> <p>We then assemble as large a set of prefix and origin AS pairs that have been announced into the default free zone (DFZ) as we can. The most convenient way to gather this data is from a BGP-speaking router. It is probably best that this is performed in a number of places at much the same time. While the objective of the BGP protocol is to flood routing information across the entire network, this propagation function is moderated by local routing policies, so each individual view of the routed space is somewhat unique to that BGP speaker and its position in the inter-domain topology. The view of the routed space is also moderated by networks that discard route objects that are inconsistent with the information in valid ROAs. This means that a large collection of BGP perspectives should provide a better insight into the routing space and ROAs, and ROAs that invalidate routes in particular. We use this aggregated collection of BGP dumps from the route collectors operated by Route Views and by the RIPE RIS service.</p> <p>For each address prefix we search through the list of validated ROAs to find a match against the address, prefix length and originating AS. If there is a match, we will label this prefix as valid. If there is no match, then we look to find an invalid match, where there is a match for the address and prefix length but not the origin AS, or where the announced prefix is more specific (has a longer prefix length) than the ROA’s maxLength permits. Otherwise, the prefix is labelled as <i>unknown</i>.</p> <p>We also calculate a <i>visibility index</i> for the prefix which is a value between 1 and 10 to indicate the proportion of peer networks of the Route Views and RIS collectors that observe this prefix. 
As the number of networks that perform dropping of <i>ROV-invalid</i> prefixes increases, the propagation of such prefixes is reduced, and they tend to have much lower values of this visibility index.</p> <p>We geolocate each prefix to a country and then we can assemble total counts for each country. We count the number of <i>valid</i>, <i>invalid</i> and <i>unknown</i> prefixes as a combined total, and separately for the IPv4 and IPv6 address families.</p> <p>We also calculate the <i>exposed span</i> of each address prefix, which is the total count of the individual addresses in each prefix, less the total span of all more specific address prefixes. Because of the differences in the propagation of individual address prefixes, and the intentional dropping of <i>ROV-invalid</i> prefixes, this address span calculation is specific to each individual BGP peer for each route collector. We simplify this metric by assuming a situation where every announced prefix from every BGP peer is included in this address span calculation. We can use the prefix geolocation information to generate per-country totals of this metric as well, but here the differences between IPv4 and IPv6 address families mean that a combined total of the address span view is not generated.</p> <p>As well as per-country views of ROA production, we generate per-network views, looking at the collection of routes originated by each network, again at both an address prefix level and an exposed address span level. There are some 75,000 networks within the Internet, and just a few hundred individual BGP peers of the route collectors. What that means is that when we construct a view of the routes originated by a network it is probably a view constructed at a distance, or a remote view. If any of the paths between a BGP route collector and the observed network perform actions such as <i>ROV-invalid</i> route dropping, then our remote view is compromised to some extent. 
As the level of deployment of <i>ROV-invalid</i> filters increases, particularly in transit networks, then the capability of this route collector-based measurement to “see” <i>ROV-invalid</i> routes is reduced.</p> <p>The reports for the ROA production can be found at <a href="https://stats.labs.apnic.net/roas">https://stats.labs.apnic.net/roas</a>.</p> <p class="caption5"><a href="https://www.potaroo.net/ispcol/2023-11/roas-f1.png"><img decoding="async" src="https://www.potaroo.net/ispcol/2023-11/roas-f1.png" width="75%"></a><br /> <i>Figure 1 – Map of the relative level of ROA generation per country</i></p> <h3>Measuring <i>ROV-invalid</i> Filtering</h3> <p>We also measure the deployment of filtering (discarding) of <i>ROV-invalid</i> routes. As already noted, a comprehensive measurement would require a view of the BGP state within every AS, but such a view is not readily available to us. We have chosen to adopt a user-centric measurement instead, leveraging the ad-based measurement that I’ve described in the <a href="https://www.potaroo.net/ispcol/2023-10/measure-dnssec.html">previous measurement article</a>.</p> <p>Here we use a total of four URL targets in order to provide both control and test measurements.</p> <p>The first target is a time-variant target where we adjust the ROA at regular intervals such that the route to reach the server is valid or invalid depending on the day of the week and the time of day. The route to the web server has a valid ROA for twelve hours, then the ROA is replaced with one that contradicts the route to the web server. An ROV-aware network should pick up this change of the ROA status for this route and if it is performing <i>ROV-invalid</i> filtering it should drop the route to the server. We then cycle the ROA state again, but this time with a 36-hour period of valid and invalid ROV states. We then cycle the ROA state using a 24-hour interval for valid then invalid. 
This cycling of the ROV state between valid and invalid has a two-fold intention: to see which are the networks where the users cannot reach these beacons during their periods of invalid state, and secondly to look at the dynamic properties of the ROV system to see how quickly networks detect the change in the associated ROAs for the route, looking at both <i>valid-to-invalid</i> and <i>invalid-to-valid</i> transitions.</p> <p>To undertake this measurement, we first used the VULTR anycast network, where we have control of the BGP routing state for the server. This was configured as a relatively modest four-node anycast platform. As <i>ROV-invalid</i> filtering is increasingly deployed in transit networks our ability to clearly see all the way to the edge network and determine their ROV filtering behaviour becomes clouded by the behaviour of the transit networks on the path.</p> <p>To improve this situation, we now also use RPKI beacons operated by Cloudflare in their various points of presence. This has expanded the anycast network to some thousands of end points, but with Cloudflare we use permanently valid and invalid BGP routes. Here we have three target URLs in the measurement ad: a valid dual stack URL to determine reachability, a <i>ROV-invalid</i> IPv4-only URL and a <i>ROV-invalid</i> IPv6-only URL. This anycast service has reduced the number of transit networks between users and the beacon points and has provided a clearer (but by no means perfect) indication of whether a network is performing <i>ROV-invalid</i> filtering.</p> <p>This is a <i>user-centric</i> measurement rather than a <i>network-centric</i> measurement, and it looks at the proportion of users that cannot reach a destination if the only viable path to that destination entails following a <i>ROV-invalid</i> route. 
The global view of this metric over time is shown in Figure 2.</p> <p class="caption5"><a href="https://www.potaroo.net/ispcol/2023-11/roas-f2.png"><img decoding="async" src="https://www.potaroo.net/ispcol/2023-11/roas-f2.png" width="75%"></a><br /> <i>Figure 2 – Proportion of Internet users who are behind <i>ROV-invalid</i> Filtering</i></p> <p>It’s an interesting measurement result, in that unlike ROA production, this is not an “up and to the right” data series, and the observation that some 20% of users cannot connect to <i>ROV-invalid</i> route destinations is the same as it was in mid 2020! This seems a little counter-intuitive, but it’s likely that as the density of interconnections increases over time, then the impact of a single transit network performing <i>ROV-invalid</i> route discard decreases.</p> <p>We perform the same analysis on a country-by-country basis, and the resultant map of where <i>ROV-invalid</i> route discard is taking place is shown in Figure 3.</p> <p class="caption5"><a href="https://www.potaroo.net/ispcol/2023-11/roas-f3.png"><img decoding="async" src="https://www.potaroo.net/ispcol/2023-11/roas-f3.png" width="75%"></a><br /> <i>Figure 3 – Per-Country map of proportion of national users who are behind <i>ROV-invalid</i> Filtering</i></p> <p>The analysis also extends to a per-network level of granularity, but this level of detail exposes an inherent issue in the measurement. While a network level measurement may purport to show whether or not the user’s network performs <i>ROV-invalid</i> route discard, the same outcome is achieved if the network’s transit network (or networks) perform <i>ROV-invalid</i> route discard. This is the case for any network in the path between the user’s network and the network that contains the target point. 
So, this is not in fact a network measurement but a path measurement.</p> <p>The task of measuring whether or not a network performs <i>ROV-invalid</i> route discard can use this same technique, but it requires the anycast cloud that contains the route targets to be located in the eBGP adjacent network to the network being measured, and this needs to be the case for all 75,000 networks! We will need to use an anycast configuration that contains service points in each of the 11,000 such immediately adjacent networks.</p> <p>This is probably too big an ask. An ideal measurement scheme is to take a target address within the network being measured and create a specific ROA that makes the target address <i>ROV-invalid</i>. A traceroute from the target out to any external point would require the TTL-exceeded messages to enter the network. If the network is <i>ROV-invalid</i> route dropping no TTL-exceeded messages would be received by the target from any external points in the traceroute path.</p> <p>The reports for user reachability of <i>ROV-invalid</i> destinations can be found at <a href="https://stats.labs.apnic.net/rpki">https://stats.labs.apnic.net/rpki</a>.</p> <p><i></i><i></i><i></i><i></i><i></i><i></i><i></i></p> </div><!-- .entry-content --> <footer class="entry-meta"> This entry was posted in <a href="https://labs.apnic.net/index.php/category/operations/" rel="category tag">Operations</a>, <a href="https://labs.apnic.net/index.php/category/routing/" rel="category tag">Routing</a> by <a href="https://labs.apnic.net/index.php/author/gih/">Geoff Huston</a>. Bookmark the <a href="https://labs.apnic.net/index.php/2023/11/09/how-we-measure-rpki-roa-signing-and-route-origination-validation/" title="Permalink to How We Measure: RPKI ROA Signing and Route Origination Validation" rel="bookmark">permalink</a>. 