APNIC Training Delivery Manager Shane Hermoso presents on the status of RPKI deployment in the Asia Pacific and the importance of cleaning up invalids at VNIX-NOG 2023, Da Lat, Viet Nam from 5 to 6 October 2023.

1. 1 v1.1

2. 2 v1.1
State of RPKI in APAC:
Cleaning up Invalids
S he ry l (S hane ) He rm o so
O ct 2023

3. 3 v1.1
• RPKI in a nutshell
• RPKI Deployment Status & Success Stories
• RPKI Deployment – Vietnam Focus
• Challenges & Next Steps
Overview

4. 4 v1.1
RPKI in a nutshell

5. 5 v1.1
What is RPKI?
RPKI
robust security framework for verifying
the association between resource holders
and their Internet number resources
ROA
digitally signed, cryptographic
object that contains IP prefixes
mapped to an ASN
Image source: Cloudflare
Image source: Internet

6. 6 v1.1
Route Origin Authorization
What is contained in a ROA?
ü The AS number you have authorized
ü The prefix that is being originated from it
ü The most specific prefix (maximum length) that the AS may announce
For example:
“ISP A permits AS65551 to originate a route for the prefix198.51.100.0/24”
Who should create a ROA?
q Resource holders

7. 7 v1.1
• Hosted Model is where APNIC performs the CA functions
o Setup in MyAPNIC, then register ROAs
• Delegated model is where members operate the RPKI CA and
syncs with APNIC via the RPKI provisioning protocol (RFC 6492).
o Download/install a CA software, register CA via MyAPNIC
o Useful when:
- There’s a need to script or automate RPKI operations
- Have resources in multiple RIRs
RPKI Hosted vs Delegated Model

8. 8 v1.1
Step 1 – Create ROAs
If you are a resource holder of an IP address block,
create your ROAs now!
From APNIC or VNNIC portal:

9. 9 v1.1
Route Origin Validation
Valid
The prefix (prefix length) and AS pair
found in the database
Invalid
Prefix is found, but origin-AS is wrong,
OR
The prefix length is longer than the
maximum length
Not Found / Unknown
Neither valid nor invalid (perhaps not
created)
There are 3 validation states: Ex: This ROA is created
ASN Prefix Max Length
17862 203.176.189.0/22 23
With Origin Validation, these BGP routes
will have an RPKI state as follows:
ASN Prefix RPKI State
17862 203.176.189.0/22 VALID
17862 203.176.189.0/23 VALID
17862 203.176.189.0/24 INVALID
17861 203.176.189.0/22 INVALID
17862 203.176.189.0/21 NOT FOUND

10. 10 v1.1
• Many options to choose from:
o Routinator
o Rpki-client
o Fort
o OctoRPKI/GoRTR
• More mature – easier to install, better
documentation
• Considerations:
o Which validator to use?
o Do I need multiple validators?
o What happens when RTR session fails?
RPKI Validators

11. 11 v1.1
• Enable RTR on the router
• Make sure to understand the platform defaults
RPKI to Router Protocol (RTR)
router bgp 131107
bgp rpki server tcp <validatorIP> port <323/8282/3323> refresh <secs>

12. 12 v1.1
Step 2 – Implement ROV
Configure router to get validated routes from an RPKI cache (RTR session)
Apply rules/filters based on RPKI states
Setup your own RPKI validator

13. 13 v1.1
• Tag
o If you have downstream customers or run a route server (IXP)
• Modify preference values – RFC7115
• Drop Invalids
ROV – Acting on Validation states
[Valid > Not Found > Invalid]
[Valid (ASN:65XX0), Not Found (ASN:65XX1), Invalid (ASN:65XX2)]

14. 14 v1.1
Step 3 – ROV Filtering
Many providers are already
dropping invalid routes.
Are network operators in
Vietnam already doing this?
This example is from my hotel network J
https://isbgpsafeyet.com/

15. 15 v1.1
RPKI Deployment Status

16. 16 v1.1
RPKI Adoption Trends – ROA Count
https://rpki.cloudflare.com/?view=statistics
There are about 480k routes in the RPKI system.
47%
24%
20%
7%
2%
ROA
RIPE APNIC ARIN LACNIC AFRINIC

17. 17 v1.1
RPKI Adoption Trends – ROA Coverage
01 Oct 2020: Global coverage at 22.9%

18. 18 v1.1
RPKI Adoption Trends – ROA Coverage
01 Oct 2023: Global coverage at 40.3%

19. 19 v1.1
RPKI Adoption Trends – ROA Coverage
https://stats.labs.apnic.net/roa/XD
40.3
49.9
66.5
55.4
44.3
23.7
4.3 5.7
9.8
0
10
20
30
40
50
60
70
Global Asia South East Asia
% ROAs
Valid Unknown Invalid

20. 20 v1.1
13.5
16.9
18.6
47.2
62.2
66.5
60.9
69.3
73
28.5
31.7 33.1
0
10
20
30
40
50
60
70
80
1-0ct-2021 1-0ct-2022 1-0ct-2023
% ROA valids
East Asia South-East Asia South Asia Oceania
RPKI Valid ROA

21. 21 v1.1
85.4
81.6
78.8
50.2
34.7
23.7
36
28.1
25.2
67.4
64.5 65.3
0
10
20
30
40
50
60
70
80
90
1-0ct-2021 1-0ct-2022 1-0ct-2023
% ROA unknown
East Asia South-East Asia South Asia Oceania
RPKI Unknown ROA

22. 22 v1.1
1.1
1.5
2.5
2.6
3
9.8
3.1
2.5
1.8
4.1
3.8
1.6
0
2
4
6
8
10
12
1-0ct-2021 1-0ct-2022 1-0ct-2023
% ROA invalids
East Asia South-East Asia South Asia Oceania
RPKI Invalid ROA

23. 23 v1.1
93.4 93.3
90.2
87.8 87.1
76.1
67.6
63.6
48.6
41.6
39.4
6 6.1
9.1
11.7 11.5
22.8
32
35.9
50
57.9
60.5
0.6 0.6 0.6 0.6 1.4 1.1 0.3 0.4 1.4 0.5 0.2
0
10
20
30
40
50
60
70
80
90
100
Lao PDR Philippines Cambodia Vietnam Myanmar Singapore Malaysia Thailand Timor Leste Indonesia Brunei
% Valid % Unknown % Invalid
RPKI South-East Asia Leaderboard

24. 24 v1.1
Route Origin Validation (ROV) Filtering
https://stats.labs.apnic.net/rpki

25. 25 v1.1
19.43
47.3
34.7
31.29
22.2
11.29
0
5
10
15
20
25
30
35
40
45
50
World Oceania America Europe Africa Asia
% ROV Filtering
% ROV Filtering
ROV – Global Leaderboard

26. 26 v1.1
0
20
40
60
80
100
120
W
e
s
t
e
r
n
S
a
m
o
a
T
o
n
g
a
T
a
i
w
a
n
A
u
s
t
r
a
l
i
a
P
N
G
H
o
n
g
K
o
n
g
F
i
j
i
B
h
u
t
a
n
M
y
a
n
m
a
r
M
o
n
g
o
l
i
a
I
n
d
o
n
e
s
i
a
T
i
m
o
r
L
e
s
t
e
V
i
e
t
n
a
m
B
r
u
n
e
i
C
h
i
n
a
A
m
e
r
i
c
a
n
S
a
m
o
a
J
a
p
a
n
N
e
w
Z
e
a
l
a
n
d
S
i
n
g
a
p
o
r
e
K
i
r
i
b
a
t
i
% ROV filtering
% ROV
ROV – APAC Top 20

27. 27 v1.1
0
5
10
15
20
25
30
Myanmar Indonesia Timor Leste Vietnam Brunei Singapore Cambodia Philippines Lao PDR Thailand Malaysia
% ROV
% ROV
ROV – South-East Asia Leaderboard

28. 28 v1.1
RPKI Deployment – Vietnam Focus

29. 29 v1.1
ROA Coverage – Vietnam

30. 30 v1.1
ROA Coverage – Top ASNs

31. 31 v1.1
ROA Coverage – Unknowns

32. 32 v1.1
ROA Coverage – Invalids

33. 33 v1.1
ROV – Vietnam

34. 34 v1.1
ROV – Top ASNs

35. 35 v1.1
Challenges & Next Steps

36. 36 v1.1
• Fixing Invalids
o Common issue: Invalid AS & Max Length
o Especially for large providers, when they change size of prefix
announcements it needs to be updated in MyAPNIC
• Concerns about causing outage
o Sub-delegation causing invalid ASN, where delegated blocks to customers
are not updated
• Leased IP address blocks
o Mostly from another region
o Process to update the ROA
• Account-related issues
o Who can create ROA in the organization?
Common Challenges

37. 37 v1.1
• Max-length
o Make sure the max-length value covers your BGP announcements
• Minimal ROAs
o Reduce spoofed origin-AS attack surface
- ROAs should cover only those prefixes announced in BGP
Fixing Invalids – ROA Considerations
https://www.ietf.org/archive/id/draft-ietf-sidrops-rpkimaxlen-08.html

38. 38 v1.1
0
50
100
150
200
250
300
InvalidAS InvalidASML InvalidML
# Invalid ROAs
IPv4 IPv6
Invalid ROAs in Vietnam

39. 39 v1.1
Always check your ROA!
https://rpki-validator.ripe.net/ui/ https://rpki.cloudflare.com

40. 40 v1.1
• Or run a script that checks the validation state for your advertised
prefixes
Always check your ROA!
whois -h rr.ntt.net 2001:df2:ee00::/48
route6: 2001:df2:ee00::/47
descr: v6 aggregate
origin: AS45192
mnt-by: MAINT-AU-APNICTRAINING
last-modified: 2022-02-25T06:32:53Z
source: APNIC
rpki-ov-state: valid

41. 41 v1.1
• ROA with origin AS0 instead of a
real ASN
o Routes will be RPKI-invalid when
they would otherwise be RPKI-
unknown.
• Why use it?
o Prevent unused delegations from
being hijacked
o Mitigate leakage of private-use
public address space
• AS0 will never appear as a
functional origin in a ROA (see
RFC7607)
AS0 ROAs
Ex: For the following VRPs
VRPs
2.0.0.0/16-16, AS0
3.0.0.0/22-24, AS0
4.0.0.0/24-24, AS0
4.0.0.0/24-24, AS1234
With Origin Validation, these BGP routes
will have an RPKI state as follows:
ASN Prefix RPKI State
1234 1.0.0.0/24 NOT FOUND
1234 2.0.0.0/16 INVALID
1234 2.0.0.0/24 INVALID
1234 3.0.0.0/16 NOT FOUND
1234 4.0.0.0/24 VALID

42. 42 v1.1
• ASPA - Autonomous System Provider Authorisation
o https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-profile/16/
• ASPA indicates the ASNs allowed/authorized to propagate their
routes
• Supported in:
o Validators rpki-client and Routinator
o RPKI to Router Protocol (RTRv2)
o OpenBGPD
What’s next? AS Path Validation

43. 43 v1.1
• RIPE NCC starts ASPA pilot
• aspa-objects on test:
o AS 970
o AS 21957
o AS 15562
What’s next? AS Path Validation

44. v1.0
44
https://www.apnic.net/community/security/resource-certification/#routing

45. 45 v1.1
Thank You!
END OF SESSION
Thank You!
END OF SESSION

46. 46 v1.1
• Any questions?