Cleaning up your RPKI invalids
Zen Ng
Senior Internet Resource Analyst
APNIC
What has been discussed previously?
• ROA adoption rate in SEA and Malaysia.
• It was great! Thanks to all!
• Currently 95.74%. So far yet so close!
• While ROA stats are increasing, RPKI invalids still persist
• What should we do next? Clean up and reduce RPKI invalids
ROA adoption in SEA
Economy ROA adoption rate (%)
Philippines 96.73%
Malaysia 95.74%
Cambodia 93.43%
Myanmar 91.02%
Vietnam 88.73%
Singapore 83.50%
Lao PDR 77.81%
Thailand 66.86%
Let's revisit: what is RPKI?
A robust security framework for verifying the association
between resource holders and their Internet number
resources.
Route Origin Authorization
What is contained in a ROA?
– The AS number you have authorized
– The prefix that is being originated from it
– The most specific prefix (maximum length) that the AS may
announce
For example: "ISP 4 permits AS65551 to originate a route for the prefix 198.51.100.0/24"
Route Origin Validation
• Valid
– The prefix (prefix length) and AS pair found in the database
• Invalid
– Prefix is found, but origin-AS is wrong, OR
– The prefix length is longer than the maximum length
Route Origin Validation
https://isbgpsafeyet.com/
RPKI invalids
Validation result IPv4 count
Invalid origin ASN 338
Invalid origin ASN and Max Length 192
Invalid Max Length 1694
Routeviews collector SG and Routinator
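The validation states and the three invalid rows in the table above can be reproduced with a short origin-validation routine. This is an added example, not APNIC's or any validator's own code: the ROA list and announcements are constructed, only the first ROA (AS65551, 198.51.100.0/24) comes from the slide, and the way an invalid is split into the three rows is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample ROAs: (prefix, max length, authorised origin AS).
# The first is the ROA from the slide's example; the other two are made up.
ROAS = [
    ("198.51.100.0/24", 24, 65551),
    ("203.0.113.0/24", 25, 64496),
    ("2001:db8::/32", 48, 65551),
]

def validate(route_prefix, origin_as, roas=ROAS):
    """Classify one BGP announcement against a list of ROAs."""
    route = ipaddress.ip_network(route_prefix)
    # A ROA covers the route if the route equals or sits inside the ROA prefix.
    covering = []
    for prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "not-found"  # no ROA speaks for this address space
    if any(asn == origin_as and route.prefixlen <= max_len
           for max_len, asn in covering):
        return "valid"  # one ROA matches both origin and length
    # Assumed mapping of an invalid onto the three rows in the table above.
    if any(asn == origin_as for _, asn in covering):
        return "invalid-max-length"
    if any(route.prefixlen <= max_len for max_len, _ in covering):
        return "invalid-origin-asn"
    return "invalid-origin-asn-and-max-length"

def summarise(announcements, roas=ROAS):
    """Count announcements per validation result."""
    return Counter(validate(p, a, roas) for p, a in announcements)

# Constructed announcements, not real routing data.
SAMPLE = [
    ("198.51.100.0/24", 65551),    # matches the ROA exactly
    ("198.51.100.0/24", 64500),    # covered, but wrong origin AS
    ("198.51.100.0/25", 65551),    # right origin, longer than max length 24
    ("198.51.100.128/25", 64500),  # wrong origin and too specific
    ("203.0.113.0/25", 64496),     # /25 is allowed by max length 25
    ("192.0.2.0/24", 65551),       # no covering ROA
]

if __name__ == "__main__":
    for state, count in sorted(summarise(SAMPLE).items()):
        print(f"{state:34} {count}")
```

Running the same check over your own announcements before changing a ROA shows which row each prefix would land in, and whether the fix is a new origin AS or a larger maximum length.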
Comparing to other countries
Validation result IPv4 count
MY ID SG
Invalid origin ASN 338 3 11 55
Invalid origin ASN and Max Length 192 0 0 12
Invalid Max Length 1694 25 142 167
ROA Prevalidation
• Validate changes submitted via MyAPNIC to ensure that they won’t cause problems in BGP
• Allows Members to override if necessary
Routing Status Alerts
https://dash.apnic.net/
ROA alert filters
IPv4 ROA coverage in Malaysia
https://stats.labs.apnic.net/roas
Around 20%
79.15%
Creating your ROAs
Request a Digital Certificate (2FA) → Corporate Contact approves request → Install Digital Certificate → Corporate Contact gives RPKI update permission → Enable RPKI in MyAPNIC → Create ROA
Simplified …
Register for MyAPNIC → Set up 2FA → Enable RPKI in MyAPNIC → Create ROA
Summary
• ROA Pre-validation feature
• Routing Status Alerts in Dash
• ROA Alert Filters in Dash
• Registry API
– https://blog.apnic.net/2022/03/22/apnic-registry-api/
• Continuous improvement on ROA guides and Help Centre articles
Questions?