Jordan Previtera, Internet Resource Analyst at APNIC, presented on 'Cleaning up your RPKI invalids' at PacNOG 35 held in Suva, Fiji from 23 to 27 June 2025.

1. 1
Cleaning up your RPKI invalids
Jordan Previtera
Internet Resource Analyst
APNIC

2. 2
2
What is RPKI?
A robust security framework for verifying the association
between resource holders and their Internet number
resources.
2

3. 3
3
Route Origin Authorization
What is contained in a ROA?
– The AS number you have authorized
– The prefix that is being originated from it
– The most specific prefix (maximum length) that the AS may
announce
"For example: “ISP 4 permits AS65551
to originate a route for the prefix
198.51.100.0/24"
3

4. 4
4
Route Origin Validation
• Valid
– The prefix (prefix length) and AS pair found in the database
• Invalid
– Prefix is found, but origin-AS is wrong, OR
– The prefix length is longer than the maximum length
4

5. 5
ROA uptake
https://stats.labs.apnic.net/roas

6. 6
6
Route Origin Validation
6
https://isbgpsafeyet.com/

7. 7
7
RPKI invalids
7
Validation result IPv4 count
Invalid origin ASN 126
Invalid origin ASN and Max Length 42
Invalid Max Length 860
Routeviews collector SG and Routunator

8. 8
8
ROA Prevalidation
8

9. 9
9
ROA Prevalidation
9
• Validate changes submitted via MyAPNIC to ensure
that they won’t cause problems in BGP
• Allows Members to override if necessary

10. 10
Improved DASH interface
• An online portal for APNIC
Members who can login through
MyAPNIC or dash.apnic.net
• Implemented for suspicious
traffic alerts
• Rapidly track and be alerted on
routing issues and suspicious
traffic on your network
• Compare your organization
against your economy or sub-
region​
• Generate reports for informed
decision-making
• Available for all APNIC
Members

11. 11
11
Routing status alerts in DASH
• RPKI ROA mismatches will show on this screen
• Could be for all your prefixes or the announcements you have from your ASN
• DASH will compare these against RPKI and IRR to find misalignments between these
• For this example, none of the prefixes associated with this account have any ROA mismatches or route object
mismatches

12. 12
12
Routing status alerts in DASH
12
https://dash.apnic.net/

13. 13
13
Routing status alerts in DASH
13
https://dash.apnic.net/

14. 14
14
Alerts for routing status in DASH

15. 15
15
ROA alert filters in DASH
15

16. 16
16
Alerts creation in DASH

17. 17
17
Alerts creation in DASH

18. 18
18
Alerts creation in DASH

19. 19
19
Alerts creation in DASH

20. 20

21. 21

22. 22
Thank you!