Mapping the RPKI unreachable IP address space.
In the previous post (see that for more context) we analyzed RPKI INVALID IP address prefixes that are unreachable (no alternative route available) and used the number of prefix-origin pairs as the primary metric. We argued there that prefix-origin-pair counts are not the best metric (many small prefixes can distort the picture) and left the analysis of unreachable networks by IP address space for the future:
Future Steps
add analysis based on IP space size (not just prefix-origin pair counts)
So this time, instead of counting prefixes, we take the actual prefix size into account: we measure RPKI unreachable IP address space in /24 blocks for IPv4 and /48 blocks for IPv6 and put the results on a global map.
Counting unique IP Addresses only
Since the same IP address space can be announced by multiple prefixes, we make sure we count only unique (non-overlapping) unreachable IP address space.
This is probably best illustrated by an example. The following three prefixes are all INVALID (as seen in line 699 and following), but since the latter two are contained in the first prefix, we collapse them into one entry (the first one) to avoid counting the same IP address space multiple times.
115.168.0.0/14
115.168.0.0/17
115.168.37.0/24
Break down by RIR (IPv4)
In total there are more than 8700 /24 IPv4 blocks unreachable in an RPKI validating environment. Broken down by RIR, the APNIC region is most affected. (The previous analysis by prefix-origin count suggested that the LACNIC region was most affected; IP address space is strictly the better metric.)
Break down by RIR (IPv6)
In the IPv6 world, most unreachable IP space (>61%) is located in the RIPE region.
RPKI unreachable IPv4 Networks by Country
We used RIPEstat to map the announcing AS (not the IP address) to a country. More than 44% of unreachable IPv4 space is located in China. Other countries with a significant number of unreachable prefixes are Argentina and Colombia.
Since ARIN was basically invisible in the RIR breakdown graph (Figure 1), we did not expect the US to show up that significantly in the per-country distribution. After taking a closer look it turned out that in most cases where the geolocation for the ASN says “US”, the issuing RIR was actually LACNIC (for IPv4).
Geolocation is never perfect, so take the maps below with a grain of salt.
RPKI unreachable IPv6 Networks by Country
Iran, Venezuela, the US and Australia hold a significant portion of the unreachable IPv6 address space. For the US, RIPE NCC is most of the time the issuing CA (which again explains the low ARIN fraction in the RIR breakdown).
RPKI unreachable IPv4 Networks by (announcing) Autonomous System
RPKI unreachable IPv6 Networks by (announcing) Autonomous System
The attentive reader will spot “Bitcanal” in third position above, but a closer look suggests that they just messed up their ROAs, since AS200775 and AS197426 both carry the same name (Bitcanal).
Future Work
We currently count partial INVALIDs (example shown below) as complete INVALIDs, which slightly overstates the amount of unreachable IP space. The following example is currently counted as two unreachable /24 blocks, but it should be counted as one unreachable /24 block.
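As an added example (not the post's own tooling) of both the de-duplication described under "Counting unique IP Addresses only" and the partial-INVALID correction described here: the script collapses the three INVALID prefixes quoted above into their covering /14, counts the result exactly in /24 and /48 units, and, going beyond what the post does today, carves out sub-prefixes that do have an alternative route so a partially covered /23 counts as one block rather than two. The IPv6 prefixes and the 198.51.100.0/23 case are constructed sample input.

```python
"""Count unique unreachable IP space in /24 (IPv4) and /48 (IPv6) units.

Added illustration for this post, not its own tooling. Uses the three
INVALID prefixes quoted in the post plus constructed sample prefixes.
"""
from fractions import Fraction
import ipaddress

UNIT_PREFIXLEN = {4: 24, 6: 48}  # counting unit per address family


def collapse(prefixes):
    """Return non-overlapping networks covering the same address space.

    A prefix contained in another (115.168.0.0/17 inside /14) is dropped
    so its addresses are not counted twice. collapse_addresses accepts
    only one family at a time, so group by version first.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(
            n for n in nets if n.version == version))
    return out


def unit_blocks(net):
    """Exact size of one network in /24 (v4) or /48 (v6) units."""
    unit = UNIT_PREFIXLEN[net.version]
    return Fraction(net.num_addresses, 2 ** (net.max_prefixlen - unit))


def count_unreachable(invalid, reachable=()):
    """Unreachable space per family, overlap removed.

    `reachable` lists sub-prefixes that do have an alternative route (the
    partial-INVALID case); they are carved out so only the genuinely
    unreachable remainder is counted.
    """
    totals = {4: Fraction(0), 6: Fraction(0)}
    covered = collapse(reachable)
    for net in collapse(invalid):
        pieces = [net]
        for r in (c for c in covered if c.version == net.version):
            nxt = []
            for piece in pieces:
                if piece.subnet_of(r):      # fully reachable: drop it
                    continue
                if r.subnet_of(piece):      # partially reachable: split
                    nxt.extend(piece.address_exclude(r))
                else:
                    nxt.append(piece)
            pieces = nxt
        totals[net.version] += sum(map(unit_blocks, pieces), Fraction(0))
    return totals
```

Run with `count_unreachable(["115.168.0.0/14", "115.168.0.0/17", "115.168.37.0/24"])` to see the post's three prefixes counted as 1024 /24 blocks, and pass a reachable sub-prefix as the second argument to see the partial case subtracted.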
For Network Operators
If you are a network operator and would like to know if your prefix reachability is affected by RPKI misconfigurations, you can search this list (data as of 2018–09–24) for your ASN or you can enter your ASN at the RIPE RPKI validator and inspect your prefixes manually.
Note that Cloudflare announced that they will enforce RPKI route origin validation by the end of 2018, which means that affected networks will not be able to talk to Cloudflare networks after that anymore — unless the BGP announcement or ROA is corrected.