Where are RPKI unreachable networks located?

nusenu
4 min read · Sep 25, 2018


Mapping the RPKI unreachable IP address space.

In the previous post (see that for more context) we analyzed RPKI INVALID IP address prefixes that are unreachable (no alternative route available) and used the number of prefix-origin pairs as the primary metric. We argued, however, that prefix-origin-pair counts are not the best metric (many small prefixes can distort the picture) and left the task of analyzing unreachable networks by IP address space for the future:

Future Steps

add analysis based on IP space size (not just prefix-origin pair counts)

So this time, instead of using number of prefixes, we take the actual prefix size into account. We measure RPKI unreachable IP address space in number of /24 blocks for IPv4 and /48 blocks for IPv6 and put them on a global map.

Counting unique IP Addresses only

Since the same IP address space can be announced by multiple prefixes we make sure we count only unique (non-overlapping) unreachable IP address space.

This is probably best illustrated by an example. The following three prefixes are all INVALID (as seen in line 699 and following), but since all of them are contained in the first prefix we collapse them into one entry (the first one) to avoid counting the same IP address space multiple times.

115.168.0.0/14
115.168.0.0/17
115.168.37.0/24

Break down by RIR (IPv4)

In total, more than 8700 IPv4 /24 blocks are unreachable in an RPKI validating environment. Broken down by RIR, the APNIC region is most affected. (The previous analysis by prefix-origin count suggested that the LACNIC region is most affected; IP address space is strictly the better metric.)

Figure 1: How are RPKI INVALID and unreachable IPv4 /24 blocks distributed across RIRs?

Break down by RIR (IPv6)

In the IPv6 world, most unreachable IP space (>61%) is located in the RIPE region.

Figure 2: How are RPKI INVALID and unreachable IPv6 /48 blocks distributed across RIRs?

RPKI unreachable IPv4 Networks by Country

We used RIPEstat to map the announcing AS (not the IP address) to a country. More than 44% of unreachable IPv4 space is located in China. Other countries with a significant amount of unreachable prefixes are Argentina and Colombia.

Since ARIN was basically invisible in the RIR breakdown graph (Figure 1), we did not expect the US to show up that prominently in the per-country distribution. After taking a closer look it turned out that in most cases where the geolocation for the ASN says “US”, the issuing RIR was actually LACNIC (for IPv4).

Geolocation is never perfect, so take the maps below with a grain of salt.

Figure 3: What does the geographical distribution of RPKI INVALID and unreachable IPv4 /24 blocks look like? (“EU” does not contain all EU countries.)

RPKI unreachable IPv6 Networks by Country

Iran, Venezuela, the US and Australia have a significant portion of the unreachable IPv6 address space. For the US most of the time RIPE NCC is the issuing CA (explaining the low RIR fraction of ARIN again).

What does the geographical distribution of RPKI INVALID and unreachable IPv6 /48 blocks look like?

RPKI unreachable IPv4 Networks by (announcing) Autonomous System

Autonomous Systems with the biggest fraction of RPKI INVALID and unreachable IPv4 address space.

RPKI unreachable IPv6 Networks by (announcing) Autonomous System

Autonomous Systems with the biggest fraction of RPKI INVALID and unreachable IPv6 address space.

The careful reader will spot “Bitcanal” in the third position above, but a closer look suggests that they just messed up their ROAs, since AS200775 and AS197426 both have the same name (Bitcanal).

Bitcanal: Invalid prefix (2a00:4c80::/29) announced by AS200775 but ROA authorizes only AS197426.

Future Work

We currently count partial INVALIDs (example shown below) as complete INVALIDs, which causes a slight overcount of unreachable IP space. Currently the following example is counted as two unreachable /24 blocks, but it should be counted as one unreachable /24 block.
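As an added example (not the author's code or data), the counting described under “Counting unique IP Addresses only” in Python, extended with the partial-INVALID correction left for future work: overlapping unreachable prefixes are collapsed, and any more-specific that still has an alternative route (assumed here to be what makes an INVALID “partial”) is carved out before counting /24 and /48 blocks. The prefix list is constructed from the three prefixes quoted above plus documentation ranges.

```python
import ipaddress

# Unit of measurement used in the post: /24 blocks for IPv4, /48 blocks for IPv6.
UNIT_PREFIXLEN = {4: 24, 6: 48}

def _parse(prefixes, version):
    nets = (ipaddress.ip_network(p, strict=False) for p in prefixes)
    return [n for n in nets if n.version == version]

def unique_space(unreachable, reachable=()):
    """Return non-overlapping networks covering only the unreachable space.
    1. Overlapping INVALID/unreachable prefixes are collapsed, so the post's
       115.168.0.0/14, /17 and /24 example becomes a single /14.
    2. Every sub-prefix listed in `reachable` (a more-specific that still has
       an alternative route) is carved out, so a partial INVALID no longer
       counts in full.
    """
    result = []
    for version in (4, 6):
        bad = ipaddress.collapse_addresses(_parse(unreachable, version))
        good = list(ipaddress.collapse_addresses(_parse(reachable, version)))
        for net in bad:
            pieces = [net]
            for g in good:
                kept = []
                for p in pieces:
                    if p.subnet_of(g):        # fully reachable: drop it
                        continue
                    if g.subnet_of(p):        # partially reachable: split around g
                        kept.extend(p.address_exclude(g))
                    else:                     # disjoint: keep as is
                        kept.append(p)
                pieces = kept
            result.extend(pieces)
    return sorted(result, key=lambda n: (n.version, n))

def count_blocks(nets):
    """Count covered unit blocks per IP version; a prefix longer than the unit
    (e.g. a /26) counts as the matching fraction of a block."""
    totals = {4: 0.0, 6: 0.0}
    for n in nets:
        totals[n.version] += 2.0 ** (UNIT_PREFIXLEN[n.version] - n.prefixlen)
    return totals

if __name__ == "__main__":
    # Constructed sample: the three overlapping prefixes quoted in the post plus a
    # partial INVALID in a documentation range where 192.0.2.0/24 keeps another route.
    space = unique_space(["115.168.0.0/14", "115.168.0.0/17", "115.168.37.0/24",
                          "192.0.2.0/23", "2001:db8::/32"], ["192.0.2.0/24"])
    print([str(n) for n in space], count_blocks(space))  # ... {4: 1025.0, 6: 65536.0}
```

Without the `reachable` argument the 192.0.2.0/23 line is counted as two /24 blocks, which is exactly the overcount described above.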

For Network Operators

If you are a network operator and would like to know whether your prefix reachability is affected by RPKI misconfigurations, you can search this list (data as of 2018-09-24) for your ASN, or you can enter your ASN at the RIPE RPKI validator and inspect your prefixes manually.

Note that Cloudflare announced that they will enforce RPKI route origin validation by the end of 2018, which means that affected networks will not be able to talk to Cloudflare networks after that anymore — unless the BGP announcement or ROA is corrected.
