Where are RPKI unreachable networks located?

Counting unique IP Addresses only

Since the same IP address space can be announced by multiple prefixes, we count only unique (non-overlapping) unreachable IP address space.

115.168.0.0/14                       
115.168.0.0/17
115.168.37.0/24
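
The de-duplication described above, sketched as an added example (not the code used for this analysis). It counts unique /24 (IPv4) or /48 (IPv6) blocks with Python's `ipaddress` module. The function names are hypothetical, and rounding prefixes longer than the counting unit up to their covering block is an assumption of this sketch.

```python
import ipaddress

# Counting units used in this article: /24 blocks for IPv4, /48 blocks for IPv6.
UNIT_LEN = {4: 24, 6: 48}


def naive_blocks(prefixes):
    """Sum blocks per prefix without de-duplication (overcounts overlapping space)."""
    total = 0
    for p in prefixes:
        net = ipaddress.ip_network(p)
        unit = UNIT_LEN[net.version]
        total += 2 ** max(unit - net.prefixlen, 0)
    return total


def unique_blocks(prefixes):
    """Return {ip_version: number of unique unit-sized blocks covered}."""
    by_version = {4: [], 6: []}
    for p in prefixes:
        net = ipaddress.ip_network(p)  # strict: rejects prefixes with host bits set
        unit = UNIT_LEN[net.version]
        # Assumption: a prefix longer than the unit counts as its covering block.
        if net.prefixlen > unit:
            net = net.supernet(new_prefix=unit)
        by_version[net.version].append(net)

    counts = {}
    for version, nets in by_version.items():
        unit = UNIT_LEN[version]
        # collapse_addresses() merges overlapping and adjacent networks, so each
        # address is covered exactly once and block counts can simply be summed.
        collapsed = ipaddress.collapse_addresses(nets)
        counts[version] = sum(2 ** (unit - n.prefixlen) for n in collapsed)
    return counts


if __name__ == "__main__":
    # The three overlapping announcements listed above.
    overlapping = ["115.168.0.0/14", "115.168.0.0/17", "115.168.37.0/24"]
    print("naive :", naive_blocks(overlapping))
    print("unique:", unique_blocks(overlapping)[4])
```

Counted per prefix, the three announcements above add up to 1153 /24 blocks; de-duplicated they cover 1024, the size of the /14 that contains the other two.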

Break down by RIR (IPv4)

In total there are more than 8700 /24 IPv4 blocks unreachable in an RPKI validating environment. If we break them down by RIR, we can see that the APNIC region is most affected. (The previous analysis by prefix-origin count suggested that the LACNIC region is most affected; IP address space is strictly a better metric.)

Figure 1: How are RPKI INVALID and unreachable IPv4 /24 blocks distributed across RIRs?

Break down by RIR (IPv6)

In the IPv6 world, most unreachable IP space (>61%) is located in the RIPE region.

Figure 2: How are RPKI INVALID and unreachable IPv6 /48 blocks distributed across RIRs?

RPKI unreachable IPv4 Networks by Country

We used RIPEstat to map the announcing AS (not the IP address) to a country. More than 44% of unreachable IPv4 space is located in China. Other countries with a significant amount of unreachable prefixes are Argentina and Colombia.

Figure 3: What does the geographical distribution of RPKI INVALID and unreachable IPv4 /24 blocks look like? (“EU” does not contain all EU countries.)

RPKI unreachable IPv6 Networks by Country

Iran, Venezuela, the US and Australia have a significant portion of the unreachable IPv6 address space. For the US, RIPE NCC is the issuing CA most of the time (which again explains the low RIR fraction of ARIN).

What does the geographical distribution of RPKI INVALID and unreachable IPv6 /48 blocks look like?

RPKI unreachable IPv4 Networks by (announcing) Autonomous System

Autonomous Systems with the biggest fraction of RPKI INVALID and unreachable IPv4 address space.

RPKI unreachable IPv6 Networks by (announcing) Autonomous System

Autonomous Systems with the biggest fraction of RPKI INVALID and unreachable IPv6 address space.
Bitcanal: Invalid prefix (2a00:4c80::/29) announced by AS200775 but ROA authorizes only AS197426.

Future Work

We currently count partial INVALIDs (example shown below) as complete INVALIDs, which causes a slight false-positive rate in the amount of unreachable IP space. Currently the following example is counted as two unreachable /24 blocks, but it should be counted as one unreachable /24 block.

For Network Operators

If you are a network operator and would like to know if your prefix reachability is affected by RPKI misconfigurations, you can search this list (data as of 2018-09-24) for your ASN, or you can enter your ASN at the RIPE RPKI validator and inspect your prefixes manually.
