RPKI is Coming of Age:
A Longitudinal Study of RPKI Deployment and Invalid Route Origins

Taejoong Chung§, Emile Aben, Tim Bruijnzeels,
Balakrishnan Chandrasekaran-, David Choffnes*, Dave Levin+,
Bruce Maggs°, Alan Mislove*, Roland van Rijswijk-Deij‡±,
John Rula, Nick Sullivan

§Rochester Institute of Technology, RIPE NCC, NLNetLabs, ±University of Twente,
-Max Planck Institute for Informatics, *Northeastern University,
+University of Maryland, °Duke University, Akamai Technologies, Cloudflare

About This Study

Despite its critical role in Internet connectivity, BGP remains highly vulnerable to attacks such as prefix hijacking, where an Autonomous System (AS) announces routes for IP space it does not control. To address this issue, the Resource Public Key Infrastructure (RPKI) was developed starting in 2008, resulting in deployment in 2011. This paper performs the first comprehensive, longitudinal study of the deployment and quality of RPKI. We use a unique dataset containing all RPKI Route Origin Authorizations (ROAs) from the moment RPKI was first deployed, more than 8 years ago. We combine this dataset with BGP announcements from more than 3,300 BGP collectors worldwide. Our analysis shows that after a gradual start, RPKI has seen a rapid increase in adoption over the past two years. We also show that although misconfigurations were rampant when RPKI was first deployed (causing many announcements to appear as RPKI invalid), they are quite rare today. We develop a taxonomy of invalid RPKI announcements, then quantify their prevalence. We further identify suspicious announcements indicative of prefix hijacking and present case studies of likely hijacks. Overall, we conclude that while misconfigurations do occur, RPKI is “ready for the big screen,” and routing security can be increased by dropping invalid announcements.

This paper will be published at IMC’2019 (Internet Measurement Conference) and you can download the paper here.

Datasets, tools, and source code

To foster reproducibility and stimulate further research into the RPKI ecosystem, we publicly release the following (please cite this study when using the datasets):

1. RPKI datasets

For these two datasets, the RPKI Archive describes the datasets and provides instructions.

2. BGP advertisements

In order to understand how ROAs affect routing table construction, we used three datasets:

| Source | Start date | End date | # of VPs | # of Unique Prefixes | Link |
|---|---|---|---|---|---|
| RouteViews | 2011-01-21 | 2018-12-27 | 23 | 958K | RouteViews |
| RIPE-RIS | 2011-01-21 | 2018-12-27 | 24 | 905K | RIPE-RIS |
| Akamai | 2017-01-21 | 2018-12-31 | 3,300 | 1.94M | N/A¹ |

¹ Our Akamai dataset is provided under agreement with Akamai; unfortunately, we are not permitted to release this data.

3. Analysis and plotting source code

For reproducibility of the IMC’19 paper, we share the analysis code and plotting scripts here.