Making sense of the Internet
Support the Research

Get data. Get insights. Help affect change.

View joining options
DNSRF Corporate Logo - words and line shorter version
Search
{item._type | case 'page' 'Web page' 'blog/blog' publication 'adnewsfeed/news' 'News' 'docs/article' 'Docs'}{item.section.title} / {item.chapter.title} / {item.topic.title}  | {category.title}
{item.publishDate | date 'DD MMM YYYY' | append ': '}
Media item

Live Indicators: ARIN and Global

RPKI Coverage in the ARIN Region

RPKI adoption analysis explores the extent to which organisations (autonomous systems) are protecting their assigned IP prefixes/resources. The indicator measures the percentage of unique Prefix/Origin AS pairs observed that are RPKI protected. A prefix that is covered by ROA is considered as protected. This means that operators running RPKI will be able to assess the validity of the announcement with that prefix. It must be noted that RPKI deployment depends on organisations issuing ROAs for their assigned resources, but also on operators conducting validation when routing information. 

RPKI Coverage Results

IPV4

Details
Description:

IPV6

Details
Description:

IPV4

Details
Description:

IPV6

Details
Description:

Search by geographic area in the ARIN Region

This report considers the 29 countries or geographic areas serviced by ARIN. Search for yours below to view and compare RPKI coverage results.

{countries | filter 'country' countrySelect | item 0| member 'name'}

IPv4

IPv6

For a full comparative view of global, ARIN and per country/geographic area RPKI coverage results, click here.

RPKI Validation Results in the ARIN Region

Using RPKI, a network operator can determine whether a given organisation is authorised to announce a prefix or set of prefixes. The indicator measures for all unique Prefix/Origin AS pairs observed, what percentage is valid, invalid and not found.

Valid means an AS is authorised to announce a specific set of prefixes; it also means that the organisation authorised to announce those prefixes has issued ROAs to protect its resources. Not found means that no information has been found to validate whether a specific organisation is allowed to announce a specific set of resources. This means that those resources are unprotected by RPKI and therefore, that these resources could be hijacked. It also means that the organisation allowed to announce those resources has not arranged for the ROAs to be published in order to protect them. Lastly, invalid means that the announcing autonomous system is not authorised to announce a specific prefix or set of prefixes. This could either be a misconfiguration or hijack. An operator would normally not trust or use routes where the ROA is assessed to be invalid. 

IPV4

Details
Description:

IPV6

Details
Description:

IPV4

Details
Description:

IPV6

Details
Description:

Search by geographic area in the ARIN Region

This report considers the 29 countries or geographic areas serviced by ARIN. Search for yours below to view and compare RPKI Validation results.

{countries | filter 'country' countrySelect | item 0| member 'name'}

IPv4

IPv6

For a full comparative view of global, ARIN and per country/geographic area RPKI validation results, click here.

RPKI Eligibility in the ARIN Region

To analyse the results presented in this report, readers must keep in mind that not all number resources (IPs or ASNs) in the ARIN region are eligible for ARIN’s Routing Security Services, including RPKI. As of 2023, 32% of ARIN’s number resources are ineligible for RPKI. Eligibility depends on whether Internet number resources are covered by a Registration Services Agreement (RSA) or Legacy Registration Agreement (LRSA). More information on these requirements is available here on the ARIN website. For example, RPKI coverage in the IPv4 space in the ARIN region may appear below the global average, but this has to do with RPKI service eligibility. Our study shows that, once legacy addressing resources are taken into account, RPKI adoption is in line with the rate of adoption in other RIRs.

Methodology

Data processing for this report has been conducted using the Data Analytics Platform (DAP.LIVE). The system provides open access to curated datasets related to the Internet’s unique identifier systems and building block technologies and offers user-friendly data analytics tools to facilitate its analysis. If you are interested in getting an account to query RPKI data, please email us to [email protected] (Subject Line: RPKI Data).

To develop the two indicators discussed above, the report looks at BGP announcements and classifies them according to their RPKI validity status. The analysis relies on the following data sources:

BGP announcements. The report uses RouteViews as a data source for BGP announcements. The analysis considers a total of 8 collectors from across the globe to ensure the report views the routing system from multiple vantage points. The analysis groups observed announcements by unique Prefix/Origin AS, which is the report’s basic unit of study. This is consistent with other initiatives such as MANRS ROA Stats Tool and the NIST and FORT monitors. 

Route Origin Validation (ROV) results. The DAP.LIVE runs Routinator, the RPKI validator developed by NLNet Labs, to determine global and RIR-level ROV results. Validation results can be either valid, invalid or not found. 

Geographical Data. To estimate the location of a given prefix, the report looks up the country for each prefix in the daily statistical data published by each RIR. This method has its limitations as it assumes network operators are hosting the ranges in the country in which they are located. Therefore, geographical data must be considered as an approximation. Particularly in small geographic areas, such as parts of the Caribbean, this may impact the accuracy of results.

Top