The RPKI project seeks to document the current state of RPKI adoption in the ARIN region, and provide a sense for the extent and impact of misconfigurations and hijacks. The report highlights both historical trends as well as geographic differences across countries within ARIN´s region of service.
This report is part of an initiative by the DNS Research Federation that seeks to promote routing security in the ARIN region by showcasing data on route hijacks and RPKI adoption, and encouraging greater academic and industry scrutiny over routing security practices.
Standards development bodies have long explored ways to render the routing system more secure. Resource Public Key Infrastructure (RPKI) has emerged as the preferred strategy for securing BGP routing, and the technology is actively being prompted by the Regional internet Registries, including ARIN.
RPKI works through a system of encrypted keys –public key infrastructure– to corroborate whether an Autonomous System is the legitimate holder of a specific range of IP addresses, and therefore, authorised to announce those prefixes. The regional internet registries –AFRINIC, APNIC, ARIN, LACNIC, and RIPE– act as certifying authorities in their respective regions, by issuing, upon request, certificates known as “Route Origination Authorizations” (ROAs) for IP address holders. ROAs serve to certify that a specific organisation or autonomous system is authorised to announce a specific set of IP addresses on the Internet. Network operators that want to ensure contents are routed to their correct destination rely on RPKI validators to identify invalid routes they should avoid. In other words, RPKI deployment depends on both organisations issuing ROAs for their assigned resources, and operators conducting validation when routing information.
Global uptake of RPKI
RPKI, however, has had a slow uptake across the world, including in North America and the Caribbean. According to RPKI data by the National Institute of Standards and Technology (NIST) for January 10, 2023, 70.61% of ARIN’s IPv4 Prefix-Origin Pairs and 49.45% of IPv6 Prefix-Origin Pairs were “not found” when conducting RPKI Route Origin Validation (ROV). This indicates that a significant percentage of operators in the ARIN region are not yet using RPKI to sign their resources.