You are here: Home > Participate > Join a Discussion > RIPE Mailing Lists > The routing-wg Archives

[routing-wg] state of RPKI-invalid objects in IRR databases (2022.05.16)

Previous message (by thread): [routing-wg] RIPE-84 talk about RIPE RPKI core
Next message (by thread): [routing-wg] New on RIPE Labs: An Introduction to IRR Explorer

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Job Snijders job at fastly.com
Mon May 16 16:31:19 CEST 2022

Dear all,

On the #DENOG IRC channel I was asked for current stats on the number of
RPKI-invalid IRR route/route6 objects in various databases as follow-up
to a talk at RIPE81 [0]. I figured I should share this with the WG too.

Below is a table with today's stats of number of invalid route/route6
objects when one applies the RFC 6811 origin validation algorithm with
as input prefix value in the "route:" attribute and the origin AS in the
"origin:" attribute.

                        invalids          invalids
    AFRINIC:       ipv4:     359  -  ipv6:     12  - authoritive
    ALTDB:         ipv4:       1  -  ipv6:    191  - note 4
    APNIC:         ipv4:   21861  -  ipv6:   1880  - authoritive
    ARIN:          ipv4:     814  -  ipv6:     65  - authoritive
    BBOI:          ipv4:      44  -  ipv6:      1
    BELL:          ipv4:     322  -  ipv6:      0
    JPIRR:         ipv4:      95  -  ipv6:      4
    LACNIC:        ipv4:       0  -  ipv6:      0  - authoritive (note 3)
    LEVEL3:        ipv4:   12925  -  ipv6:    182
    NTTCOM:        ipv4:   65513  -  ipv6:    730
    RADB:          ipv4:  208901  -  ipv6:  12829
    RGNET:         ipv4:       2  -  ipv6:      0
    RIPE:          ipv4:   28390  -  ipv6:   3518  - authoritive
    RIPE-NONAUTH:  ipv4:       5  -  ipv6:      0  - note 5
    TC:            ipv4:       0  -  ipv6:      0  - note 2

Some notes on the above table:

1) ARIN-NONAUTH is not listed, ARIN deprecated this IRR source a month
   ago [2].
2) TC achieved a perfect 0/0 score by using the IRRd v4 RPKI integration
   [3].
3) LACNIC's IRR service is an information proxy for RPKI ROAs valid
   under the LACNIC Trust Anchor. This by definition means that all IRR
   objects in the LACNIC IRR database are RPKI-valid.
4) ALTDB periodically runs a script to delete RPKI-invalid objects
5) RIPE-NONAUTH imposes a two week delay before deleting RPKI-invalid
   objects, so the 5 IPv4 objects currently marked as invalid with
   disappear in the next few days, unless the covering RPKI ROAs are
   withdrawn before the timer expires.

The stats are generated by downloading the IRR database dump for each
source and running a simple python script [1].

Kind regards,

Job

[0]: https://ripe81.ripe.net/presentations/59-IRRd-RIPE812.pdf
[1]: https://github.com/job/irr-nonauth-cleanup
[2]: https://www.arin.net/announcements/20220128-irr/
[3]: https://irrd.readthedocs.io/en/stable/admins/rpki/

Previous message (by thread): [routing-wg] RIPE-84 talk about RIPE RPKI core
Next message (by thread): [routing-wg] New on RIPE Labs: An Introduction to IRR Explorer

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ routing-wg Archives ]