The state of RPKI at Internet Exchange Points

RPKI (Resource Public Key Infrastructure) is the primary response to the issue of BGP hijacks on the internet. It works by cryptographically verifying that a network is authorized to announce a given route. Internet Exchange Points (IXPs) are typically assigned globally unique prefixes in order to keep members in the same layer 2 domain. Sometimes misconfigured routers leak these prefixes to their peers. When that happens, the prefix (and therefore IXP) becomes exposed to spurious traffic from the internet which leads to issues for the IXP and therefore the internet overall.

One solution to the issue of IXP route leaks is RPKI. RFC 7607 and RFC 6483 define the use of RPKI ROAs with origin AS0 to mark a prefix and all its more specific prefixes as not to be used in a routing context. The most important part of the ROA is that it exists at all and that the origin ASN will never be announcing the route. The current best practice is to use AS0 because there shouldn't ever be a router operating under AS0 on the internet. Some IXPs use their route server ASN for this purpose, but most IXP route servers shouldn't be making global announcements either. Best to follow the RFCs and use origin AS0.

Using PeeringDB data and OctoRPKI, I evaluated each listed IXP prefix's RPKI status and came up with following data. Out of the 1554 IXP prefixes that are reportedly not in the DFZ;

  • 377 have current covering ROAs
  • 1 is fully RFC 7607 compliant (maxLen 32/128 and origin AS0)
  • 101 have ROAs with origin AS0
  • 276 have ROAs with a different authorized origin ASN
  • 1177 have no covering ROA (NotFound)
  • 202 are IPv4 prefixes with valid ROAs
  • 175 are IPv6 prefixes with valid ROAs
  • 152 are in the RIPE TA
  • 90 are in the APNIC TA
  • 75 are in the LACNIC TA
  • 40 are in the ARIN TA
  • 20 are in the AFRNIC TA

If a prefix had multiple ROAs, I chose the "ROA of highest significance", being the ROA that would actually impact the announcement of a route. This loose calculation was based on maxLength and the less specific prefix. If there are multiple ROAs that effect the route announcement, they are included in the data above.

Just like RPKI for prefixes in the global table, current adoption is underwhelming. Only 24.26% of IXP prefixes are covered by a ROA that prevents leakage.

I would strongly suggest that IXP operators create AS0 ROAs for their prefixes in accordance with RFC 7607.

AS 0 in a Route Origin Attestation (ROA) is used to mark a prefix and all its more specific prefixes as not to be used in a routing context.  This allows a resource holder to signal that a prefix (and the more specifics) should not be routed by publishing a ROA listing AS 0 as the only origin.  To respond to this signal requires that BGP implementations not accept or propagate routes containing AS 0. - RFC 7607
By convention, an AS 0 ROA should have a maxLength value of 32 for IPv4 addresses and a maxlength value of 128 for IPv6 addresses; although, in terms of route validation, the same outcome would be achieved with any valid maxLength value, or even if the maxLength element were to be omitted from the ROA. - RFC 6483

As always, network operators should use RPKI ROV (Route Origin Validation) in their network to prevent propagation of these invalid routes. Stay safe, sign your prefixes, and reject RPKI invalids!

Show Comments