14 Jul

Tracking Indian RPKI data

So based on my friend – Abdul Awal’s tweet, I started looking at the latest RPKI ROA data for India. His Tweet came when I was in the middle of moving my blog from WordPress running over LXC containers to now WordPress over docker with bitnami’s image. Bit of optimisation is still pending.

Firstly I wanted to validate the claim. I have seen some data here and there but not comprehensive data to compare various countries across the region. So I thought to prepare it. As I started, I realised it makes more sense to write a tool and just automate it so that tool can lookup for data every day and keeps a webpage updated.

How can one compare RPKI ROAs across the region?

I thought of a few possible ways and settled for using APNIC’s delegation file to find ASNs and then looked for the announcement from those ASNs for selective countries. My code checked the data for Afghanistan, Pakistan, India, Nepal, Bhutan, Bangladesh, Sri Lanka, Myanmar, Thailand, China, Taiwan, Cambodia, Vietnam, Malaysia and Singapore.

Next step was to find prefixes. For this, I relied on RIPE RIS RRC01. It has got 27 full table feeds at the time of writing this blog post from its members.

Then to run validation, I relied on super fast RPKI API from my friend Louis. Results go into a database and next, Grafana to graphs this data.

And with only 12% valid signed prefixes (against total announcement) we are looking at pretty low levels of ROAs. 🙁
So Awal does indeed has a point. In comparison Bhutan is at 100% level, Nepal + Sri Lanka at a 90% level, Pakistan at 73% level, Myanmar at 79%. China seems to be doing equally bad at just 5% level. When I looked at data of unique ASNs visible in the routing table, it clearly seems like India, China and Japan are lagging.

Another noticeable thing here is that while India has 1873 unique ASNs and Japan has 3135 in comparison to only 629 in China but China has 427 million unique IPv4 addresses as visible in routing. India has only 47 million addresses announced by 1800+ ASNs.

I have published this and some more dedicated data on this page here which will be auto-updated every 24hrs (around 1 am IST). This also has a list of Indian invalids and I will try to use it to get active some cleanup done for the invalids.

Next logical steps for now…

  1. Contact 60 odd origin ASNs which are announcing 300 or so invalids in India and try to get those cleaned up.
  2. There seems to be zero documentation about RPKI on IRINN website. In fact, there’s not even a mention of RPKI on the IRINN website which is bad. I will try to reach out to friends at IRINN and will request them to put documentation about RPKI.
  3. Reaching out to telcos who hold a large set of IP blocks and will try to convince them for creating ROAs as the first logical step.

Limitation of this data

  1. I am looking at prefixes originated by Indian ASNs. Some of these prefixes might be originated outside of India. So a very small % of these numbers might be Indian prefixes which are used in the US or Europe by an Indian ASN (e.g a web hosting company).
  2. We miss a small % of prefixes in this data which are originated by non-Indian ASNs like Google, Cloudflare, Microsoft etc in India.
  3. I see what the collector gets. Thus hypothetically speaking if Tata, Airtel, Jio, Sify, BSNL and Vodafone/IDEA all start dropping invalids, I will not see any of these invalids while they may still exist. Though that’s the unlikely case because people will notice a drop in connectivity for all endpoints outside of India and that would anyway result in getting those fixed.

Finishing this at 5:24am. Time to get some sleep!