14 Jul

Tracking Indian RPKI data

So based on my friend – Abdul Awal’s tweet, I started looking at the latest RPKI ROA data for India. His tweet came when I was in the middle of moving my blog from WordPress running over LXC containers to WordPress over Docker with Bitnami’s image. A bit of optimisation is still pending.

Firstly I wanted to validate the claim. I have seen some data here and there but not comprehensive data to compare various countries across the region. So I thought to prepare it. As I started, I realised it makes more sense to write a tool and just automate it so that the tool can look up the data every day and keep a webpage updated.

How can one compare RPKI ROAs across the region?

I thought of a few possible ways and settled for using APNIC’s delegation file to find ASNs and then looked for the announcements from those ASNs for selected countries. My code checked the data for Afghanistan, Pakistan, India, Nepal, Bhutan, Bangladesh, Sri Lanka, Myanmar, Thailand, China, Taiwan, Cambodia, Vietnam, Malaysia and Singapore.

Next step was to find prefixes. For this, I relied on RIPE RIS RRC01. It has got 27 full table feeds at the time of writing this blog post from its members.

Then to run validation, I relied on the super fast RPKI API from my friend Louis. Results go into a database and next, Grafana graphs this data.
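The pipeline described above (delegation file to ASNs, collector announcements, origin validation, per-country tally), as an added Python sketch that is not the tool behind this post. It assumes the standard pipe-separated delegated-stats line format, does RFC 6811 origin validation locally instead of calling the RPKI API, and runs on constructed sample data using documentation ASNs and prefixes.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample data (documentation ASNs/prefixes), not real measurements.
DELEGATED = """\
apnic|IN|asn|64496|2|20100101|allocated
apnic|BT|asn|64500|1|20100101|allocated
apnic|IN|ipv4|192.0.2.0|256|20100101|allocated
"""
ROAS = [  # (prefix, maxLength, origin ASN)
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64500),
]
ANNOUNCEMENTS = [  # (prefix, origin ASN) as a route collector would see them
    ("192.0.2.0/24", 64496),     # matches a ROA
    ("192.0.2.0/25", 64496),     # covered, but longer than maxLength
    ("203.0.113.0/24", 64497),   # no covering ROA
    ("198.51.100.0/24", 64500),  # matches a ROA
]

def asn_to_country(delegated):
    """Map every ASN in the 'asn' records to its country code."""
    mapping = {}
    for line in delegated.splitlines():
        f = line.split("|")
        # Header and summary lines fail this check and are skipped.
        if len(f) >= 7 and f[2] == "asn" and f[3].isdigit():
            for asn in range(int(f[3]), int(f[3]) + int(f[4])):
                mapping[asn] = f[1]
    return mapping

def validate(prefix, origin, roas):
    """RFC 6811 state: valid, invalid, or not-found."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if roa_asn == origin and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"

def per_country(delegated, announcements, roas):
    """Tally validation states for announcements, keyed by origin country."""
    cc = asn_to_country(delegated)
    stats = defaultdict(Counter)
    for prefix, origin in announcements:
        if origin in cc:
            stats[cc[origin]][validate(prefix, origin, roas)] += 1
    return {country: dict(s) for country, s in stats.items()}
```

The share of valid prefixes per country is then the `valid` count divided by the sum of all three states for that country.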

And with only 12% valid signed prefixes (against total announcement) we are looking at pretty low levels of ROAs. 🙁
So Awal does indeed have a point. In comparison Bhutan is at 100% level, Nepal + Sri Lanka at a 90% level, Pakistan at 73% level, Myanmar at 79%. China seems to be doing equally bad at just 5% level. When I looked at data of unique ASNs visible in the routing table, it clearly seems like India, China and Japan are lagging.

Another noticeable thing here is that India has 1873 unique ASNs and Japan has 3135, in comparison to only 629 in China, but China has 427 million unique IPv4 addresses visible in routing. India has only 47 million addresses announced by 1800+ ASNs.

I have published this and some more dedicated data on this page here which will be auto-updated every 24 hrs (around 1 am IST). This also has a list of Indian invalids and I will try to use it to actively get some cleanup done for the invalids.

Next logical steps for now…

  1. Contact 60 odd origin ASNs which are announcing 300 or so invalids in India and try to get those cleaned up.
  2. There seems to be zero documentation about RPKI on the IRINN website. In fact, there’s not even a mention of RPKI on the IRINN website, which is bad. I will try to reach out to friends at IRINN and will request them to put up documentation about RPKI.
  3. Reach out to telcos who hold a large set of IP blocks and try to convince them to create ROAs as the first logical step.

Limitation of this data

  1. I am looking at prefixes originated by Indian ASNs. Some of these prefixes might be originated outside of India. So a very small % of these numbers might be Indian prefixes which are used in the US or Europe by an Indian ASN (e.g. a web hosting company).
  2. We miss a small % of prefixes in this data which are originated by non-Indian ASNs like Google, Cloudflare, Microsoft etc. in India.
  3. I see what the collector gets. Thus, hypothetically speaking, if Tata, Airtel, Jio, Sify, BSNL and Vodafone/IDEA all start dropping invalids, I will not see any of these invalids while they may still exist. Though that’s the unlikely case because people will notice a drop in connectivity for all endpoints outside of India and that would anyway result in getting those fixed.

Finishing this at 5:24am. Time to get some sleep!

24 Feb

APNIC Hackathon at APRICOT 2018

APNIC and RIPE NCC are doing a hackathon at APRICOT 2018. It just started today with some light interaction with various participating members yesterday.
The theme of the hackathon is around IPv6. Many cool projects were suggested yesterday and teams started working today on certain shortlisted projects like:

  1. A tool for ranking CDNs – A tool based on RIPE Atlas data to rank CDNs based on latency across different regions.
  2. An IPv6 fun word game – Where anyone with a member account can suggest a word, and compete with other members who share more IPv6 addresses. It may include things like showcasing creative use of hexadecimal strings in an IPv6 address like Facebook popularly does face:b00c in their IPv6 pools.
  3. IPv4 and IPv6 network security – Study of attacks and overall security in IPv6. It would involve study and possibly a report on various attack vectors in the IPv6 domain.
  4. A countrywide report on IPv6 deployment – I have yet to see how it is different from existing other reports.
  5. IPv6 tunnel detection – Figuring out where tunnels are used and figuring out the IPv4 address of those endpoints via a JavaScript plugin and possibly comparing IPv4 vs IPv6 performance.

Let’s see how things go in the next 12 hrs. Super fun. Things should show up on GitHub in the next few hours. 🙂

Disclaimer and misc points:

  1. It’s a hackathon and the final thing may vary greatly from the original idea. Let’s see how things evolve.
  2. The final tool which uses such an idea/code may be awesome but for the next 12 hrs it will be more around proof of concept and small demo instead of a full-fledged tool in certain cases.
  3. I am part of the jury for the hackathon.


29 Mar

Host a RIPE Atlas probe!

RIPE NCC has been running an excellent project called RIPE Atlas for a few years. This is one of the largest distributed network measurement projects, where thousands of users host small devices called RIPE Atlas Probes on their networks, home connections, datacenters etc. These probes do measurements under both public and private categories and make that data publicly available for use by network engineers, which helps in optimizing routing.
This page shows detailed coverage statistics of the probes.
Here’s what a probe looks like

If you are in India and would like to host a probe, simply fill out this form and I will ship out the device. 🙂