Since the beginning of March, RPKI-based origin validation has been deployed at all DE-CIX route servers. By implementing this technical solution, we have increased Internet routing security, assisting our customers and making the Internet a safer place by reducing the danger of route hijacks. Together with our customers, DE-CIX discussed intensively how to implement RPKI-based origin validation in conjunction with Blackholing: the option finally selected and implemented was strict RPKI origin validation filtering for non-Blackholes and loose RPKI origin validation filtering on Blackholes.
Less than 1 percent of all routes are filtered out
After enabling RPKI-based origin validation, we closely monitored the route servers and looked at how many routes were accepted and how many were filtered out. The statistics differ slightly from exchange location to exchange location, but only by less than two percent. To give you an impression, let’s look at the numbers in Frankfurt as an example:
- 0.5 percent of all routes were filtered out due to the RPKI invalid status (2,985 routes in total, of which 2,431 were IPv4 routes and 554 were IPv6 routes)
- 17.5 percent of all routes were covered by a valid ROA dataset (91,461 routes in total, of which 80,954 were IPv4 routes and 10,507 were IPv6 routes)
- 82 percent of all routes were not covered by any ROA (430,798 routes in total, of which 389,770 were IPv4 routes and 41,028 were IPv6 routes). These routes were distributed by the DE-CIX route servers if they were successfully verified against IRR databases.
We did not see any considerable effect on the amount of traffic carried by our IXs at the different locations after enabling RPKI-based origin validation, so the assumption is that the rejected routes do not carry substantial traffic.
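The filtering policy described above, sketched as an added example (not DE-CIX's route-server configuration): RFC 6811 origin validation with a strict mode for normal routes and a loose mode for Blackholes. It assumes that "loose" means the ROA maxLength is not enforced for Blackholes, which this page does not spell out; the ROAs, AS numbers and the `irr_ok` flag are constructed for illustration, and other route-server filters are not modelled.

```python
import ipaddress

# Constructed sample ROAs (documentation prefixes, private-use ASNs):
# (covered prefix, maxLength, authorised origin AS)
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64502),
    ("2001:db8::/32", 48, 64501),
]

def rov_state(prefix, origin_as, roas=ROAS, enforce_max_length=True):
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Strict mode also requires the route to be no longer than maxLength.
        length_ok = route.prefixlen <= max_len or not enforce_max_length
        # AS 0 in a ROA never matches any origin.
        if roa_as != 0 and roa_as == origin_as and length_ok:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

def route_server_decision(prefix, origin_as, is_blackhole=False, irr_ok=False):
    """Strict ROV for normal routes, loose ROV (assumed: no maxLength) for Blackholes."""
    state = rov_state(prefix, origin_as, enforce_max_length=not is_blackhole)
    if state == "invalid":
        return "reject"
    if state == "valid":
        return "accept"
    # No covering ROA: fall back to the IRR check (irr_ok is a stand-in
    # for the result of that lookup, supplied by the caller).
    return "accept" if irr_ok else "reject"

if __name__ == "__main__":
    for args in [("192.0.2.0/24", 64500, False),   # matching ROA
                 ("192.0.2.1/32", 64500, False),   # too specific, strict
                 ("192.0.2.1/32", 64500, True),    # same route as Blackhole
                 ("192.0.2.1/32", 64999, True)]:   # Blackhole, wrong origin
        print(args, rov_state(args[0], args[1], enforce_max_length=not args[2]),
              route_server_decision(*args))
```

A /32 Blackhole from the authorised origin passes in loose mode, while the same /32 from any other AS is still rejected because a covering ROA exists and none matches.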
More information about RPKI-based origin validation and how it works at DE-CIX
More information about RPKI-based origin validation in general can be found here. We answer questions like what RPKI is, why it is useful, how RPKI validation works, and how you can create ROAs for your prefixes. We also have a short FAQ that answers questions like what happens if you don’t have any ROAs and how you can check if your routes are still accepted.
We are very happy to have taken this important step to increase Internet routing security and prevent route hijacking.
In the next DE-CIX newsletter, we will give you some more information about how and what the DE-CIX route servers filter. If you are not subscribed to the DE-CIX newsletter yet, just let us know and we'll add you to the list.