Orbit

Hello everyone,

Last week while I looking around I saw RPKI-Monitor by NIST (a body of the US Govt) - https://rpki-monitor.antd.nist.gov

One of many graphs on their monitor shows the top 25 ASNs based on prefixes with RPKI valid. It's great that 4 Indian telcos/ISPs made it to that list - Tata Comm AS4755, Airtel Mobility AS45609, Sify AS9583 and BSNL AS9829.

[image: Screenshot 2021-03-01 at 2.12.57 AM.png]

This is really good and thanks to all the operators who have created RPKI ROAs.

*Where do we stand now? (latest data here -> *https://rpki.anuragbhatia.com ) As of now 43% of the Indian table is signed and in absolute numbers that is 19,353 prefixes. Unfortunately, we still lag behind our neighbours like Nepal (87%), Pakistan (88%), Sri Lanka (91%), Bangladesh (88%) etc. In percentage are still far off behind and the process of creating ROAs, promoting ROAs has to be continued.

Apart from signing our prefixes, we still lack in validating those signatures. The only known large Indian network that is dropping RPKI invalids to some extent is ACT. Our telcos are testing & very well aware of it and I hope there comes a point when they start dropping invalids. Considering fact that a very limited set of ASNs connect Indian networks to the outside world like AS4755, AS55836, AS9498, AS9829, AS55644/AS55410, AS9593 etc. As soon as some of them start rejecting RPKI invalids it will bring a major change. Invalids will just lose connectivity to a large part of the internet.

One interesting factor which might impact validation in the Indian context is AS6453 - that's Tata Comm's global ASN and a transit free network by design. As far as I can see invalids in their table have dropped significantly from 1200+ in Oct 2020 to around 400 now in Feb 2021. Technically Tata Comm AS4755 has only one upstream which is AS6453:

[image: Screenshot 2021-03-01 at 2.27.13 AM.png] https://bgp.he.net/AS4755#_graph4

Thus if AS6453 keeps doing what they are doing at some stage they will drop all invalids and in that case, none of the AS4755 downstream invalids will reach the default-free zone & vice-versa and that would bring some sort of protection to a significant number of Indian networks. While of course AS4755 might keep announcing/picking invalids to other networks locally and I hope they deploy RPKI validation across their Indian network as well.

With that being said - I will be talking about RPKI ROA updates https://2021.apricot.net/program/schedule-conference/#/day/10/securing-routing so far on Wednesday 3rd March at APRICOT 2021. Will be summarising work done by our Indian community so far as well as a bit on the tooling part on tracking the progress etc.

Thanks.