A first look at common RPKI publication practices
Moritz Müller-Brus, Lisa Bruder, Caspar Schutijser, Ralph Koning
TL;DR
The paper surveys current RPKI publication practices across public repositories to establish a baseline for BCP uptake and resilience. Using rpki-client-based measurements aligned with the SIDrops publication-server draft, it analyzes hostnames, ROA coverage, network placement, CDN use, delta management, and manifest/CRL timings. Key findings show broad adoption of core practices like same-origin URIs and delta updates, but wide variance in host naming, network separation, and CDN deployment, with AWS-hosted repositories driving notable deviations. The study provides actionable baselines and highlights areas where practice diverges, informing future measurements and guiding improvements once the RFC is finalized.
Abstract
The RPKI is crucial for securing the routing system of the Internet. With the RPKI, owners of Internet resources can make cryptographically backed claims, for example about the legitimate origin of their IP space. Thousands of networks use this information to detect malicious or accidental route hijacks. The RPKI consists of 100 distributed repositories. However, public reports claim that some of these repositories are unreliable. A current Internet-Draft suggests best practices for operating these repositories, with the goal of improving deployment quality. Inspired by this draft, we take a first look at the operational practices of RPKI repositories, focusing mainly on how RPKI information is distributed. We find a wide variety of deployment practices, some of which might put the availability of parts of the information in the RPKI at risk. This study creates a baseline for measuring the maturity of RPKI repositories in the future.
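Two of the practices the summary above mentions, same-origin URIs and delta management, can be checked directly from a repository's RRDP notification file (RFC 8182). The following is an added illustration, not code from the paper or its measurement pipeline: it parses a constructed notification file and reports (1) snapshot or delta URIs whose scheme and host differ from the notification's own origin, and (2) gaps in the advertised delta serials, which force relying parties behind the gap back to a full snapshot download. The sample notification, its hostnames, session id and hashes are all invented for the example; the choice of which conditions count as findings is an assumption of this example, not a quotation of the Internet-Draft.

```python
"""Audit an RRDP notification file for same-origin URIs and delta coverage.

Added example, not from the paper. The notification layout follows RFC 8182:
  <notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
                session_id="..." serial="N">
    <snapshot uri="..." hash="..."/>
    <delta serial="..." uri="..." hash="..."/>   (zero or more)
  </notification>
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"

# Constructed sample (not captured from any real repository). One delta is
# served from a CDN-style hostname and serial 1203 is missing on purpose.
SAMPLE_NOTIFICATION_URI = "https://rrdp.example.net/notification.xml"
SAMPLE_NOTIFICATION = """<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
              session_id="9df4b597-af9e-4dca-bdda-719cce2c4e28" serial="1204">
  <snapshot uri="https://rrdp.example.net/9df4b597/1204/snapshot.xml" hash="ab12"/>
  <delta serial="1201" uri="https://rrdp.example.net/9df4b597/1201/delta.xml" hash="cd34"/>
  <delta serial="1202" uri="https://edge.example-cloud.net/9df4b597/1202/delta.xml" hash="ef56"/>
  <delta serial="1204" uri="https://rrdp.example.net/9df4b597/1204/delta.xml" hash="0a1b"/>
</notification>
"""


def origin(uri: str) -> str:
    """scheme://host[:port], lower-cased; default ports are not normalised."""
    parts = urlsplit(uri)
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_notification(xml_text: str) -> dict:
    """Extract serial, session id, snapshot URI and (serial, uri) delta pairs."""
    root = ET.fromstring(xml_text)
    if root.tag != RRDP_NS + "notification":
        raise ValueError(f"unexpected root element {root.tag}")
    snapshot = root.find(RRDP_NS + "snapshot")
    if snapshot is None:
        raise ValueError("notification file without a snapshot element")
    deltas = sorted(
        (int(d.get("serial")), d.get("uri")) for d in root.findall(RRDP_NS + "delta")
    )
    return {
        "session_id": root.get("session_id"),
        "serial": int(root.get("serial")),
        "snapshot_uri": snapshot.get("uri"),
        "deltas": deltas,
    }


def check_same_origin(notification_uri: str, info: dict) -> list:
    """Flag snapshot/delta URIs not served from the notification's origin."""
    expected = origin(notification_uri)
    referenced = [("snapshot", info["snapshot_uri"])]
    referenced += [("delta", uri) for _, uri in info["deltas"]]
    return [
        f"{kind} {uri} served from {origin(uri)}, notification served from {expected}"
        for kind, uri in referenced
        if origin(uri) != expected
    ]


def check_delta_coverage(info: dict) -> list:
    """Flag missing, duplicated or stale delta serials (RFC 8182 section 3.4.3:
    an RP can only apply deltas when every serial from its own up to the
    notification serial is present; otherwise it refetches the snapshot)."""
    findings = []
    serials = [s for s, _ in info["deltas"]]
    if not serials:
        return ["no deltas advertised: every update forces a full snapshot download"]
    if len(set(serials)) != len(serials):
        findings.append("duplicate delta serials advertised")
    if serials[-1] != info["serial"]:
        findings.append(
            f"latest delta serial is {serials[-1]} but notification serial is {info['serial']}"
        )
    missing = sorted(set(range(serials[0], serials[-1] + 1)) - set(serials))
    if missing:
        findings.append(
            f"delta serial gap: {missing} missing, RPs behind the gap must refetch the snapshot"
        )
    return findings


def audit(notification_uri: str, xml_text: str) -> dict:
    """Run both checks and return findings keyed by check name."""
    info = parse_notification(xml_text)
    return {
        "same_origin": check_same_origin(notification_uri, info),
        "delta_coverage": check_delta_coverage(info),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_NOTIFICATION_URI, SAMPLE_NOTIFICATION).items():
        print(check, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

Run against the constructed sample, the audit reports one same-origin finding (the delta on edge.example-cloud.net) and one coverage finding (serial 1203 missing). To use it on a live repository, fetch the notification file over HTTPS and pass its URL and body to `audit`; the hash attributes are deliberately ignored here, since verifying them requires downloading the referenced snapshot and delta files.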
