Alex Band

Resource Certification Statistics

Alex Band
Contributors: Emile Aben, Tim Bruijnzeels
0 You have liked this article 0 times.

Since we started providing the certification service on 1 January 2011, many LIRs made use of the service. In this article you can see some graphs showing the number of certificates in place today, as well as certified address space.

To provide our community with up-to-date information on resource certification , the RIPE NCC has started publishing statistics on the adoption and usage. Both, raw data and graphs are published and updated daily. In the graphs one can hover over the lines to see exact values for the certification systems at the RIRs. The methodology is described in footnote [1].

Number of Certificates on 11 April 2011

Figure 1: Number of certificates generated under the five RIR's trust anchors

Figure 1 above is a snapshot from the graph showing the number of certificates on 11 April 2011. If you click on the image it will take you to the up-to-date version at . The number of certificates for the RIPE NCC trust anchor on 11 April is 409. This is the number of LIRs who have generated a certificate for their Internet number resources in the Certification Portal . The vast majority has also created Route Origin Authorisation (ROA) objects using their certificate, indicating which Autonomous Systems are authorised to announce their IP address blocks.

IPv4 Address Space with ROA on 11 April 2011

Figure 2: Total amount of IPv4 address space covered by ROAs

Figure 2 is a snapshot showing the total amount of IPv4 address space covered by ROAs on 11 April 2011. In just three months, LIRs have created ROAs for over 54,000 IPv4 /24 equivalents (0.6% of IPv4 address space publicly announced as seen by the RIPE NCC Routing Information Service RIS ) and 13 million IPv6 /48 prefix equivalents.

In the RIPE NCC service region, the certification service has grown at a very healthy pace since it went live on 1 January 2011, with almost five new LIRs joining the service every single day. In the past few weeks we have reached a point where growth is leveling off a bit. We expect to see another spike in adoption in May when we launch the second deployment phase. At that time, our members have the ability to run their own certification system that securely interfaces with the RIPE NCC, through what is known as the up/down protocol. This will also be the point at which ARIN will launch their resource certification system, making it truly a global effort in making Internet routing more robust and secure.

We expect to see further expansion of the service as it becomes more mature. On the roadmap, we have planned a notification system that alerts the users when a ROA does not match real world routing, to prevent stale data in the repository and notify of accidental misconfiguration or possible hijacking. Also, we will build a comprehensive validation toolset that allows scripting and interaction with certification enabled routers through the RPKI-Router protocol . We are actively working with hardware vendors to deliver this functionality to the Internet community by the end of this year. By that time, we also plan to have the ability to certify other types of address space, such as Provider Independent and Legacy space. 

Resource certification is based on open IETF standards and aimed at making Internet routing more secure. It has broad support from the Internet community, the RIRs, ISPs, as well as hardware and software vendors. The adoption and usage of the hosted service thus far is very encouraging. We appreciate all feedback you may have, so we can work on making the system as useful as possible for you.


[1] Methodology

The RIPE NCC is validating the RIR Trust Anchors daily using the certification validator tool that was developed in house. The number of certificates refers to the number of validated Certificate Authority certificates under these Trust Anchors. This number includes the certificate used by the RIR. At this time none of the RIRs are supporting a recursive deployment where members can certify their own clients. So, in short: 200 certificates means 200 members are using the service. The IPv4 address space in ROAs is intended to give a quick feel for how much IPv4 space is actually covered by ROAs. It is calculated by summing up all the prefixes mentioned on validated ROAs found under a Trust Anchor, ignoring overlaps, and dividing this number by 256 to arrive at the number of /24s that are equivalent to this amount of space. Note that this does not mean that this number of distinct /24s are found on ROAs.


0 You have liked this article 0 times.

You may also like

View more

About the author

Alex Band Based in Amsterdam

Director of Product Development at NLnet Labs

Comments 1