Anastasiya Pak

Securing Internet Infrastructure in Central Asia

Anastasiya Pak
Contributors: Qasim Lone, Alex Semenyaka, Vahan Hovsepyan

16 min read

0

The third Central Asia Peering and Interconnection Forum (CAPIF 3) takes place next week in Bishkek, Kyrgyzstan. Experts from Central Asia and neighbouring regions will come together to strengthen regional Internet connectivity and promote digital growth. Ahead of the event, we examine the adoption of Internet technologies in the region.


Cкачайте перевод статьи на русский язык.

دانلود مقاله به زبان فارسی

Central Asia is a landlocked region of almost 80 million people whose countries share a long history of interconnection. In recent years, the region has seen sizeable socio-economic growth, expected to increase by a further 5% in 2024 according to EBRD. Over the same period, rapid digitalisation has brought the number of Internet users across the region to over 65 million (as of 2023). However, Internet connectivity and affordability still present challenges in some areas.

Looking at market development in each of the Central Asian countries, we see an overall trend towards higher market concentration. While this can potentially limit competition, it also presents a unique opportunity for technological advancement. On average, the top four Autonomous Systems (ASes) within each country in the region serve approximately 80% of the customer population, which means that the actions of a relatively small number of key players can drive major changes in technology adoption across the region.

Customer population in Central Asia (APNIC)

To better understand the technological landscape of the region's Internet infrastructure, our goal in this article is to examine key areas of technology adoption that have a significant bearing on the security, scalability, and future-readiness of the network - namely, Resource Public Key Infrastructure (RPKI) and Internet Protocol version 6 (IPv6).

By analysing the implementation of these critical technologies in Central Asia, we hope to highlight opportunities for strengthening the region's Internet infrastructure and supporting its continued digital growth.

Interconnection environment

Intra-regional cooperation has become stronger in Central Asia through such factors as trade, investment, and growth in tourism. From a technical perspective, it is also interesting to look at regional interconnection in terms of routing.

To do this, we turned to RIPE Atlas, taking all RIPE Atlas probes across Central Asia as both source and destination. Some additional hosts were used in Turkmenistan as there are no connected probes there. The same research was conducted two years ago, and presented at CAPIF 1, so this time we were able to see if any changes happened since then.

The map below illustrates data flows between Kazakhstan and Kyrgyzstan and also between Kazakhstan and Tajikistan, showing how Internet traffic between these countries takes multiple out-of-country detours. While the most direct route between Internet users in a country is always preferable, traffic often takes less efficient paths due to a lack of direct peering between the countries.

Please note that this data is based on the probe coverage. We still need more probes in the region! We strongly encourage people across Central Asia to contact the RIPE Atlas team if you’d like to host a physical or software probe.

Looking closer at developments since 2024, significant improvements can be observed between Uzbekistan and Turkmenistan, while the main routes between Kazakhstan and Kyrgyzstan could be still improved (see the graphs below).

Internet paths between Kazakhstan and Kyrgyzstan in 2022 and 2024
Internet paths between Uzbekistan and Turkmenistan in 2022 and 2024

Overall, visible progress has been made in localising the region's traffic and the diversification of routes between countries. There is room for improvement, however, as suboptimal traffic transit routes are still present in the region. Implementing more efficient peering policies and agreements could be an important step towards a better interconnection environment in the region.

CAPIF 3 provides the opportunity to strengthen and build new peering relationships with the attendees during the event. There is a dedicated one-hour long slot during CAPIF 3 for peering bilateral meetings. Check out this page to schedule your meetings at the event.

Securing Internet routing in Central Asia

Routing security is a foundational aspect of network security that ensures the integrity and resilience of global Internet traffic. As networks grow increasingly complex, the risk of route hijacking, prefix leaks, and BGP misconfigurations becomes more pronounced. These incidents can lead to significant outages, data interception, and even large-scale service disruptions.

To address these challenges, RPKI emerged as a critical security framework that helps network operators make more informed and secure routing decisions by providing a way to cryptographically verify the legitimacy of routing announcements. By deploying RPKI, network administrators can prevent malicious or accidental routing misconfigurations, enhancing both security and operational stability across the Internet's infrastructure.

Two key components of RPKI are:

  • Route Origin Authorisation (ROA) - a digitally signed object that specifies which Autonomous Systems (ASes) are authorised to announce specific IP address prefixes. ROAs serve as a trust anchor, allowing network operators to validate the origin of routing information.
  • Route Origin Validation (ROV) - the process of using ROAs to verify the validity of routing announcements. It classifies BGP routes into three states: Valid, Invalid, or Not Found, based on the existence and content of relevant ROAs.

The pre-RPKI era: A history of vulnerabilities

Before the implementation of RPKI, the Internet routing system was particularly vulnerable to both accidental misconfigurations and malicious attacks. A notable incident occurred in 2008 when Pakistan Telecom (PTCL) accidentally hijacked YouTube's IP addresses, causing a nearly two-hour global outage of the video-sharing platform. This event highlighted the fragility of the global routing system and the need for more robust security measures. In the years that followed, numerous other incidents involving major telecoms and tech giants further underscored the urgency of addressing BGP vulnerabilities.

Recent incidents and the impact of RPKI

Even in the RPKI era, routing incidents continue to occur, but their impact can be significantly mitigated. In the Cloudflare 1.1.1.1 incident on 27 June, 2024, a routing misconfiguration caused by an erroneous route advertisement led to service disruption. Route Origin Validation (ROV) could have prevented the propagation of this incorrect route, thereby mitigating the impact of this incident.

Another real-world scenario where ROV actually "saved the show" was when the government of Iraq attempted to block Telegram in July 2023. A misconfigured BGP route advertisement resulted in the blackholing of large portions of global Internet traffic. Networks with ROV in place rejected these incorrect routes, preserving service availability for their users. Telegram had created ROAs for its routes allowing ASes outside of Iraq to automatically reject the hijacks.

These examples highlight the importance of adopting RPKI in safeguarding against both accidental and intentional routing errors, ensuring uninterrupted Internet access.

BGP incidents in Central Asia

Border Gateway Protocol (BGP) incidents, specifically origin hijacks, have been observed across Central Asia and neighbouring regions. These incidents can result from either misconfigurations or malicious activities, potentially leading to the rerouting of Internet traffic.

An analysis of Cloudflare data on BGP incidents reveals intriguing patterns across this area. The data presented combines information on hijacked prefixes, number of attackers, and total incident count.

BGP incidents in Central Asia and neighbouring regions (1 Aug 2023 - 1 Aug 2024)

The map shows high figures for countries like China, while Central Asian countries show relatively lower numbers. The occurrence of BGP incidents, even if fewer in number, demonstrates the real possibility of events that can lead to significant disruptions in the region's Internet infrastructure. It's important to understand that even a single instance of prefix hijacking, whether due to misconfiguration or malicious intent, can cause widespread disruption or connectivity loss.

The global and interconnected nature of Internet routing emphasises the importance of strengthening BGP security. Proactive measures are essential not only to safeguard against local misconfigurations but also to mitigate the potential impact of incidents originating from neighbouring regions with higher reported incidents. To understand the routing security of the region, we will first analyse the ROA coverage followed by ROV adoption in Central Asia.

ROA coverage in Central Asia

The adoption of ROAs has been gaining significant momentum worldwide. Recently, the global Internet community reached a crucial milestone: according to the NIST RPKI Monitor, more than 50% of the global IPv4 address space is now covered by ROAs. This marks a turning point in global routing security efforts, reflecting a growing awareness among network operators of the importance of RPKI in preventing BGP hijacks and misconfigurations.

In the context of Central Asia, ROA coverage presents a varied landscape. The adoption rates across countries in the region range from as low as 10% to nearly 100% for both IPv4 and IPv6 address spaces. This wide variation suggests that while some networks in Central Asia are at the forefront of adopting these security measures, others are still in the early stages of implementation.

ROA coverage in Central Asia and other countries

Much of the coverage we see in Kyrgyzstan and Turkmenistan has been achieved in the past two years. In Kyrgyzstan, Mega-line covered their IPv4 allocations with ROAs in March and December 2022, and Kyrgyztelecom covered all their allocations with ROAs in May that same year. Turkmentelecom covered all their remaining space with ROAs in May 2023, which resulted in almost 100% of the v4 space being covered by ROAs (see graph).

IPv4 ROA coverage in Kyrgyzstan and Turkmenistan

Uzbekistan had a higher level of fluctuation in coverage, which spiked in April 2019, when Sarkor Telecom covered their space with ROA, and recently in May 2024 by Turon Media. In Tajikistan there was a 10% increase in ROA coverage recently when Zet Mobile (formerly known as Tacom) covered their /18 space with ROAs.

IPv4 ROA coverage in Uzbekistan and Tajikistan

ROV in the interconnectivity ‘map’

As the ‘second step’ in ensuring routing security through RPKI, ROV verifies that route announcements adhere to the authorisations specified by ROAs.

We analysed the deployment of ROV in the region using RoVISTA, which calculates scores based on the number of RPKI-invalid prefixes an AS can reach. We assessed ROV impact from the perspective of network centrality, utilising AS Hegemony methodology to measure the centrality of autonomous systems within a country. We visualised the results as follows, with the size of each AS effectively indicating how central a role it plays in Internet routing.

The visualisations reinforce the point that a relatively small group of ASes in the region play a particularly important role in the routing landscape. ROV deployment is especially important for such networks. Not only does it help protect their customers, but when these large ASNs implement ROV, they inherently safeguard smaller, directly connected networks against routing threats like BGP hijacking. This collateral benefit signifies the importance of ROV adoption by major network operators to enhance the overall security ecosystem of interconnected networks.

As we see, however, most of the central networks across Central Asia are not yet implementing ROV, even in places where ROA coverage is solid. This may be due to a knowledge gap around ROV deployment, a common issue flagged by respondents to the latest RIPE NCC survey from across the RIPE NCC service region.

The good news is that action on the part of a few highly centralised networks could have a major impact on BGP security across the whole region. In Kyrgyzstan, for instance, implementation of ROV by a few ASes - e.g. ElCat (AS8449), IPNET (AS61010) and AKNET (AS 12764) - would go a long way toward enhancing network security in the country.

Government-led initiatives for RPKI adoption

The adoption of RPKI, including the implementation of ROA and ROV, is increasingly recognised as crucial not only by network engineers but also at the government level. Just this month, the White House released a roadmap advocating for RPKI as a mature solution to address BGP vulnerabilities. This comprehensive plan outlines actions for all network providers, including those managing enterprise networks or holding IP address resources. The U.S. government's commitment is evident in its goal to secure over 60% of its advertised IP space under Registration Service Agreements (RSA) by the end of the year, paving the way for widespread ROA implementation across federal network hub.

Furthermore, regulatory bodies like the U.S. Federal Communications Commission are taking proactive steps, proposing that providers prepare and annually update BGP security risk management plans. These plans are expected to include strategies for ROA registration and ROV deployment, underscoring the growing recognition of RPKI's crucial role in securing Internet infrastructure at a national level.

For Central Asian countries, these developments highlight the potential for policymakers to play a pivotal role in enhancing routing security. By implementing similar initiatives, governments in the region can take several important steps. They can establish clear guidelines and timelines for RPKI adoption among Internet service providers and other network operators.

IPv6 uptake in the region

With the rapid economic development of the Central Asian region, investing in future-proof solutions seems a viable strategy. To be ready for growth, apart from security strategies, investing in capacity expansion strategies to accommodate more users is crucial. This is where IPv6 comes into play. As the long-term sustainability of IPv4-only networks remains a concern for the industry, the transition to IPv6 is the real viable solution that allows the Internet to continue growing over the long term.

We looked into the capability and adoption of IPv6 in the region. On average, the percentage of IPv6-capable ASNs (defined here as the percentage of ASNs routing at least one IPv6 prefix) remains low in Central Asia (at around 18%). For comparison, the EU average is around 39%, highlighting the significant gap in IPv6 readiness. The IPv6 capability slightly increased in Kazakhstan, Tajikistan, and Uzbekistan compared to last year, indicating some progress, albeit incremental.

While IPv6 capability measures whether allocated IPv6 prefixes are actively announced in global routing tables, IPv6 adoption shows if users can actually use IPv6 on their networks. This distinction is crucial for understanding the real-world implementation of IPv6.

Recent data from major Content Delivery Networks (CDNs) reveals varying levels of IPv6 adoption across Central Asia and neighbouring regions. Kazakhstan leads the region with adoption rates between 13% (Facebook) and 17% (Cloudflare and Google), reflecting differences across networks within the country. Kyrgyzstan follows with around 4% adoption, while Uzbekistan stands at approximately 3%. Both countries show lower implementation levels compared to Kazakhstan. Turkmenistan and Tajikistan lag significantly, with a very low level of adoption, indicating substantial challenges in IPv6 implementation.

Interestingly, neighbouring Iran, though not part of Central Asia, shows notably higher but inconsistent adoption rates: 76% (Facebook), 22.6% (Cloudflare) and 16% (Google). These significant discrepancies highlight the importance of understanding the measurement methodologies used by different CDNs. Cloudflare calculates the IPv6 percentage as (IPv6 requests/requests for dual-stacked content), providing a specific metric of IPv6 usage among clients capable of using both IPv4 and IPv6. For Google and Facebook, it's not very clear how they are calculating adoption rates, which could contribute to the variations between their reported figures.

Despite the differences in measurement approaches, ranging from IPv6 capability to adoption based on traffic patterns, the numbers consistently indicate low IPv6 adoption rates across Central Asia.

The RIPE NCC 2023 Survey provides insights into the factors impacting the slower adoption of IPv6 across Europe, the Middle East, and Central Asia. According to the survey:

  • Ensuring feature parity between IPv4 and IPv6 is the primary issue when implementing IPv6 for 46% of respondents overall, rising to over half of those in Central Europe (54%) and Eurasia (56%).
  • Managing misconceptions is also a common problem, with 41% of respondents indicating they needed to change the IPv4 mindset within the organisation, particularly in Germany (56%) and Poland (61%).
  • About 40% of respondents found it challenging to gather knowledge on specific implementations to assist their deployment, suggesting that more information and/or education is required.

The data underscores the complex landscape of IPv6 adoption not only in Central Asia, with varying progress across countries. This situation calls for concerted efforts to promote IPv6 adoption through policy initiatives, infrastructure investments, and increased awareness.

If you wish to upgrade your knowledge about IPv6 and RPKI, check out the courses in the RIPE NCC Academy. We also published our IPv6 Fundamentals course in Russian. And we'll host the IPv6-related trainings in Bishkek, right after CAPIF 3 - register here.

Final remarks

Adopting key technologies like RPKI and IPv6 is an important step in ensuring a secure and stable Internet in Central Asia. As the region experiences rapid digital growth, addressing routing vulnerabilities through ROV and increasing IPv6 uptake are essential steps. While progress has been made in implementing ROAs, particularly in countries like Kyrgyzstan and Turkmenistan, challenges such as knowledge gaps and concerns about ROV remain. By prioritising these improvements, Central Asian networks can better prepare against routing threats and ensure long-term digital resilience.

We would love to hear your thoughts, chat with us at CAPIF 3. This research will be presented by Qasim Lone from the RIPE NCC on Tuesday, 24 September.

0

You may also like

View more

About the author

Anastasiya Pak Based in Amsterdam

Anastasiya Pak is the Marketing & Communications Officer at the RIPE NCC. Before joining the RIPE NCC, Anastasiya led the Communications Department at an international education NGO. She began her career as a TV journalist in Uzbekistan, covering international politics and diplomacy, UN discussions, and other topics related to international political and economic affairs. Anastasiya holds a Bachelor's Degree in International Relations from the University of World Economy and Diplomacy and a Joint Master's in Journalism, Media, and Globalisation from the University of Amsterdam and Aarhus University.

Comments 0