Kjerstin Burdiek

RIPE NCC Days Baltics: Insights into Regional Resilience

Author image
Kjerstin Burdiek(RIPE NCC staff)
Contributors: Anastasiya Pak, Romain Bosc, Alex Semenyaka, Emile Aben

14 min read

Article lead image

On 3-4 June 2026, we convened in Riga, Latvia for RIPE NCC Days Baltics. 76 participants from nine countries participated in sessions covering important topics in network operations, with a special focus on resilience for a region that has seen repeated network disruptions in recent years.


At RIPE NCC Days Baltics, network engineers and other operators from Latvia, Lithuania, Estonia and neighbouring countries gathered to discuss the main trends and developments affecting the region’s Internet.

Resilience through collaboration and capacity-building

A common thread through the meeting was the topic of the need for resilience. The Baltic region has experienced several disruptions to its Internet, both at the infrastructure and the network levels.

At the physical layer, the region's connectivity to the wider Internet depends on submarine cables. The outages of several of these cables in the Baltic region during the winter of 2024-2025 brought that topic to the attention of a wider audience. In his presentation about these outages, the RIPE NCC's Emile Aben showed that RIPE Atlas measurements indicate that the Internet routed around this damage. The data indicates that only some of the paths between countries that were measured saw a slight increase in latency, but no increased packet loss was observed. This event highlighted the importance of resilience not only in infrastructure but also in routing, as packets were able to move along alternative routes.

This theme was expanded on during a panel session featuring Dmitrijs Nikitins, Chief Technology Officer at Tet, Agnese Zariņa, Director of the Communications Department at the Ministry of Transport of Latvia, Baiba Kaskina, General Manager at CERT.LV, Evijs Taube, Member of the Management Board at LVRTC, and Hisham Ibrahim, Chief Community Officer at the RIPE NCC.

From left to right: moderator Romain Bosc, RIPE NCC, and panellists Agnese Zariņa, Dmitrijs Nikitins, Baiba Kaskina, Evijs Taube (holding a piece of a damaged Baltic Sea cable) and Hisham Ibrahim

With the significant increase in cyberattacks across the region and the geopolitical landscape becoming more volatile, speakers emphasised that developing cross-border resilience has become a top priority in recent years. The resilience of Ukraine’s communications infrastructure during the ongoing war provides an example several speakers referenced in their comments. They mentioned how their organisations had adapted their systems by studying the efforts of Ukrainian operators.

The protection of submarine cables was also discussed, with panellists describing recent improvements in real-time monitoring and emergency repair. For enhancing both security and resilience, they stressed the importance of good practices in the implementation of Internet standards, such as RPKI and ASPA, to prevent BGP prefix hijacks and route leaks and proactively testing equipment and networks in live environments. Diversifying routes and cross-border connections and having disaster recovery sites outside of the country were also noted as important. Speakers pointed to potential pitfalls, such as the persistence of network bottlenecks, poor IT security and critical dependencies making it sometimes difficult to properly manage risks, for example in cases of software outages or failures in the electrical grid.

Finally, speakers stressed the need for effective information-sharing frameworks and ensuring visibility into networks to be able to respond quickly to incidents. They also highlighted the importance of fostering regional and international cooperation, supporting a competitive and diverse connectivity environment and recognising the essential roles of public-private collaboration and technical coordination in maintaining collective resilience.

Another organisation looking at network resilience and cybersecurity is BEREC, the Body of European Regulators for Electronic Communications. Zdravko Jukić, Deputy Executive Director at HAKOM, presented some of BEREC’s latest activities, with a focus on recent developments led by the Cybersecurity and Resilience Working Group, where he serves as co-chair. In addition, Zdravko discussed the possible new tasks and evolving role of national regulators in light of the changing regulatory landscape. He mentioned various initiatives, including the recent publication of BEREC’s assessment reports on two major legislative proposals: the revision of the Cybersecurity Act (CSA2) and the Digital Networks Act (DNA). In particular, the DNA proposal introduces the creation of a pan-European preparedness plan to strengthen cyber resilience in which BEREC would play a key role.

The Baltic region at a glance

Building resilience requires first having insight into networks and their vulnerabilities. According to Alex Semenyaka of the RIPE NCC, some of these vulnerabilities in the region include the low number of cross-border connections, some of which are submarine cables. This factor, combined with the underutilisation of local traffic exchange points, leads to high amounts of tromboning and very abnormal paths going as far away as Venezuela and India, as well as routes going through Russia and the United States.

This effect can be seen in the image below showing Estonia-Latvia-Estonia routes. Overall, traffic with neighbouring countries is particularly vulnerable due to reliance on submarine cables. Inside the region, paths from Estonia to Lithuania are complex due to their lack of shared border, though Lithuania has the highest overall diversification of external connections. Local traffic is often handled by global players, which is problematic as these entities are not interested in localisation, only optimising throughput. A solution here could be the development of Latvia as a regional hub by strengthening IXPs (Eric Andrei Băleanu shared Romania’s experience here) and increasing network monitoring. This last part can be accomplished by making use of the RIPE NCC’s tools like RIS, RIPE Atlas and RIPEstat.

Resource holdership

Overall, as presented by the RIPE NCC’s Anastasiya Pak, the Baltic region represents a mature and highly connected Internet ecosystem with a substantial number of Autonomous System Numbers (ASNs) and continued IPv6 allocation activity.

Lithuania stands out in terms of registered allocated resources, particularly IPv4 and IPv6 allocations, which are significantly higher than in the other two countries analysed, Latvia and Estonia. Latvia differs from the other Baltic countries in terms of the number of End Users (176) and sponsored resources (121 IPv4 and 26 IPv6 Assignments). While it has the smallest membership base (63 members) among the three countries, it has a comparatively larger number of End Users. Estonia maintains the largest number of members in the region.

The statistics in the image above are all derived from RIPE NCC registration data that uses 2-letter ISO-3166 codes as the unique identifier for countries. As explained in our 2023 article on Country Codes in the RIPE Database, these codes indicate in which country the resource holder is legally based.

Routing security

Internet routing determines how data packets get forwarded across the Internet. The global infrastructure behind this relies on the Border Gateway Protocol (BGP), a protocol infamously designed with few if any inbuilt safeguards, leaving it prone to misconfigurations and hijacking events. In this section, Anastasiya and the research team examined BGP incidents across the Baltic states over the past year against uptake of RPKI.

RPKI allows IP address holders to publish Route Origin Authorisations (ROAs) specifying authorised origin ASes. Using Route Origin Validation (ROV), networks check BGP announcements against these ROAs to reject unauthorised origins and mitigate prefix hijacks and certain misconfigurations.

The chart below shows the number of BGP route origin incidents in the Baltics over the past year as seen by the Global Routing Intelligence Platform (GRIP). Each incident is counted once per country, using GRIP’s unique event ID together with the set of ASNs involved (both originating and covered/affected). The number of incidents seen for the past year in the countries analysed varies, with the highest number of incidents observed for Latvia (918). It is important to note that even a small number of BGP events have the potential to disrupt connectivity, misdirect traffic and undermine the reliability of a country’s Internet.

Routing security adoption across the Baltics continues to develop steadily, with increasing deployment of Resource Public Key Infrastructure (RPKI) and, again, growing operational focus on routing resilience. ROA coverage is especially high for IPv4 space. Interestingly, in Lithuania, there is a relatively high level of ROA coverage for IPv6, even with the large number of resources registered in Lithuania.

Looking into Latvia’s ROA coverage over time, the team found that Tet covered their IPv4 space with ROAs in March 2022, contributing to the increase of the overall coverage from 66% to 83%. In December 2021, Bite covered their IPv6 space with ROAs, increasing the coverage from 15% to 30%.

ROA coverage for government domains

The graph below shows the amount of IP addresses behind particular government domains that are and are not covered by valid ROAs. To do this, Anastasiya and the research team extracted the relevant BGP routing data from RIS and then validated against the RIPE NCC’s RPKI Validator, categorising each prefix as Valid (properly authorised), Invalid (violating a ROA), or Not-Found (lacking RPKI protection). IP addresses resolving to these domains that fell under RPKI Invalid or Not-Found prefixes, without being covered by a more specific Valid ROA, were classified in the respective category

For each domain, the research team resolved both IPv4 and IPv6 addresses and checked whether the resulting endpoints were covered by valid ROAs. Many of these domains are likely hosted behind CDNs or other third-party platforms. That means the ROA status reported may reflect the routing security practices of the hosting provider. This analysis is domain-based and limited to the ROA status of the resolved endpoints. In future reports, the team plans to expand the analysis with a more detailed examination that distinguishes between government-operated infrastructure and externally hosted services. These preliminary findings should be interpreted with caution, as the domain set is incomplete and no assessment was made of the specific function or criticality of the services involved.

Overall, there are robust routing security practices for government infrastructure, as most of the IP addresses resolved to government domains in the Baltic countries are covered by ROAs.

ASPA

Autonomous System Provider Authorisation (ASPA) is a relatively new addition to RPKI that helps address routing incidents by enabling validation of AS path relationships, another step towards robust routing security. As reported here on RIPE Labs, operators can now create and manage ASPA objects alongside ROAs in the RIPE NCC’s RPKI Dashboard.

Looking at the figures below, it's worth noting that, at this early stage, even relatively small changes will significantly affect the rate of ASPA implementation going forward. Nevertheless, the variation across the region already highlights differing levels of engagement with this new routing security mechanism and suggests there is substantial room for growth in the coming years.

ROV

We examined network centrality using AS Hegemony methodology, which measures how much a country's routing depends on each autonomous system (AS). The larger the node, the more central the AS is within the Latvian network. Colour shows two things at once: whether the AS is registered inside or outside the country, and whether it is protected by Route Origin Validation (ROV), the routing-security check that rejects BGP announcements from unauthorised origins, either through its own filtering or that of its upstreams. Grey nodes are those with no ROV data.

To explore the following data in more detail, see our interactive version of these plots (in Flourish Studio).

Latvia's most central networks are also where ROV would have the greatest effect. Major ASNs such as Tet (AS12578), Bite Latvija (AS2588) and Bite Lietuva (AS13194) lie on a large share of the paths toward Latvian networks, yet none are currently ROV-protected.

Deployment by networks this central, whether by the operators themselves or their upstreams, would drop routes with an Invalid origin before they propagate to the many smaller networks beneath them, the collateral benefit that makes adoption here so valuable. Interestingly, AS5518, also Tet, is ROV-protected, whether through its own filtering or its upstream, even though Tet's main network (AS12578) is not. Overall, the Latvian connectivity landscape is characterised by locally registered ASes playing a central role in the country's routing, so its resilience to origin hijacks rests heavily on the ROV posture of a few domestic incumbents.

Among Lithuania's most central ASes, Telia Lietuva (AS8764), or its upstream, deploys ROV. This drops routes with an Invalid origin before they reach the networks downstream of it, protecting them against both malicious prefix hijacks and accidental misconfigurations. Deploying ROV at central local networks such as Bite Lietuva (AS13194) and Baltneta (AS15440), which are not yet protected, would improve routing security across much of Lithuania's network landscape.

In Estonia, many of the central networks are ROV-protected, whether by themselves or via their upstreams, including Telia Eesti (AS3249), Arelion (AS1299) and the Estonian Information System Authority (AS8240). Unlike Latvia, where the most central networks are locally registered, several of Estonia's most central networks are foreign-registered, such as CITIC (AS3327) and RETN (AS9002), alongside well-known Tier-1 carriers.

IPv6

The team also calculated the percentage of ASes in each country that announce both IPv4 and IPv6 addresses, as well as those that announce only IPv6 compared to those that announce only IPv4. Here, IPv6 capability only indicates that the addresses are being routed – a step towards adoption. As can be seen, Latvia is quite low in terms of IPv6 capability.

While IPv6 capability indicates the readiness of networks to use IPv6, actual adoption is not easy to measure. We looked at measurements reported by some major Content Delivery Networks (CDNs) on IPv6 adoption in the region. These levels vary, with Estonia leading in this area.

At the meeting, several panellists discussed the challenges and motivations for adopting IPv6. Alex Pavlov, LIVAS NET SIA, noted his organisation was running dual stack, because although Latvia generally had sufficient IPv4, it was worth ensuring externally connecting devices were IPv6-prepared. Ervins Gailiss, CircleK A/S, said his organisation was considering implementing IPv6 due to their growing network but still looking for the best way to do so. Ties de Kok of the RIPE NCC said that he used dual stack regularly and noted that it is fine until something breaks, so IPv6-only with a transition mechanism would be preferred. While all acknowledged that IPv6 is needed, panellists pointed out that there are still open questions about the best way to implement it, as every organisation has different needs. One challenge is legacy equipment that is running on IPv4, which would either need to be replaced–difficult if on a fixed hardware cycle–or adapted to dual stack. Networking procedures would also need to be updated. Moderator Alex Semenyaka, RIPE NCC, noted that the RIPE NCC offers courses on IPv6 implementation and the different methods to suit an organisation’s needs.

Building community, in the Baltic region and beyond

Another important factor for resilience is not only shoring up technical practices but also building human networks to share experiences and best practices. The RIPE NCC‘s Registry Services can assist operators in becoming a RIPE NCC member, placing resource requests and keeping registration information up to date. The RIPE NCC Academy e-learning platform offers courses on topics ranging from routing to Internet governance. Operators can engage with the RIPE NCC and each other through RIPE Working Groups, mailing lists, the RIPE NCC Forum and more. And it is also important for operators to get involved in the RIPE community so they can contribute to policy development, gain professional contacts and take part in discussions.

The RIPE community and RIPE NCC will return to the Baltic region with more support in building resilience, security and capacity at RIPE 94 in Vilnius, Lithuania from 24-28 May 2027. We hope to see you there!

You may also like

View more

About the author

Author image

Kjerstin Burdiek is a Communications Officer at the RIPE NCC. Prior to joining the RIPE NCC in 2021, she contributed to policy research and strategic communications at a think tank. In her educational background, she explored the intersection of linguistics and political science. She currently focuses on communications around Internet governance and developments in the technical community.

Comments 0