IP Address Space Covered by Certificates

The Resource Certification (RPKI) service was launched at the beginning of 2011. The system enables network operators to perform BGP origin validation, which means that they can securely verify if a BGP route announcement has been authorised by the legitimate holder of the address block.

Using their resource certificate, network operators can create cryptographically validatable statements about the route announcements they authorise to be made with the prefixes they hold. These statements are called Route Origin Authorisations (ROAs). A ROA states which Autonomous System (AS) is authorised to originate a certain IP address prefix.

So far, 10% of the RIPE NCC membership has opted into requesting a Resource Certificate. In the graph below, you can see the number of IPv4 prefixes (blue) and IPv6 prefixes (red) that have been certified by RIPE NCC members using their certificate. More than 900 IPv4 prefixes are certified. That means that more than 10% of the IPv4 address space the RIPE NCC is maintaining is covered by certificates. For IPv6, around 250 prefixes are certified. This is a relatively high number compared to the total number of IPv6 prefixes in the routing system.

Figure 1: Number of IPv4 and IPv6 prefixes covered by certificates in the RIPE NCC service region

On the RIPE NCC website you can find more information about certification . You can also find more RPKI related statistics .