Demystifying RPKI-Invalid Prefixes: Hidden Causes and Security Risks
Weitong Li
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Network Security
**RPKI (Resource Public Key Infrastructure)** is the deployed mechanism for securing BGP route origins: resource holders publish cryptographically signed **Route Origin Authorizations (ROAs)** that state which Autonomous System may originate a given IP prefix, and up to what maximum prefix length. Routers performing Route Origin Validation mark an announcement whose origin AS or prefix length does not match any covering ROA as RPKI-invalid. Yet despite growing RPKI deployment (ROAs now cover **55% of routable IPv4 prefixes**), over **7,000 RPKI-invalid prefixes** appear in global routing tables every day -- and this number is not decreasing. This talk investigates why these invalid prefixes exist, expanding on prior work that explained approximately 80% of them as misconfigurations. By identifying previously undocumented causes, including **IP tunneling transit**, **direct IP leasing**, and **broker-mediated IP leasing**, the researchers explain **97%** of daily RPKI-invalid prefixes as misconfigurations rather than actual hijacks. Critically, the research shows that even when an alternate valid path exists, **18% of invalid routes** cause **path divergence** -- traffic flowing along unintended paths that degrade performance, bypass security defenses such as DDoS protection, and in IP leasing cases create **man-in-the-middle opportunities**.
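How a route becomes RPKI-invalid, and why an invalid route can change the path traffic actually takes, is easier to see in code. The following is an added example, not code or data from the talk or its paper: it implements RFC 6811 origin validation against a set of ROAs and a simplified BGP decision for two routers, one enforcing ROV and one not, over a constructed IP-leasing scenario. The ASNs (private-use range 64496-64511), the prefixes (documentation range 198.51.100.0/24) and the routes in the RIB are assumptions chosen for illustration; the 18% figure from the talk is a measurement, not something this code reproduces.

```python
"""RFC 6811 route origin validation plus a two-router path-divergence check.

Constructed scenario (assumed, not from the talk): AS 64500 holds
198.51.100.0/24 and has a ROA for it. It leases 198.51.100.0/25 to AS 64510,
which originates the /25 from its own ASN without the holder updating the ROA.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class ROA:
    prefix: str       # covered prefix, e.g. "198.51.100.0/24"
    max_length: int   # maxLength (RFC 6482): longest sub-prefix the AS may originate
    asn: int          # authorized origin AS


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple    # AS_PATH as seen by the validating router, origin AS last

    @property
    def origin_asn(self) -> int:
        return self.as_path[-1]


def rov_state(route: Route, roas: Sequence[ROA]) -> str:
    """Return the RFC 6811 validation state: 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(route.prefix)
    covering = []
    for r in roas:
        roa_net = ipaddress.ip_network(r.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(r)
    if not covering:
        return "NotFound"          # no ROA says anything about this prefix
    for r in covering:
        # Valid needs BOTH an origin-AS match and prefixlen <= maxLength;
        # a wrong origin (leasing) or a too-long prefix (maxLength) is Invalid.
        if r.asn == route.origin_asn and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def select_path(dest: str, rib: Sequence[Route], roas: Sequence[ROA],
                enforce_rov: bool) -> Optional[tuple]:
    """AS path along which a router forwards traffic for `dest`.

    Simplified BGP decision: drop Invalid routes when ROV is enforced, then
    longest-prefix match, then shortest AS path.
    """
    addr = ipaddress.ip_address(dest)
    usable = []
    for rt in rib:
        net = ipaddress.ip_network(rt.prefix)
        if net.version != addr.version or addr not in net:
            continue
        if enforce_rov and rov_state(rt, roas) == "Invalid":
            continue
        usable.append(rt)
    if not usable:
        return None
    best = max(usable, key=lambda rt: (ipaddress.ip_network(rt.prefix).prefixlen,
                                       -len(rt.as_path)))
    return best.as_path


def divergence(dest: str, rib: Sequence[Route], roas: Sequence[ROA]):
    """(path chosen by an ROV-enforcing router, path chosen by a non-ROV router, differ?)"""
    rov_path = select_path(dest, rib, roas, enforce_rov=True)
    plain_path = select_path(dest, rib, roas, enforce_rov=False)
    return rov_path, plain_path, rov_path != plain_path


# Constructed inputs (assumed for illustration).
ROAS = [ROA("198.51.100.0/24", 24, 64500)]
RIB = [
    Route("198.51.100.0/24", (64496, 64500)),   # holder's covering route: Valid
    Route("198.51.100.0/25", (64497, 64510)),   # lessee's more-specific: Invalid
]
DEST = "198.51.100.10"                          # an address inside the leased /25

if __name__ == "__main__":
    for rt in RIB:
        print(rt.prefix, rt.as_path, rov_state(rt, ROAS))
    print("before remedy:", divergence(DEST, RIB, ROAS))
    # Remedy for the leasing case: the holder publishes a ROA naming the lessee's ASN.
    fixed = ROAS + [ROA("198.51.100.0/25", 25, 64510)]
    print("after remedy: ", divergence(DEST, RIB, fixed))
```

Run stand-alone, the script shows the holder's /24 as Valid and the lessee's /25 as Invalid. The ROV-enforcing router drops the /25 and forwards via the covering /24 toward AS 64500, the non-enforcing router follows the more-specific toward AS 64510, so the same destination is reached over two different paths; that is the path divergence the abstract describes, and the path through the holder is where a lessor could sit in the middle of the lessee's traffic. Once the holder adds a ROA for the lessee's ASN both routers agree. The same `rov_state` function also flags the older maxLength misconfiguration: the holder announcing the /25 from its own AS 64500 is Invalid too, because 25 exceeds the ROA's maxLength of 24.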
AI review
A thorough investigation of why 7,000+ RPKI-invalid prefixes appear daily, identifying new misconfiguration categories including IP leasing and tunneling transit. The finding that 18% of invalid routes cause path divergence with man-in-the-middle potential in leasing scenarios is operationally relevant for anyone doing network-layer attacks or defense.