RPKI-Invalid Routes Persist: How Opaque Transit & IP Leasing Undermine BGP Security for Telecoms

Original Source: Internet Society Pulse

Source: Internet Society Pulse – “Demystifying RPKI-Invalid Prefixes: Hidden Causes and Real Risks”, 15 May 2026.

A new study from Virginia Tech and CableLabs reveals that despite the widespread adoption of the Resource Public Key Infrastructure (RPKI), thousands of Border Gateway Protocol (BGP) routes remain marked as RPKI-invalid with no meaningful decline. The research identifies two major, commercially-driven root causes: opaque IP transit services and IP address leasing. For telecom operators and internet infrastructure providers, this persistence of invalid routes represents a critical operational blind spot, introducing measurable latency penalties—exceeding 100 milliseconds for two in five affected prefixes—and undermining the very security RPKI was designed to enforce. This analysis moves beyond simple misconfiguration to expose systemic friction between modern network business models and routing security protocols.

RPKI’s Growing Coverage vs. Persistent Invalidity: The Telecom Data


The Resource Public Key Infrastructure (RPKI) has achieved significant traction within the global telecom and ISP community as a foundational tool for securing the Border Gateway Protocol (BGP). The holder of an IP prefix cryptographically signs Route Origin Authorizations (ROAs), each naming an Autonomous System (AS) that is authorized to originate that prefix (and, through the optional maxLength field, the more-specific prefixes that same AS may also originate). Networks that perform Route Origin Validation (ROV) can then check whether a BGP announcement for a prefix comes from an authorized origin AS. This is a direct countermeasure against route hijacks and prefix mis-origination, threats that can lead to traffic interception, blackholing, and widespread service disruption. According to the study’s data, over 50% of internet routes are now covered by RPKI ROAs, after rapid growth in adoption over recent years.

However, the operational reality for network engineers is more complex. The research, analyzing data from the global routing table, found that over 6,000 routes are marked as RPKI-invalid on any given day, with tens of thousands observed over a longitudinal study. Critically, this number of invalid routes has not shown a “meaningful decline” despite the surge in RPKI coverage. For network operations centers (NOCs) and security teams at telecom operators, this means a constant background noise of invalid route announcements that must be interpreted—distinguishing between legitimate commercial arrangements and potential security incidents. ROV assigns each route one of three states: valid, invalid, or not-found (no ROA covers the prefix). None of these states carries context for *why* a route is invalid, leaving operators to investigate manually or risk dropping legitimate traffic.

The technical implication is that a significant portion of the global routing table exists in a state of perceived insecurity. Networks that have deployed RPKI-based Route Origin Validation (ROV) and configured their routers to reject or depreference invalid routes may be inadvertently filtering traffic destined for prefixes caught in these commercial arrangements. The study’s finding that invalid routes persist at scale indicates that the industry’s move towards a “default reject” policy for invalid routes, while security-best-practice, is encountering real-world economic and operational friction.

Commercial Practices vs. Routing Security: Opaque Transit and IP Leasing


The Virginia Tech/CableLabs research drills down beyond simple human error or misconfiguration between related ASes (e.g., a parent and subsidiary company). It identifies two prevalent commercial models as primary, hidden drivers of RPKI invalidity. These are not attacks, but standard business operations that clash with the assumptions of the RPKI framework.

1. Opaque IP Transit and Service Chaining: Modern telecom and cloud service portfolios increasingly include services that decouple the control plane from the data plane. Key examples are:
DDoS Mitigation Services: Providers like Cloudflare, Akamai, or specialized telecom security units often act as a “scrubbing” center. To mitigate an attack, a customer’s traffic is routed through the provider’s AS. The provider announces the customer’s prefix (originating it from their own AS) to absorb the attack traffic, then cleans and tunnels it back to the customer’s actual network. From a BGP and RPKI perspective, the observed origin AS for the prefix is the mitigation provider, not the customer’s AS named in the ROA. Unless the customer has also issued a ROA for the provider’s ASN, the route is RPKI-invalid, even though the service is functioning as designed.
Traffic Engineering & Tunneling: Similar mechanics apply to various traffic optimization, anycast, or private backbone services. A carrier may announce a client’s prefix from multiple global points of presence (PoPs) for performance reasons, while the actual origin network is elsewhere. This creates a mismatch between the ROA’s authorized origin and the BGP-advertised origin.

For operators, this creates a dilemma. The RPKI-invalid state correctly flags a deviation from the cryptographic authorization, but that deviation is a paid-for, value-added service. Disabling the service or reconfiguring routers to accept the invalid route both present risks.

2. IPv4 Address Leasing: The exhaustion of the IPv4 free pool has created a vibrant secondary market and leasing economy. Companies needing IPv4 space often lease prefixes from holders (other telecoms, enterprises, etc.) rather than undergoing a costly transfer or waiting for IPv6 deployment. In a typical lease, the legal owner of the prefix retains control of the Regional Internet Registry (RIR) records and, by extension, the RPKI ROA. The lessee, however, configures their own routers to announce the prefix from their own AS.

The RPKI system sees a prefix announced by AS B, but the ROA only authorizes AS A (the lessor). Result: RPKI-invalid. The root cause is a coordination gap—the business transaction for IP resources is not automatically reflected in the routing security infrastructure. Updating the ROA requires action from the lessor, who may be disincentivized due to operational overhead or concerns about permanently ceding control. This is a systemic issue for Mobile Network Operators (MNOs), Internet Service Providers (ISPs), and cloud providers expanding in regions where IPv4 addresses are scarce and expensive.
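To make the validation logic behind the scenarios above concrete, the following Python is an added example (not code from the Virginia Tech/CableLabs study or the Internet Society Pulse article). It implements the Route Origin Validation state computation of RFC 6811 and runs it over a constructed ROA set: the prefix holder AS 64500 has signed a ROA for 203.0.113.0/24, and the same prefix is then originated by a lessee (AS 64501) and by a scrubbing provider (AS 64502), the two commercial cases described in this section. All prefixes are documentation ranges and all ASNs are private-use values chosen for the example. The last two functions show that an additional ROA naming the other ASN turns the route valid, while raising maxLength does not.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example: RFC 6811 Route Origin Validation over a constructed ROA set.
# Prefixes are documentation ranges and ASNs are private-use values; none of
# this is taken from the study or the article.


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int   # longest prefix length the ASN may originate under this ROA
    asn: int          # 0 means "no AS may originate this prefix" (AS0 ROA)


def roa(prefix: str, asn: int, max_length: Optional[int] = None) -> ROA:
    net = ipaddress.ip_network(prefix, strict=True)
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)


def rov_state(announced: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' (RFC 6811, section 2).

    A ROA *covers* the announcement when the announced prefix lies within the
    ROA prefix.  A covering ROA *matches* when its ASN equals the origin AS and
    the announced prefix length does not exceed maxLength.  The result is
    valid if any ROA matches, invalid if ROAs cover but none matches, and
    not-found if nothing covers the prefix.  An AS0 ROA never matches because
    AS 0 cannot appear as an origin, so it makes every covered announcement
    invalid unless another ROA matches.
    """
    net = ipaddress.ip_network(announced, strict=True)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    matched = any(r.asn == origin_asn and net.prefixlen <= r.max_length
                  for r in covering)
    return "valid" if matched else "invalid"


# Constructed: the holder, AS 64500, has a ROA for exactly 203.0.113.0/24.
HOLDER_ROAS = [roa("203.0.113.0/24", 64500)]


def scenarios(roas: Iterable[ROA] = HOLDER_ROAS) -> dict[str, str]:
    """The cases discussed in the text, evaluated against the holder's ROA."""
    roas = list(roas)
    return {
        "holder AS64500 originates /24": rov_state("203.0.113.0/24", 64500, roas),
        "lessee AS64501 originates /24": rov_state("203.0.113.0/24", 64501, roas),
        "scrubbing AS64502 originates /24": rov_state("203.0.113.0/24", 64502, roas),
        "holder originates /25 beyond maxLength": rov_state("203.0.113.0/25", 64500, roas),
        "prefix with no ROA at all": rov_state("198.51.100.0/24", 64500, roas),
    }


def fix_with_additional_roa() -> dict[str, str]:
    """The remedy the text describes: the holder signs further ROAs naming the
    lessee's and the provider's ASNs.  All three origins are then valid."""
    roas = HOLDER_ROAS + [roa("203.0.113.0/24", 64501), roa("203.0.113.0/24", 64502)]
    return {
        "holder": rov_state("203.0.113.0/24", 64500, roas),
        "lessee": rov_state("203.0.113.0/24", 64501, roas),
        "scrubber": rov_state("203.0.113.0/24", 64502, roas),
    }


def maxlength_does_not_help() -> dict[str, str]:
    """Raising maxLength lets the *same* AS announce more-specifics; it does
    nothing for a different origin AS."""
    roas = [roa("203.0.113.0/24", 64500, max_length=25)]
    return {
        "holder /25": rov_state("203.0.113.0/25", 64500, roas),
        "lessee /24": rov_state("203.0.113.0/24", 64501, roas),
        "lessee /25": rov_state("203.0.113.0/25", 64501, roas),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:42s} -> {state}")
```

Running the module prints one line per scenario: only the holder's own /24 is valid, the lessee and scrubber announcements are invalid, the holder's /25 is invalid because it exceeds the ROA's maxLength, and the prefix with no ROA is not-found. Note that invalid-by-lease and invalid-by-hijack look identical to this function; the ROA set alone cannot tell them apart, which is exactly the ambiguity operators face.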

Measurable Impact: Latency, Reachability, and Operational Cost for Networks


The persistence of RPKI-invalid routes is not merely a theoretical security concern; it has tangible performance and cost implications for telecom networks. The study employed rigorous measurement techniques to quantify the impact on end-users and network paths.

Latency Inflation: The most striking finding is the performance penalty. Researchers measured latency changes for traffic paths affected by RPKI-invalid prefixes. The data shows that two in every five affected prefixes (40%) incur latency increases exceeding 100 milliseconds. In some cases, the increase was over 300ms. For latency-sensitive applications such as voice over IP (VoIP), video conferencing, financial trading, real-time gaming, and 5G network slicing, increases of this size severely degrade quality of service (QoS). The inflation is a path-selection effect, not a per-packet processing cost: ROV adds no forwarding delay. A network that rejects the invalid route no longer has a path to the announcing AS for that prefix, so traffic either follows a covering, less-specific route over a longer path, or is handed to networks that still accept the invalid announcement, which may be far from the shortest path.

Reachability and Blackholing Risk: Networks that adopt a strict “reject on invalid” policy risk completely blackholing traffic to prefixes involved in opaque transit or leasing. This leads to customer complaints, service degradation, and costly troubleshooting sessions. The alternative—maintaining a “prefer valid” or “ignore RPKI state” policy—dilutes the security benefits of deploying RPKI in the first place, leaving the network vulnerable to actual hijacks that also present as invalid.
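The trade-off between “reject on invalid”, “depreference invalid”, and “ignore RPKI state” is easiest to see on a small routing table. The following Python is an added example, not code from the study or the article: it runs a simplified BGP best-path selection and a longest-prefix forwarding lookup over a constructed table under each of the three policies. The RPKI state of each path is supplied as input, as a router would receive it from a validator over RTR, so the block does not re-implement validation. All prefixes (documentation ranges), ASNs (private-use) and AS paths are constructed for the illustration.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example: effect of three ROV policies on path selection and
# forwarding.  Every prefix, ASN and AS path below is constructed for
# illustration; the RPKI state of each path is given as input, as a router
# would receive it from a validator over RTR.


@dataclass(frozen=True)
class Path:
    prefix: str
    as_path: tuple[int, ...]   # origin AS is the last element
    rov: str                   # 'valid', 'invalid' or 'not-found'

    @property
    def origin_asn(self) -> int:
        return self.as_path[-1]


POLICIES = ("reject-invalid", "depref-invalid", "ignore-rov")


def best_path(paths: Iterable[Path], policy: str) -> Optional[Path]:
    """Simplified BGP best-path selection among the paths of ONE prefix.

    reject-invalid: invalid paths are not eligible at all.
    depref-invalid: invalid paths get local-pref 50 instead of 100, so they
                    are used only when no better path to the same prefix exists.
    ignore-rov:     RPKI state is not consulted.
    Tie-break: higher local-pref, then shorter AS path.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")

    def local_pref(p: Path) -> int:
        return 50 if policy == "depref-invalid" and p.rov == "invalid" else 100

    eligible = [p for p in paths
                if not (policy == "reject-invalid" and p.rov == "invalid")]
    if not eligible:
        return None
    return min(eligible, key=lambda p: (-local_pref(p), len(p.as_path)))


def forwarding_lookup(dest: str, rib: Iterable[Path], policy: str) -> Optional[Path]:
    """Best path per prefix, then longest-prefix match for the destination.

    Returns None when no selected prefix covers the destination, i.e. the
    traffic would be blackholed.
    """
    addr = ipaddress.ip_address(dest)
    by_prefix: dict[str, list[Path]] = defaultdict(list)
    for p in rib:
        by_prefix[p.prefix].append(p)
    candidates = []
    for prefix, paths in by_prefix.items():
        chosen = best_path(paths, policy)
        net = ipaddress.ip_network(prefix, strict=True)
        if chosen is not None and addr in net:
            candidates.append((net.prefixlen, chosen))
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])[1]


# Constructed routing table as seen from an ROV-capable transit network:
#   203.0.113.0/24   leased prefix originated by lessee AS 64501, 2 AS hops,
#                    RPKI-invalid (the holder's ROA names only AS 64500)
#   203.0.112.0/22   the holder AS 64500's covering aggregate, valid, 3 hops
#   192.0.2.0/24     two paths: a short one from an unauthorized origin
#                    (invalid) and a longer one from the authorized origin (valid)
#   198.51.100.0/24  reachable only via an invalid path, no covering route
RIB = [
    Path("203.0.113.0/24", (64510, 64501), "invalid"),
    Path("203.0.112.0/22", (64520, 64530, 64500), "valid"),
    Path("192.0.2.0/24", (64501,), "invalid"),
    Path("192.0.2.0/24", (64540, 64550, 64560), "valid"),
    Path("198.51.100.0/24", (64510, 64501), "invalid"),
]


def outcomes(dest: str, rib: Iterable[Path] = RIB) -> dict[str, Optional[tuple[int, int]]]:
    """Per policy: (origin AS the traffic reaches, AS-path length), or None if blackholed."""
    rib = list(rib)
    result = {}
    for policy in POLICIES:
        p = forwarding_lookup(dest, rib, policy)
        result[policy] = None if p is None else (p.origin_asn, len(p.as_path))
    return result


if __name__ == "__main__":
    for dest in ("203.0.113.10", "192.0.2.10", "198.51.100.10"):
        print(dest, outcomes(dest))
```

Three things fall out of the run. For the leased 203.0.113.0/24, depreferencing changes nothing: the invalid path is the only path to that prefix, so it still wins the longest-prefix match and traffic goes to the lessee exactly as under “ignore”. Depreferencing only helps where a valid alternative to the same prefix exists (192.0.2.0/24, where it overrides the shorter invalid path). Under “reject”, the leased /24 disappears from the forwarding table and traffic follows the holder’s /22 over a longer path to a network that is not the lessee, which is the latency and reachability effect the study measures; a prefix with no covering route (198.51.100.0/24) is blackholed outright.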

Operational and Support Costs: For tier-1 and tier-2 transit providers, the constant churn of invalid routes increases the complexity of support and peering relationships. Network engineers must spend time investigating whether an invalid route is a legitimate commercial arrangement or a nascent hijack attempt. This diverts resources from proactive network management and security hardening. For internet exchange point (IXP) operators and route server administrators, it complicates the filtering recommendations provided to members.

Strategic Implications for Telecom Operators and Infrastructure Providers


The findings force a strategic reevaluation for telecom executives, network architects, and regulators. The path to a fully secure global routing system is not just about deploying RPKI; it requires aligning commercial practices with security frameworks.

For Mobile Network Operators (MNOs) & ISPs: Operators leasing IPv4 addresses must formalize RPKI management into their lease agreements. Contracts should mandate that the lessor either issues a ROA naming the lessee’s ASN for the leased prefix or delegates RPKI management rights. The operational cost of not doing so is the latency and reachability impact measured in the study. Furthermore, operators offering DDoS mitigation or anycast-based services must develop clear internal documentation and external communication for peers and customers, explaining that customer prefixes will appear invalid unless the customer also issues a ROA for the service provider’s ASN. A ROA’s maxLength field does not provide that origin flexibility: it only permits the same AS to originate more-specific prefixes, and a permissive maxLength weakens security by widening the set of more-specifics that a hijacker can announce behind a forged origin AS (RFC 9319).

For Transit & Backbone Providers: Carriers must refine their route filtering policies. A binary accept/reject based on RPKI state may be too crude. Advanced routing policies that incorporate threat intelligence feeds, historical data, and customer whitelists for known service arrangements will be necessary. Investment in automation tools that can classify the likely cause of RPKI invalidity (e.g., “likely DDoS mitigation,” “likely leased prefix”) will reduce operational overhead and improve decision speed.

For African & MENA Telecom Markets: These regions, experiencing rapid digital growth but often facing IPv4 scarcity and reliance on complex transit arrangements, are particularly vulnerable. The prevalence of IP leasing and the use of international DDoS scrubbing services could lead to a higher proportion of RPKI-invalid routes originating from or destined for these regions. Regional Internet Registries (RIRs) like AFRINIC and national regulators have a role to play in promoting education and best practices around RPKI management in lease contracts. The performance penalty of invalid routes could disproportionately affect connectivity quality in these emerging markets.

For the Industry & Standards Bodies: The research highlights a need for potential extensions or adjuncts to the RPKI standard. Concepts like “delegated ROAs” for leasing, or standardized BGP community attributes to signal “invalid-but-authorized” states for service chaining, could be explored. However, any such changes must be weighed against the risk of re-introducing ambiguity into a security system designed for cryptographic certainty.

Conclusion: Navigating the Friction Between Business and Security


The Virginia Tech study provides a crucial reality check for the telecom industry. The deployment of RPKI is a major success for routing security, but its effectiveness is being subtly undermined by the very innovation and market dynamics that define the modern internet. Opaque transit services and IP address leasing are not fringe activities; they are central to business models for security, scalability, and resource optimization.

Going forward, network operators cannot treat RPKI as a “set and forget” technology. It requires active, continuous management that intersects with legal, commercial, and product teams. The measured latency penalties of 100ms+ provide a concrete business case for investing in this coordination. The goal must evolve from simply achieving high RPKI coverage percentages to achieving high rates of *accurate* RPKI validation—where the cryptographic data reflects the operational reality.

For the global telecom infrastructure, the next phase of BGP security will involve building processes and perhaps technical adaptations that reconcile economic necessity with cryptographic truth. Until then, a significant portion of the internet’s routes will remain in a security gray area, with network engineers on the front line, manually distinguishing between a paid service and a potential hijack.