We learned from Cloudflare's https://isbgpsafeyet.com/ that some ASes have deployed RPKI Origin Validation (ROV). However, we downloaded BGP collection data from RouteViews and RipeRis platforms and found that some ROV-ASes can announce some invalid routes. For example, from RIB data at 2022-10-31 00:00:00, 13 out of 17 ASes which declared to deploy ROV announced invalid routes, and we list the number of related prefixes for each AS below.
ASN 3356 1299 174 2914 6939 3257 6453 3491 9002 5511 7922 13335 16509
pref# 7 23 31 4 361 15 273 16 2 56 17 10 5
As a comparison, we count the invalid routes the non-ROV ASes (also declared in
https://isbgpsafeyet.com/) announces, as below:
ASN 6762 6461 1273 12956 12389 20485 701 7473 9009
pref# 597 603 587 11 161 162 559 492 380
We can see that ROV ASes announced apparently fewer invalid routes compared to the non-ROV ASes, though they did not filter all the invalids.
AS6939 announced apparently more invalid routes compared with other ROV-ASes. We learned from the discussions two years ago (https://mailman.nanog.org/pipermail/nanog/2020-June/108309.html) that AS6939 uses reactive ROV. I.e., route collectors identify invalid routes, write them into scripts and send to routers, who then send "withdrawals" of the invalids based on the scripts.
However, for the BGP collection time 2022-10-31 00:00:00, we downloaded the two-hour updates afterwards, and found very few withdrawals from AS6939 about those invalid routes in the first hour. In the second hour, AS6939 withdraws hundreds of invalid prefixes, but most of these withdraws are followed by another invalid announcement with the same prefix and same invalid origin AS.
Can anyone help us to correctly interpret this case? Thank you very much.