
Khwaja Zubair Sediqi after successfully defending his PhD thesis. Photo: MPI-INF/Philipp Zapf-Schramm
On Tuesday, 17 February 2026, Khwaja Zubair Sediqi successfully defended his thesis titled: "Unexpected Routes: BGP Prefixes Beyond Recommended Practices". From March 2020 until July 2025 he was a PhD student in the department "Internet Architecture" supervised by its head Prof. Anja Feldmann. The doctoral degree is awarded by Saarland University.
Abstract of the thesis:
The Internet is composed of a vast collection of interconnected networks, also known as Autonomous Systems (ASes). ASes use Border Gateway Protocol (BGP) to exchange the reachability information of IP prefixes. The Resource Public Key Infrastructure (RPKI) enhances BGP security by providing cryptographically verifiable objects that confirm the ownership of the IP prefix by an AS. A set of well-documented best practices and guidelines for route announcements governs the Internet’s interdomain routing between ASes. For proper operation of Internet routing, adherence of network operators to the recommended norms and best practices is important. Among these best practices are the recommendations for using prefix lengths up to /24 for IPv4 and up to /48 for IPv6, single origin AS for IP prefix announcement, and registering a single prefix per Route Origin Authorization (ROA) object in RPKI.
However, not all network operators follow these recommendations and instead their route announcement might be based on their policies, business needs, or technical limitations. Deviating from best routing practices can lead to routing inconsistency, complicate prefix origin validation, and disrupt network performance. This dissertation examines the routing ecosystem for violations of aforementioned best practices. We define these cases as “unexpected routes” because they represent routes that are less anticipated and remain underexplored in prior research.
First, we examine the routing ecosystem of the Internet for IP prefix sizes that are too specific. More precisely, we focus on IP prefixes more specific than /24 in IPv4 (i.e., /25 to /32) and than /48 for IPv6 (i.e., /49 to /128), and we refer to these prefixes as Hyper-specific Prefixes (HSPs). We analyze over eleven years of BGP data from well-known route collector projects to understand the evolution, examine their BGP communities and CIDR sizes to understand the reasons for HSP existence, and the potential role they might serve in Internet routing. Our findings show that most HSPs are accidental (internal) route leaks, or infrastructure peering subnets, and BGP blackholing.
Next, we examine the origin AS for IP prefixes announced via BGP to the Internet. Using single-origin AS for a prefix is recommended; however, the routing ecosystem of the Internet exhibits several thousand prefixes having Multi Origin AS (MOAS) prefixes. We analyze MOAS prefixes, using over six years of daily BGP Routing Information Base (RIB) snapshots from route collectors to examine the lifespan, propagation pattern, and potential relationship between the origin ASes of MOAS prefixes and the reason for MOAS prefixes’ existence on the Internet. Our findings reveal that mergers of companies are the largest contributors to MOAS prefixes, and examining their CIDR size reveals their potential usage for fine-grained traffic engineering. Hypergiants, including Google and Amazon, are also among the users of MOAS prefixes.
Then, we analyze the potential relationship between IPv4 and IPv6 address families at the prefix level. We use DNS records hosted on IPv4 and IPv6 prefixes and apply the Jaccard similarity index, as a suitable approach, to identify pairs of IPv4 and IPv6 prefixes having a similar set of DNS records on their IPs and refer to them as sibling prefix pairs. We identify 76k IPv4-IPv6 siblings, and 60% of sibling prefixes are registered to the RPKI.
Finally, we examine the current ROA structure across five RIRs’ RPKI trees for the single prefix per ROA recommendation and analyze the RPKI validation delay by setting up a testbed. We find that the current ROA structure across the five RIRs is not the same, and that the network delay and cryptographic verification of ROAs are the main delay contributors in the RPKI synchronization process.
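
As an added illustration (not code from the thesis), the following Python sketch flags the first two kinds of unexpected routes the abstract defines, hyper-specific prefixes and MOAS prefixes, in a handful of constructed RIB rows. The row format, function names, and sample data are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Most-specific prefix lengths the abstract cites as recommended practice.
MAX_LEN = {4: 24, 6: 48}

# Constructed sample rows: (prefix, AS path). Prefixes come from documentation
# ranges; AS numbers come from the documentation and private-use ranges.
SAMPLE_RIB = [
    ("192.0.2.0/24", "64500 64501 64510"),
    ("192.0.2.128/25", "64500 64510"),           # HSP (/25)
    ("198.51.100.0/24", "64500 64511"),          # MOAS: origin 64511 ...
    ("198.51.100.0/24", "64502 64512"),          # ... and origin 64512
    ("2001:db8::/32", "64500 64513"),
    ("2001:db8:1:2::/64", "64502 64513"),        # HSP (/64)
    ("203.0.113.7/32", "64500 64514"),           # HSP (/32)
    ("203.0.113.0/24", "64500 {64515,64516}"),   # AS_SET origin, ambiguous
]

def is_hsp(prefix):
    """True if the prefix is more specific than /24 (IPv4) or /48 (IPv6)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.prefixlen > MAX_LEN[net.version]

def origin_as(as_path):
    """Rightmost ASN of the path, or None when the path ends in an AS_SET."""
    last = as_path.split()[-1]
    return int(last) if last.isdigit() else None

def find_unexpected(rib):
    """Return (sorted HSP list, {prefix: sorted origins}) for MOAS prefixes."""
    origins = defaultdict(set)
    hsps = set()
    for prefix, path in rib:
        key = str(ipaddress.ip_network(prefix, strict=False))  # normalise
        if is_hsp(key):
            hsps.add(key)
        asn = origin_as(path)
        if asn is not None:  # skip rows whose origin cannot be pinned down
            origins[key].add(asn)
    moas = {p: sorted(a) for p, a in origins.items() if len(a) > 1}
    return sorted(hsps), moas

if __name__ == "__main__":
    hsps, moas = find_unexpected(SAMPLE_RIB)
    print("HSPs:", hsps)
    print("MOAS:", moas)
```

A row whose path ends in an AS_SET is left out of the MOAS count here because its origin is ambiguous; that is a choice of this example, not a statement about how the thesis treats such routes.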