Indonesia went from under 1% RPKI adoption in 2021 to more than 90% coverage in 2026, and that should end a lot of very respectable conference talk about how operators simply need more reminders. They had reminders. What changed was that routing security stopped being a poster slogan and started looking like an operational deadline with peers, exchanges, and reputational pressure attached.
Indonesia Turned RPKI Into a Requirement
APNIC’s APRICOT 2026 Routing Security SIG recap is unusually useful because it explains the mechanics, not just the applause line. IDNIC and the local community pushed outreach, flagged insecure announcements, used badges and direct nudges, and kept the issue visible until ignoring it became harder than fixing it. That is how adoption actually moves in network operations: not through moral encouragement, but through repeated friction aimed at the laggards.
The decisive step was the Indonesian Internet Exchange choosing to drop invalid routes at its route reflectors. Once an exchange with nearly 800 participating ASNs and 15 interconnection points makes insecure routing harder to pass through the room, RPKI stops being a nice engineering objective and becomes part of staying connected. Funny how fast best practice improves when it starts affecting traffic.
Exchange Policy Beats Another Webinar
This is the part many markets prefer not to say out loud. Operators do not usually move because a standards body produced another cleanly worded reminder to enable ROV. They move when the local peering environment creates consequences, when peers can see who is behind, and when the work lands on an actual operational backlog instead of a someday list.

That is the broader lesson for network operators and enterprise buyers watching routing resilience. Adoption is a coordination problem before it is a technical one. If exchanges and registries leave RPKI as optional hygiene, the market behaves accordingly. If they turn it into table stakes, deployment accelerates.
Tooling Matters Because Fear Is Rational
None of this means operators were irrational for moving slowly. Creating ROAs can touch delegated space, DDoS workflows, disaster recovery origins, and ancient routing habits nobody wants to break on a Friday afternoon. ARIN and Internet2’s recent tool work matters for exactly that reason: the barrier is often not disagreement with RPKI, but fear of getting it wrong once or twice in a career and wearing the outage.
That also connects to address operations more broadly. Teams managing address inventory already know that registration data, routing policy, and real-world usage drift apart over time. RPKI deployment gets much easier when those records are clean enough that engineers are not guessing which origin should be signed.
90% Coverage Changed the Timing
The Indonesian example also exposes why deadline-based campaigns work better than generic awareness pushes. APNIC said it made sense for IIX to stop accepting invalids once ROA coverage was around 89% to 90%, because enforcement at that point cleaned up the tail instead of detonating the room. After that shift, presentation data cited by APNIC showed Indonesian routing tables at roughly 90% valid, 10% unknown, and 0% invalid for IPv4, while IPv6 sat at 92% valid, 8% unknown, and 0% invalid.
Set against a worldwide ROV adoption level of about 26.6%, that is the real 2026 routing-security story. Indonesia did not discover a new principle. It proved the old one network people keep relearning: communities move when expectations are visible, deadlines are real, and insecure behavior becomes operationally inconvenient.
FAQ
Why Is Indonesia’s RPKI Story Important in 2026?
Because it shows large-scale adoption came from exchange policy, community pressure, and direct operator engagement rather than another generic reminder to enable ROV.
What Did IIX Do to Accelerate RPKI Adoption?
The Indonesian Internet Exchange chose to drop invalid routes at its route reflectors, turning routing security from recommendation into a practical requirement for participants.
What Is the Difference Between ROA and ROV?
ROAs are signed objects that authorize which ASN may originate a prefix, while ROV is the filtering process that checks whether announced routes are valid, invalid, or not found.
Why Do Operators Delay RPKI Deployment?
Because incorrect ROAs can create outages, especially where delegated space, DDoS mitigation, and backup origin paths complicate what should be authorized.
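The ROA/ROV distinction and the outage risk described in the two answers above can be seen in a short sketch of RFC 6811 origin validation. This is an added example, not code from APNIC, IDNIC or IIX; the prefixes and ASNs are documentation values and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: prefix, maxLength, authorized origin ASN."""
    prefix: str
    max_length: int
    asn: int

def rov_state(prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route when the route sits inside the VRP prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the right origin and a length within maxLength.
        if origin_asn == vrp.asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

# Constructed sample data: documentation prefixes and ASNs only.
PRIMARY, BACKUP, SCRUBBER = 64496, 64497, 64511
ROAS_INITIAL = [VRP("2001:db8::/32", 32, PRIMARY)]
# Corrected set: also authorize the DR origin and the scrubber's /48.
ROAS_FIXED = ROAS_INITIAL + [
    VRP("2001:db8::/32", 32, BACKUP),
    VRP("2001:db8:1::/48", 48, SCRUBBER),
]
ANNOUNCEMENTS = [
    ("2001:db8::/32", PRIMARY),      # normal origin
    ("2001:db8::/32", BACKUP),       # disaster recovery origin
    ("2001:db8:1::/48", SCRUBBER),   # DDoS mitigation more-specific
    ("2001:db8:2::/48", PRIMARY),    # de-aggregate beyond maxLength
    ("198.51.100.0/24", PRIMARY),    # no ROA covers this prefix
]

def audit(vrps):
    """Map each constructed announcement to its ROV state under `vrps`."""
    return {(p, a): rov_state(p, a, vrps) for p, a in ANNOUNCEMENTS}

if __name__ == "__main__":
    for name, vrps in (("initial", ROAS_INITIAL), ("fixed", ROAS_FIXED)):
        print(name)
        for (p, a), state in audit(vrps).items():
            print(f"  {p:<18} AS{a}  {state}")
```

Running an audit like this against planned ROAs before publishing them shows which backup or mitigation announcements an exchange that drops invalids would reject.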





