RPKIbased

RPKIbased refers to systems, deployments, and practices that rely on the Resource Public Key Infrastructure (RPKI) to validate the origin of IP prefixes in BGP. The RPKI framework uses digitally signed certificates issued by the Regional Internet Registries (RIRs) to bind IP resources to their legitimate holders. Route Origin Authorizations (ROAs) are data objects that authorize specific autonomous systems to originate particular prefixes.

Route validation checks observed BGP announcements against the ROA set. Validators determine whether a route is valid, invalid, or unknown based on whether the origin AS matches an approved authorization. Network operators can apply policies that block or deprioritize invalid routes, prefer valid ones, or generate alerts depending on the validation outcome.

The primary benefits of RPKIbased approaches include reduced risk of prefix hijacking and improved auditability of interdomain routing. They provide a common, cryptographic basis for verifying route origins, which can enhance trust among networks and IXPs. Adoption is growing among large operators and many Internet exchange points, but global deployment remains uneven, and some networks rely on traditional filtering or manual verification.

Challenges and considerations include the need to maintain up-to-date ROAs for all active prefixes, potential false positives from incomplete or misconfigured ROAs, and the operational overhead of running validators and updating policies. The reliance on a small set of issuing authorities and validator services can introduce centralized points of failure or trust concerns, and there are policy and privacy considerations for some networks.

RPKIbased practices are commonly used for origin validation, route filtering, and, in some environments, for integrated decision-making in routing platforms and software-defined networks.

See also BGP, ROA, Route Origin Validation.
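The valid / invalid / unknown decision described above can be sketched as follows. This is an added example, not code from the original page or from any validator project; it goes slightly beyond the page by also applying the ROA maxLength check from RFC 6811. The ROA entries, AS numbers, and local-preference values are constructed assumptions using documentation prefixes and private-use ASNs.

```python
import ipaddress

# Constructed sample ROA set: (prefix, maxLength, authorized origin AS).
# Documentation prefixes and private-use ASNs, not real routing data.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'unknown'.

    'unknown' is the page's term; RFC 6811 calls this state NotFound.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route is equal to or more
        # specific than the ROA prefix (same address family).
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match: authorized origin AS and prefix no longer than maxLength.
        if roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched none: invalid.
    # Covered by no ROA at all: unknown.
    return "invalid" if covered else "unknown"


def apply_policy(state):
    """Hypothetical operator policy: reject invalid, prefer valid.

    Returns (action, local_pref); the preference values are assumptions.
    """
    if state == "invalid":
        return ("reject", None)
    return ("accept", 200 if state == "valid" else 100)


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.128/25", 64500),
                     ("192.0.2.0/24", 64511), ("198.51.100.0/24", 64502)]:
        state = validate_origin(pfx, asn)
        print(pfx, f"AS{asn}", state, apply_policy(state))
```

The `192.0.2.128/25` case shows the misconfiguration risk mentioned under challenges: the legitimate holder's own more-specific announcement is classified invalid because the ROA's maxLength does not allow it.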