RPKI: Securing BGP with Route Origin Validation
How Resource Public Key Infrastructure (RPKI) prevents BGP hijacking by cryptographically validating which ASes are authorized to originate prefixes.
The BGP Hijacking Problem
BGP was designed in an era of implicit trust. Any AS can announce any prefix, and neighboring routers accept it by default. This has led to:
- Pakistan Telecom hijacking YouTube (2008) — AS 17557 announced YouTube's prefix, taking it offline globally.
- Amazon Route 53 hijack (2018) — Attackers rerouted cryptocurrency traffic through a BGP hijack.
- Thousands of smaller incidents — Route hijacks happen daily, most going unnoticed.
What Is RPKI?
RPKI (Resource Public Key Infrastructure) is a framework that lets resource holders (RIRs, ISPs) cryptographically attest to the relationship between IP prefixes and the ASes authorized to originate them.
The key building block is the ROA (Route Origin Authorization):
```text
ROA: {
  Prefix:     203.0.113.0/24
  MaxLength:  /24
  Origin AS:  64512
  Signed by:  ARIN certificate chain
}
```
How ROV Works
Route Origin Validation (ROV) is the process of checking received BGP routes against published ROAs:
```text
Received BGP route: 203.0.113.0/24 from AS 64512
Check ROA database:
  → ROA exists for 203.0.113.0/24, AS 64512, maxLen /24
  → Origin AS matches, prefix length within maxLength
  → Result: VALID ✓
```
| State | Meaning | Recommended Action |
|---|---|---|
| Valid | Route matches a ROA | Accept (prefer over others) |
| Invalid | Route conflicts with ROA | Reject |
| NotFound | No ROA exists | Accept (with lower preference) |
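The three outcomes above follow the RFC 6811 decision rule: a route is NotFound when no ROA covers its prefix, Valid when a covering ROA names its origin AS and its prefix length does not exceed that ROA's maxLength, and Invalid otherwise. The following is an added example, not code from the original page; the `ROA` class, `validate()` and `covers()` names and the ROA table built from documentation address ranges are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added example: Route Origin Validation (RFC 6811) over a constructed
# table of ROAs. Not the page's own code; names are illustrative.

@dataclass(frozen=True)
class ROA:
    prefix: str      # covering prefix, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length this ROA authorizes
    origin_as: int   # AS 0 authorizes nothing and so makes covered routes Invalid

def covers(roa: ROA, route_prefix: str) -> bool:
    """A ROA covers a route when the route is equal to or more specific than the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    net = ipaddress.ip_network(route_prefix)
    return net.version == roa_net.version and net.subnet_of(roa_net)

def validate(roas, route_prefix: str, origin_as: int) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for an announced (prefix, origin AS)."""
    net = ipaddress.ip_network(route_prefix)
    covering = [r for r in roas if covers(r, route_prefix)]
    if not covering:
        return "NotFound"   # no ROA speaks for this address space at all
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "Valid"  # origin AS and prefix length both authorized
    return "Invalid"        # covered, but no ROA authorizes this announcement

# Constructed ROA table (documentation prefixes, private ASNs).
ROAS = [
    ROA("203.0.113.0/24", 24, 64512),   # exact /24 only, as in the page's example
    ROA("198.51.100.0/22", 24, 64513),  # /22 aggregate, sub-allocations down to /24 allowed
]

if __name__ == "__main__":
    for prefix, asn in [("203.0.113.0/24", 64512), ("203.0.113.0/24", 64666),
                        ("203.0.113.0/25", 64512), ("198.51.100.0/24", 64513),
                        ("198.51.100.0/25", 64513), ("192.0.2.0/24", 64512)]:
        print(f"{prefix} from AS {asn}: {validate(ROAS, prefix, asn)}")
```

Note that a more-specific announcement (the /25 cases) is Invalid even from the authorized AS, which is why maxLength should be set no longer than what you actually announce.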
Creating ROAs
ROAs are created through your Regional Internet Registry (RIR):
- ARIN — rpki-dashboard.arin.net
- RIPE NCC — my.ripe.net → "Create ROA"
- APNIC — myapnic.net → RPKI
- LACNIC — milacnic.lacnic.net
- AFRINIC — my.afrinic.net
Running a Validator
To validate routes, your router needs access to an RPKI validator:
```bash
# Install Routinator (popular open-source validator)
apt install routinator
# Initialize TAL (Trust Anchor Locator) files
routinator init --accept-arin-rpa
# Start serving validated ROA data (RTR protocol) and the HTTP status/metrics endpoint
routinator server --rtr 0.0.0.0:3323 --http 0.0.0.0:8323
```
Configuring Your Router
```text
! Cisco IOS-XR: drop RPKI-invalid routes. Neighbor 192.0.2.1 and AS 64496 are placeholders.
route-policy REJECT-INVALID
  if validation-state is invalid then
    drop
  endif
  pass
end-policy
router bgp 64512
 rpki server 10.0.0.100
  transport tcp port 3323
 neighbor 192.0.2.1
  remote-as 64496
  address-family ipv4 unicast
   route-policy REJECT-INVALID in
```
Current Adoption
As of 2026, RPKI adoption has crossed critical mass:
- 70%+ of IPv4 space is covered by ROAs.
- Major networks (Cloudflare, Google, AWS, NTT) reject RPKI-invalid routes.
- If you have not created ROAs for your prefixes, you are at risk of having your routes rejected.