RPKI: Securing BGP with Route Origin Validation

How Resource Public Key Infrastructure (RPKI) prevents BGP hijacking by cryptographically validating which ASes are authorized to originate prefixes.

The BGP Hijacking Problem

BGP was designed in an era of implicit trust. Any AS can announce any prefix, and neighboring routers accept it by default. This has led to:

  • Pakistan Telecom hijacking YouTube (2008) — AS 17557 announced YouTube's prefix, taking it offline globally.
  • Amazon Route 53 hijack (2018) — Attackers rerouted cryptocurrency traffic through a BGP hijack.
  • Thousands of smaller incidents — Route hijacks happen daily, most going unnoticed.

What Is RPKI?

RPKI (Resource Public Key Infrastructure) is a framework that lets resource holders (RIRs, ISPs) cryptographically attest to the relationship between IP prefixes and the ASes authorized to originate them.

The key building block is the ROA (Route Origin Authorization):

ROA: {
  Prefix: 203.0.113.0/24
  MaxLength: /24
  Origin AS: 64512
  Signed by: ARIN certificate chain
}

How ROV Works

Route Origin Validation (ROV) is the process of checking received BGP routes against published ROAs:

Received BGP route: 203.0.113.0/24 from AS 64512

Check ROA database:
  → ROA exists for 203.0.113.0/24, AS 64512, maxLen /24
  → Origin AS matches, prefix length within maxLength
  → Result: VALID ✓

State      Meaning                    Recommended Action
Valid      Route matches a ROA        Accept (prefer over others)
Invalid    Route conflicts with ROA   Reject
NotFound   No ROA exists              Accept (with lower preference)
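As an added example (not code from the original article), the RFC 6811 decision logic from the table above in Python, run over a constructed ROA table. Beyond the single walkthrough above it also covers the cases operators most often get wrong: a more-specific announcement that exceeds maxLength, a covering ROA with the wrong origin AS, an AS0 ROA, and a route with no covering ROA at all. The ROA entries and the `rov_state` / `evaluate` names are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class ROA:
    prefix: str      # address block the ROA covers, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the holder authorises
    origin_as: int   # 0 means "no AS may originate this prefix" (AS0 ROA)

def rov_state(route_prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # Only ROAs of the same address family whose prefix contains the route count
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs BOTH a matching origin AS AND an announced length no longer
        # than maxLength. Origin AS 0 is never valid (RFC 7607), so an AS0 ROA can
        # only make the routes it covers invalid.
        if origin_as != 0 and roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched none -> invalid; no covering ROA -> notfound
    return "invalid" if covered else "notfound"

# Constructed sample ROA table (hypothetical, not a registry export)
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 64512),
    ROA("198.51.100.0/22", 24, 64496),   # holder may announce anything from /22 to /24
    ROA("192.0.2.0/24", 24, 0),          # AS0 ROA: this prefix must not appear in BGP
]

def evaluate(routes, roas=SAMPLE_ROAS):
    """Map each (prefix, origin AS) announcement to its ROV state."""
    return {(prefix, asn): rov_state(prefix, asn, roas) for prefix, asn in routes}

if __name__ == "__main__":
    for (prefix, asn), state in evaluate([
        ("203.0.113.0/24", 64512), ("203.0.113.0/25", 64512),
        ("203.0.113.0/24", 64513), ("198.51.100.0/23", 64496),
        ("192.0.2.0/24", 64512), ("10.0.0.0/8", 64512),
    ]).items():
        print(f"{prefix} from AS{asn}: {state}")
```

Note that "invalid" is only returned when some ROA covers the route; that is why creating a ROA for your own prefix is what protects it, since an unregistered prefix is merely "notfound" when hijacked.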

Creating ROAs

ROAs are created through your Regional Internet Registry (RIR):

  • ARIN: rpki-dashboard.arin.net
  • RIPE NCC: my.ripe.net → "Create ROA"
  • APNIC: myapnic.net → RPKI
  • LACNIC: milacnic.lacnic.net
  • AFRINIC: my.afrinic.net

Running a Validator

To validate routes, your router needs access to an RPKI validator:

# Install Routinator (popular open-source validator)
apt install routinator

# Initialize TAL (Trust Anchor Locator) files
routinator init --accept-arin-rpa

# Start serving validated ROA data (RTR protocol)
routinator server --rtr 0.0.0.0:3323 --http 0.0.0.0:8323

Configuring Your Router

! Cisco IOS-XR: point BGP at the RPKI cache (RTR) and drop RPKI-invalid routes
route-policy REJECT-INVALID
  if validation-state is invalid then
    drop
  endif
  pass
end-policy
router bgp 64512
  rpki server 10.0.0.100
    transport tcp port 3323
  ! The policy is applied per neighbor; 192.0.2.1 / AS 64513 are placeholder values
  neighbor 192.0.2.1
    remote-as 64513
    address-family ipv4 unicast
      route-policy REJECT-INVALID in

Current Adoption

As of 2026, RPKI adoption has crossed critical mass:

  • 70%+ of IPv4 space is covered by ROAs.
  • Major networks (Cloudflare, Google, AWS, NTT) reject RPKI-invalid routes.
  • If you have not created ROAs for your prefixes, you are at risk of having your routes rejected.
