Resource Public Key Infrastructure (RPKI)

  1. What is RPKI?
  2. Why do we need RPKI?
  3. What is a ROA?
  4. How do I validate ROAs?

What is RPKI?

Resource Public Key Infrastructure (RPKI) is a public key infrastructure framework designed to secure the Internet’s routing infrastructure, specifically the Border Gateway Protocol (BGP). RPKI provides a way to connect Internet number resource information (such as IP addresses) to a trust anchor. Using RPKI, legitimate holders of number resources are able to control the operation of Internet routing protocols to prevent route hijacking and other attacks.

Why do we need RPKI?

Routing protocols are potentially at risk of attacks that can harm individual users or network operations as a whole. RPKI was specified by the IETF to provide a secure means to certify the allocation of Internet number resources, as a step towards securing routing. The Internet Architecture Board considers “a properly designed and deployed RPKI an absolute prerequisite to having a secure global routing system, which is in turn a prerequisite to having a reliable worldwide Internet.”

What is a ROA?

A ROA or Route Origin Authorization is an attestation of a BGP route announcement. It attests that the origin AS number is authorized to announce the prefix(es). The attestation can be verified cryptographically using RPKI.

How do I validate ROAs?

You can validate ROA objects using relying-party software. Here is a list of software packages which you can consider running. These systems are written and maintained by third parties and APNIC is not responsible for the code.

Dragon Research Labs RPKI Toolkit: A full-blown system which includes production, publication and validation software, written in Python. Tested to interoperate with APNIC production systems. Includes BGP RTR support.
RIPE’s RPKI Validator: Java code which includes a validator and BGP RTR protocol support.
NLNet Labs “Routinator” validation software: A validation system written in Rust, currently implementing BGP RTR support. Future work will include production and publication software.
Relying Party Security Technology for Internet Routing: A Java system written at BBN and maintained by Declan Ma at zDNS for validation.

For further assistance, please contact the APNIC Helpdesk:

+61 7 3858 3188
Multi-language phone support

Bahasa Indonesia, Bengali, Cantonese, English, Filipino (Tagalog), Hindi, and Mandarin.

+ 61 7 3858 3199