What is RPKI? Securing BGP Routing
RPKI (Resource Public Key Infrastructure) is a security framework that helps protect BGP routing from hijacks and misconfigurations. It provides a way for networks to cryptographically prove that they are authorized to announce specific IP address blocks, and for other networks to verify those claims.
The Problem: BGP Has No Built-In Security
BGP was designed in the late 1980s, when the internet was a small, trusted community. The protocol has no built-in mechanism to verify whether a network is actually authorized to announce a particular IP prefix. Any autonomous system can, in principle, announce any prefix — and other networks will accept it.
This has led to real-world incidents:
- 2008: YouTube hijack — Pakistan Telecom, trying to block YouTube domestically, announced a more-specific prefix of YouTube's address space. The announcement leaked to the global routing table, where the more-specific route won, and YouTube was unreachable worldwide for about two hours.
- 2018: Amazon Route 53 hijack — Attackers announced prefixes belonging to Amazon's Route 53 DNS service, so that DNS queries for myetherwallet.com reached their servers and were answered with the address of a phishing site, stealing cryptocurrency from MyEtherWallet users.
- 2021: Facebook outage — An internal configuration error took down Facebook's backbone connectivity; its DNS servers responded by withdrawing the BGP routes for Facebook's authoritative DNS prefixes, making Facebook, Instagram and WhatsApp unreachable for roughly six hours.
The first two incidents are exactly the case RPKI addresses: an AS originating prefixes it does not hold. The Facebook outage was self-inflicted, and no origin validation can stop a network from withdrawing its own routes; it is listed here because it shows how completely reachability depends on what is announced in BGP.
How RPKI Works
RPKI adds a layer of cryptographic verification to BGP. Here is how it works:
1. Route Origin Authorizations (ROAs)
The holder of an IP address block creates a Route Origin Authorization (ROA), a digitally signed statement that says: "AS number X is authorized to announce prefix Y, and more-specific prefixes of it up to a maximum prefix length of Z." The maximum length is optional; if it is omitted, only the exact length of Y is authorized, and announcing anything more specific makes that announcement Invalid.
For example, Google might create a ROA stating: "AS15169 is authorized to announce 8.8.8.0/24." With no maximum length beyond /24, an announcement of 8.8.8.0/25 from AS15169 would be Invalid even though the origin AS is right.
2. Certificate Chain
ROAs are signed with resource certificates that descend from the five Regional Internet Registries (ARIN, RIPE NCC, APNIC, AFRINIC, LACNIC). Each RIR is the trust anchor for the resources it administers and publishes a Trust Anchor Locator (TAL) from which validators find its root certificate; the certificate chain runs from the RIR down to the IP address holder, giving a verifiable trust hierarchy rooted in the organizations that allocate internet number resources. Most holders create ROAs through the RIR's hosted RPKI portal; larger operators can run a delegated certificate authority of their own.
3. Route Origin Validation (ROV)
Networks that implement RPKI perform Route Origin Validation on every BGP route they receive. Routers rarely parse ROAs themselves: a relying-party validator (Routinator, rpki-client and FORT are common choices) fetches the RIR repositories over rsync or RRDP, verifies the signatures and certificate chains, and pushes the resulting list of validated ROA payloads (prefix, maximum length, origin AS) to routers over the RPKI-to-Router protocol (RTR, RFC 8210). The router then compares each received route against that list and assigns it a validation state.
RPKI Validation States
When a BGP route is validated against RPKI, it receives one of three states:
- Valid — At least one ROA covers the prefix and matches the announcement: the origin AS equals the ROA's AS and the announced prefix length does not exceed the ROA's maximum length. One matching ROA is enough, even if other covering ROAs name a different AS. When you look up an IP address in our looking glass, valid routes are marked with a green RPKI badge.
- Invalid — One or more ROAs cover the prefix, but none matches: the origin AS is wrong, the announced prefix is more specific than the maximum length allows, or the only covering ROA names AS0 (which authorizes nobody). This is a strong signal of a hijack or misconfiguration; it is also what a forgotten or too-narrow ROA does to a legitimate announcement. Invalid routes are marked with a red INVALID RPKI badge.
- Not Found (Unknown) — No ROA covers this prefix, so the route cannot be validated either way. This is the state for prefixes whose holders have not yet deployed RPKI, and networks treat such routes as they always have.
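As an added example (not code from the looking glass or from any validator project), here is the RFC 6811 decision described in the three states above, together with the maximum-length rule from the ROA section, implemented in Python against a constructed ROA set. The ROA entries are made up for the demonstration: only the 8.8.8.0/24 entry mirrors the Google example in the text, and the remaining entries use documentation prefixes and private AS numbers (AS64496, AS64512) that stand in for real holders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload: prefix, maxLength and the authorised origin AS."""
    prefix: Network
    max_length: int
    origin_as: int


def make_roa(prefix: str, origin_as: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA. Per RFC 6482, an omitted maxLength means 'exactly this prefix length'."""
    net = ipaddress.ip_network(prefix, strict=True)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, origin_as)


def validate(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Route Origin Validation as specified in RFC 6811.

    Returns 'Valid', 'Invalid' or 'NotFound' for a route announcing `prefix`
    with origin AS `origin_as`, given the validated ROA payloads `roas`.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    # "Covering" ROAs: same address family and the ROA prefix contains the route prefix.
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"          # no ROA says anything about this prefix
    # A single matching ROA is enough for Valid, even if other covering ROAs disagree.
    for r in covering:
        if route.prefixlen <= r.max_length and r.origin_as == origin_as:
            return "Valid"
    return "Invalid"               # covered, but wrong origin or too specific


# Constructed ROA set for the demonstration (not real published ROAs; only the
# 8.8.8.0/24 entry mirrors the Google example in the text).
SAMPLE_ROAS: List[ROA] = [
    make_roa("8.8.8.0/24", 15169),                    # maxLength defaults to 24
    make_roa("198.51.100.0/24", 64496),               # documentation prefix, hypothetical AS
    make_roa("2001:db8::/32", 64496, max_length=48),  # /32 down to /48 allowed from AS64496
    make_roa("203.0.113.0/24", 0),                    # AS0 ROA: nobody may originate this
]


def validate_table(routes: Iterable[tuple], roas: Iterable[ROA]) -> List[tuple]:
    """Validate (prefix, origin_as) routes; returns (prefix, origin_as, state) tuples."""
    roas = list(roas)
    return [(p, a, validate(p, a, roas)) for p, a in routes]


if __name__ == "__main__":
    demo_routes = [
        ("8.8.8.0/24", 15169),       # Valid
        ("8.8.8.0/24", 64512),       # Invalid: wrong origin
        ("8.8.8.0/25", 15169),       # Invalid: /25 exceeds maxLength 24
        ("8.8.4.0/24", 15169),       # NotFound: no ROA covers it
        ("2001:db8:1::/48", 64496),  # Valid: within maxLength 48
        ("2001:db8:1::/64", 64496),  # Invalid: /64 exceeds maxLength 48
        ("203.0.113.0/24", 64496),   # Invalid: AS0 ROA forbids every origin
    ]
    for prefix, asn, state in validate_table(demo_routes, SAMPLE_ROAS):
        print(f"{prefix:18} AS{asn:<6} {state}")
```

The 8.8.8.0/25 case is the one operators most often trip over: the origin is correct, the /24 ROA covers the announcement, and it is still Invalid because the ROA's maximum length was never raised to cover the more-specific. A real validator feeds the same three-way answer to the router over RTR; the router's policy then decides whether Invalid means drop or merely lower preference.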
RPKI Deployment Progress
RPKI adoption has grown significantly in recent years. Major networks including Cloudflare (AS13335), Google (AS15169), and many large ISPs now perform Route Origin Validation and reject RPKI-invalid routes. According to NIST, over 40% of global prefixes now have valid ROAs.
However, adoption is uneven. Some regions and network types have much higher coverage than others. Full protection requires both sides of the exchange:
- ROA creation — IP address holders publishing ROAs for every prefix and prefix length they actually announce. A ROA for an aggregate whose maximum length is shorter than the more-specifics the holder announces turns those announcements Invalid, and enforcing networks will drop them.
- ROV enforcement — Networks rejecting (or at least deprioritizing) RPKI-invalid routes. Enforcing ROV protects your own traffic from following a hijacked route; protection for your own prefixes depends on the networks around you enforcing it too.
Beyond RPKI: BGPsec and ASPA
RPKI only validates the origin of a route. It does not verify the AS path, so an attacker who forges a path ending in the legitimate origin AS still produces a route that ROV marks Valid, and it says nothing about route leaks, where a network re-announces a route it was not supposed to pass on. Two further mechanisms aim to address this:
- BGPsec (RFC 8205) — Each AS that forwards a route signs the path, so a receiver can verify every hop. It is a published standard but has seen very little deployment: every AS on the path must participate, each update carries per-hop signatures that routers must verify, and router support is scarce.
- ASPA (Autonomous System Provider Authorization) — A lighter-weight approach, still being finalized in the IETF, where each AS publishes in the RPKI a signed list of its authorized transit providers. A route whose path passes from an AS to a neighbor that AS has not listed as a provider is flagged, which catches route leaks and many path manipulations without signing every update.
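To make the ASPA idea concrete, here is an added example (not code from the looking glass, from any router vendor or from the IETF draft authors) of the simplest ASPA check: verifying a route received from a customer or lateral peer, where every hop from the origin towards the receiver must be a customer-to-provider step. The ASPA records, AS numbers and topology are constructed for the demonstration. The IETF draft also defines a check for routes received from providers, where the path may go up and then down; that case is deliberately left out here.

```python
from typing import Dict, List, Set

# Constructed ASPA records: customer AS -> set of its authorised providers.
# An AS absent from the table has published no ASPA. AS64510 and AS64511 are
# modelled as transit-free networks whose ASPAs list no providers at all.
SAMPLE_ASPAS: Dict[int, Set[int]] = {
    64496: {64500},          # origin, single-homed customer of AS64500
    64500: {64510, 64511},   # multihomed to two upstreams
    64501: {64510, 64511},   # another customer of both upstreams
    64510: set(),            # transit-free: no providers
    64511: set(),
}


def collapse_prepends(hops: List[int]) -> List[int]:
    """Drop consecutive repeats so AS prepending does not create bogus adjacencies."""
    out: List[int] = []
    for asn in hops:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def aspa_upstream_check(as_path: List[int], receiving_as: int,
                        aspas: Dict[int, Set[int]]) -> str:
    """Simplified ASPA check for a route received from a customer or lateral peer.

    as_path is in BGP wire order (leftmost = neighbour that sent the route,
    rightmost = origin). Walking from the origin towards the receiver, each
    adjacent pair must be customer -> provider according to the customer's ASPA:
      - the customer's ASPA lists the next hop as a provider: hop is fine
      - the customer has no ASPA: hop is unknown
      - the customer's ASPA omits the next hop: the route is Invalid (a leak)
    Any Invalid hop makes the route Invalid; otherwise an unknown hop makes it
    Unknown; otherwise it is Valid.
    """
    hops = collapse_prepends(list(reversed(as_path)) + [receiving_as])
    saw_unknown = False
    for customer, provider in zip(hops, hops[1:]):
        if customer not in aspas:
            saw_unknown = True
            continue
        if provider not in aspas[customer]:
            return "Invalid"
    return "Unknown" if saw_unknown else "Valid"


if __name__ == "__main__":
    # Normal case: AS64510 hears the origin via its customer AS64500.
    print(aspa_upstream_check([64500, 64496], 64510, SAMPLE_ASPAS))               # Valid
    # Leak: AS64501 learned the route from its provider AS64510 and re-announced
    # it to its other provider AS64511. AS64510's ASPA lists no providers, so the
    # hop AS64510 -> AS64501 is not customer -> provider.
    print(aspa_upstream_check([64501, 64510, 64500, 64496], 64511, SAMPLE_ASPAS))  # Invalid
    # Origin AS64497 has published no ASPA: the route cannot be fully checked.
    print(aspa_upstream_check([64500, 64497], 64510, SAMPLE_ASPAS))               # Unknown
```

The leak case is the one ASPA was designed for: every origin on that path is perfectly legitimate and ROV would call the route Valid, but the hop where a transit-free network appears "below" one of its own customers cannot occur in a properly filtered topology, so the receiving network can reject it.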
Check RPKI Status
When you look up any IP address or prefix, the looking glass automatically checks the RPKI validation status. Try these lookups to see RPKI in action: