Understanding RPKI and ROA

Learn about Route Origin Authorization and how it secures BGP routing.

What is RPKI?

Resource Public Key Infrastructure (RPKI) is a cryptographic framework designed to secure the internet's routing infrastructure. It provides a way to connect Internet number resource information (such as IP addresses and ASNs) to a trust anchor, enabling network operators to verify the legitimacy of BGP route announcements.

Why RPKI Matters

RPKI adoption is growing rapidly. Major networks and IXPs are increasingly filtering routes based on RPKI validation. Without proper ROA records, your IP announcements may be rejected by many networks.

What is a ROA?

A Route Origin Authorization (ROA) is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate a particular IP address prefix. ROAs are the core building blocks of RPKI.

A ROA contains three key pieces of information:

  • Prefix: The IP address block (e.g., 192.0.2.0/24)
  • Maximum Length: The longest (most specific) prefix length that can be announced from this block
  • Origin AS: The ASN authorized to announce this prefix

RPKI Validation States

When a network validates a BGP announcement against RPKI, there are three possible outcomes:

  • Valid: ROA exists and matches the announcement
  • Invalid: ROA exists but doesn't match (likely hijack)
  • Not Found: No ROA exists for this prefix

How RPKI Works with Leased IPs

When you lease IP addresses through our marketplace, the ROA creation process works as follows:

  1. Lease Agreement: You lease the IP range and provide your ASN
  2. ROA Request: You request a ROA through your lease management dashboard
  3. IP Holder Creates ROA: The IP holder creates a ROA record in the RIR's RPKI system
  4. Propagation: The ROA propagates through the RPKI infrastructure (usually within hours)
  5. Announce: You can now announce the IP range with RPKI-valid status

Benefits of RPKI/ROA

  • Protection Against Hijacking: Makes unauthorized route announcements detectable
  • Improved Acceptance: Your routes are more likely to be accepted by major networks
  • Industry Standard: Shows you follow best practices for network security
  • Required by Many Providers: Some networks only accept RPKI-valid routes

ROA Management Best Practices

Do's and Don'ts

Do:

  • Request ROA creation immediately after leasing
  • Use the correct maxLength for your announcements
  • Verify ROA status before announcing routes
  • Update ROAs when your ASN changes

Don't:

  • Announce routes before the ROA is active
  • Use a different ASN than the one in the ROA
  • Announce more-specific prefixes than maxLength allows
  • Forget to request ROA removal when the lease ends

Checking RPKI Status

You can verify the RPKI status of IP prefixes using various online tools:

  • RIPE RIPEstat: stat.ripe.net
  • Cloudflare RPKI Portal: rpki.cloudflare.com
  • Hurricane Electric BGP Toolkit: bgp.he.net

Troubleshooting RPKI Issues

  • Route shows as Invalid: Check that your ASN matches the ROA. Verify you're not announcing a more-specific prefix than allowed by maxLength.
  • ROA not propagating: ROA propagation can take up to 24 hours. Contact the IP holder if the ROA doesn't appear after this time.
  • Multiple ROAs conflict: If there are multiple ROAs for the same prefix, ensure all are valid for your ASN or request removal of outdated ones.