RPKI (Resource Public Key Infrastructure)
What is RPKI (Resource Public Key Infrastructure)?
RPKI (Resource Public Key Infrastructure)A cryptographic infrastructure standardized by the IETF that lets resource holders publish signed Route Origin Authorizations (ROAs) for their IP prefixes, so BGP routers can drop or deprioritize obviously invalid route announcements.
Resource Public Key Infrastructure (RPKI) is a hierarchical certificate-based infrastructure, standardized in RFCs 6480-onwards, that lets Internet number-resource holders cryptographically authorize which AS numbers may originate BGP routes for their IPv4 and IPv6 prefixes. Each Regional Internet Registry (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) anchors an RPKI hierarchy under which resource holders issue Route Origin Authorizations (ROAs) tying a prefix to an origin ASN and a maximum prefix length. ISPs and IXPs run RPKI validators (Routinator, rpki-client, Fort, RPKI-validator-3) that download and verify the global ROA tree and feed validated state to BGP routers via the RPKI-to-Router (RTR) protocol; routers then mark incoming announcements as VALID, INVALID, or NOT FOUND and apply policy (typically rejecting INVALID). RPKI deployment took years to gain traction but accelerated after high-profile BGP hijacks (YouTube/Pakistan, MyEtherWallet 2018, Telstra/Cloudflare incidents) and is now considered baseline operational hygiene for transit ASNs. Many large content networks (Cloudflare, Google, Amazon) reject RPKI-invalid routes by default.
● Examples
- 01
An ISP runs Routinator and configures its border routers to drop any BGP announcement that is RPKI-invalid, blocking accidental prefix-hijacks from misconfigured customers.
- 02
An enterprise publishes ROAs for its IP space so that a hijacker announcing a more-specific from a different ASN gets dropped by RPKI-validating transit providers.
● Frequently asked questions
What is RPKI (Resource Public Key Infrastructure)?
A cryptographic infrastructure standardized by the IETF that lets resource holders publish signed Route Origin Authorizations (ROAs) for their IP prefixes, so BGP routers can drop or deprioritize obviously invalid route announcements. It belongs to the Network Security category of cybersecurity.
What does RPKI (Resource Public Key Infrastructure) mean?
A cryptographic infrastructure standardized by the IETF that lets resource holders publish signed Route Origin Authorizations (ROAs) for their IP prefixes, so BGP routers can drop or deprioritize obviously invalid route announcements.
How does RPKI (Resource Public Key Infrastructure) work?
Resource Public Key Infrastructure (RPKI) is a hierarchical certificate-based infrastructure, standardized in RFCs 6480-onwards, that lets Internet number-resource holders cryptographically authorize which AS numbers may originate BGP routes for their IPv4 and IPv6 prefixes. Each Regional Internet Registry (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) anchors an RPKI hierarchy under which resource holders issue Route Origin Authorizations (ROAs) tying a prefix to an origin ASN and a maximum prefix length. ISPs and IXPs run RPKI validators (Routinator, rpki-client, Fort, RPKI-validator-3) that download and verify the global ROA tree and feed validated state to BGP routers via the RPKI-to-Router (RTR) protocol; routers then mark incoming announcements as VALID, INVALID, or NOT FOUND and apply policy (typically rejecting INVALID). RPKI deployment took years to gain traction but accelerated after high-profile BGP hijacks (YouTube/Pakistan, MyEtherWallet 2018, Telstra/Cloudflare incidents) and is now considered baseline operational hygiene for transit ASNs. Many large content networks (Cloudflare, Google, Amazon) reject RPKI-invalid routes by default.
How do you defend against RPKI (Resource Public Key Infrastructure)?
Defences for RPKI (Resource Public Key Infrastructure) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for RPKI (Resource Public Key Infrastructure)?
Common alternative names include: Resource Public Key Infrastructure, RPKI ROA.
● Related terms
- network-security№ 108
BGP Hijacking
An attack in which an autonomous system announces IP prefixes it does not legitimately own, attracting and potentially intercepting global Internet traffic.
- network-security№ 109
BGP Route Leak
An unintended BGP propagation in which an autonomous system advertises routes outside the intended business relationship, often steering global traffic into the wrong AS.
- network-security№ 174
Certificate Authority (CA)
A trusted entity that issues and signs digital certificates, binding cryptographic public keys to verified identities such as domain names or organisations.
- network-security№ 981
Public Key Infrastructure (PKI)
The combined system of policies, software, hardware and trusted authorities used to issue, distribute, validate and revoke digital certificates that bind identities to public keys.
- network-security№ 380
DNSSEC
A set of DNS extensions that uses digital signatures to let resolvers verify the authenticity and integrity of DNS records.
- network-security№ 1385
X.509 Certificate
A standard structure for a digital certificate that binds a public key to an identity through a signature from a trusted certificate authority.