RPKI (Resource Public Key Infrastructure).

A cryptographic infrastructure standardized by the IETF that lets resource holders publish signed Route Origin Authorizations (ROAs) for their IP prefixes, so BGP routers can drop or deprioritize obviously invalid route announcements. Cette notion relève de la catégorie Sécurité réseau en cybersécurité.

A cryptographic infrastructure standardized by the IETF that lets resource holders publish signed Route Origin Authorizations (ROAs) for their IP prefixes, so BGP routers can drop or deprioritize obviously invalid route announcements.

Resource Public Key Infrastructure (RPKI) is a hierarchical certificate-based infrastructure, standardized in RFCs 6480-onwards, that lets Internet number-resource holders cryptographically authorize which AS numbers may originate BGP routes for their IPv4 and IPv6 prefixes. Each Regional Internet Registry (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) anchors an RPKI hierarchy under which resource holders issue Route Origin Authorizations (ROAs) tying a prefix to an origin ASN and a maximum prefix length. ISPs and IXPs run RPKI validators (Routinator, rpki-client, Fort, RPKI-validator-3) that download and verify the global ROA tree and feed validated state to BGP routers via the RPKI-to-Router (RTR) protocol; routers then mark incoming announcements as VALID, INVALID, or NOT FOUND and apply policy (typically rejecting INVALID). RPKI deployment took years to gain traction but accelerated after high-profile BGP hijacks (YouTube/Pakistan, MyEtherWallet 2018, Telstra/Cloudflare incidents) and is now considered baseline operational hygiene for transit ASNs. Many large content networks (Cloudflare, Google, Amazon) reject RPKI-invalid routes by default.

Les défenses contre RPKI (Resource Public Key Infrastructure) combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.

Noms alternatifs courants : Resource Public Key Infrastructure, RPKI ROA.