RPKI (Resource Public Key Infrastructure)
What is RPKI (Resource Public Key Infrastructure)?
A cryptographic infrastructure standardized by the IETF that lets resource holders publish signed Route Origin Authorizations (ROAs) for their IP prefixes, so BGP routers can drop or deprioritize obviously invalid route announcements.
Resource Public Key Infrastructure (RPKI) is a hierarchical certificate-based infrastructure, standardized in RFC 6480 and subsequent RFCs, that lets Internet number-resource holders cryptographically authorize which AS numbers may originate BGP routes for their IPv4 and IPv6 prefixes. Each Regional Internet Registry (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) anchors an RPKI hierarchy under which resource holders issue Route Origin Authorizations (ROAs) tying a prefix to an origin ASN and a maximum prefix length. ISPs and IXPs run RPKI validators (Routinator, rpki-client, Fort, RPKI-validator-3) that download and verify the global ROA tree and feed validated state to BGP routers via the RPKI-to-Router (RTR) protocol; routers then mark incoming announcements as VALID, INVALID, or NOT FOUND and apply policy (typically rejecting INVALID). RPKI deployment took years to gain traction but accelerated after high-profile BGP hijacks (YouTube/Pakistan, MyEtherWallet 2018, Telstra/Cloudflare incidents) and is now considered baseline operational hygiene for transit ASNs. Many large content networks (Cloudflare, Google, Amazon) reject RPKI-invalid routes by default.
● Examples
- 01
An ISP runs Routinator and configures its border routers to drop any BGP announcement that is RPKI-invalid, blocking accidental prefix-hijacks from misconfigured customers.
- 02
An enterprise publishes ROAs for its IP space so that a hijacker announcing a more-specific prefix from a different ASN gets dropped by RPKI-validating transit providers.
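The origin-validation decision described above, applied to both examples, as an added illustration that is not code from the original page or from any of the validators it names: a small Python implementation of the RFC 6811 comparison of a BGP announcement against a ROA set. The ROAs, prefixes and ASNs are constructed from documentation ranges, not real registry data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str      # authorized prefix, e.g. "198.51.100.0/24"
    max_length: int  # longest prefix length the origin AS may announce
    asn: int         # authorized origin AS number

def rov_state(announced_prefix: str, origin_asn: int, roas) -> str:
    """Route Origin Validation per RFC 6811.
    VALID     - at least one covering ROA matches the origin ASN and the
                announced length does not exceed maxLength.
    INVALID   - covering ROAs exist but none matches (wrong origin AS,
                or announced prefix longer than maxLength).
    NOT FOUND - no ROA covers the announced prefix at all.
    """
    route = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises TypeError on mixed address families, so check first.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # a covering ROA exists for this announcement
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "VALID"
    return "INVALID" if covered else "NOT FOUND"

# Constructed sample ROA set (documentation prefixes and ASNs, not registry data).
SAMPLE_ROAS = [
    ROA("198.51.100.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64500),
]

def accept_route(state: str) -> bool:
    """Typical border-router policy: reject INVALID, accept VALID and NOT FOUND."""
    return state != "INVALID"

if __name__ == "__main__":
    for prefix, asn in [("198.51.100.0/24", 64500),   # legitimate origin
                        ("198.51.100.0/25", 64500),   # right AS, exceeds maxLength
                        ("198.51.100.0/25", 64501),   # more-specific from another AS
                        ("203.0.113.0/24", 64501)]:   # no ROA published
        state = rov_state(prefix, asn, SAMPLE_ROAS)
        action = "accept" if accept_route(state) else "drop"
        print(f"{prefix:18} AS{asn}: {state:9} -> {action}")
```

Note that a route with no covering ROA stays NOT FOUND and is accepted, which is why the second example's protection only exists once the enterprise has actually published its ROAs.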
● Frequently asked questions
What is RPKI (Resource Public Key Infrastructure)?
A cryptographic infrastructure standardized by the IETF that lets resource holders publish signed Route Origin Authorizations (ROAs) for their IP prefixes, so BGP routers can drop or deprioritize obviously invalid route announcements. It belongs to the Network Security category of Cybersecurity.
How does RPKI (Resource Public Key Infrastructure) work?
Resource Public Key Infrastructure (RPKI) is a hierarchical certificate-based infrastructure, standardized in RFC 6480 and subsequent RFCs, that lets Internet number-resource holders cryptographically authorize which AS numbers may originate BGP routes for their IPv4 and IPv6 prefixes. Each Regional Internet Registry (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) anchors an RPKI hierarchy under which resource holders issue Route Origin Authorizations (ROAs) tying a prefix to an origin ASN and a maximum prefix length. ISPs and IXPs run RPKI validators (Routinator, rpki-client, Fort, RPKI-validator-3) that download and verify the global ROA tree and feed validated state to BGP routers via the RPKI-to-Router (RTR) protocol; routers then mark incoming announcements as VALID, INVALID, or NOT FOUND and apply policy (typically rejecting INVALID). RPKI deployment took years to gain traction but accelerated after high-profile BGP hijacks (YouTube/Pakistan, MyEtherWallet 2018, Telstra/Cloudflare incidents) and is now considered baseline operational hygiene for transit ASNs. Many large content networks (Cloudflare, Google, Amazon) reject RPKI-invalid routes by default.
How do you defend against RPKI (Resource Public Key Infrastructure)?
Defense relating to RPKI (Resource Public Key Infrastructure) typically combines technical controls with operational practices, as described in the definition above.
What are other names for RPKI (Resource Public Key Infrastructure)?
Common aliases: Resource Public Key Infrastructure, RPKI ROA.
● Related terms
- network-security № 108
BGP hijacking
An attack in which an attacker's autonomous system (AS) advertises IP prefixes it does not legitimately hold, drawing in Internet traffic from around the world and intercepting it as needed.
- network-security № 109
BGP route leak
Unintended BGP propagation in which an AS advertises routes beyond its intended business relationships, often funnelling global traffic into the wrong AS.
- network-security № 174
Certificate Authority (CA)
A trusted entity that binds public keys to verified identities such as domain names or organizations, and issues and signs digital certificates.
- network-security № 981
Public Key Infrastructure (PKI)
The combination of policies, software, hardware and trusted entities that issues, distributes, validates and revokes the digital certificates that bind identities to public keys.
- network-security № 380
DNSSEC
A set of DNS extensions that use digital signatures so that resolvers can verify the authenticity and integrity of DNS records.
- network-security № 1385
X.509 certificate
The standardized digital certificate structure that binds a public key to an identity through the signature of a trusted CA.