RPKI (Resource Public Key Infrastructure).

A cryptographic infrastructure standardized by the IETF that lets resource holders publish signed Route Origin Authorizations (ROAs) for their IP prefixes, so BGP routers can drop or deprioritize obviously invalid route announcements. Pertence à categoria Segurança de rede da cibersegurança.

A cryptographic infrastructure standardized by the IETF that lets resource holders publish signed Route Origin Authorizations (ROAs) for their IP prefixes, so BGP routers can drop or deprioritize obviously invalid route announcements.

Resource Public Key Infrastructure (RPKI) is a hierarchical certificate-based infrastructure, standardized in RFCs 6480-onwards, that lets Internet number-resource holders cryptographically authorize which AS numbers may originate BGP routes for their IPv4 and IPv6 prefixes. Each Regional Internet Registry (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) anchors an RPKI hierarchy under which resource holders issue Route Origin Authorizations (ROAs) tying a prefix to an origin ASN and a maximum prefix length. ISPs and IXPs run RPKI validators (Routinator, rpki-client, Fort, RPKI-validator-3) that download and verify the global ROA tree and feed validated state to BGP routers via the RPKI-to-Router (RTR) protocol; routers then mark incoming announcements as VALID, INVALID, or NOT FOUND and apply policy (typically rejecting INVALID). RPKI deployment took years to gain traction but accelerated after high-profile BGP hijacks (YouTube/Pakistan, MyEtherWallet 2018, Telstra/Cloudflare incidents) and is now considered baseline operational hygiene for transit ASNs. Many large content networks (Cloudflare, Google, Amazon) reject RPKI-invalid routes by default.

As defesas contra RPKI (Resource Public Key Infrastructure) costumam combinar controles técnicos e práticas operacionais, conforme detalhado na definição acima.

Nomes alternativos comuns: Resource Public Key Infrastructure, RPKI ROA.