RPKI (Resource Public Key Infrastructure)
What is RPKI (Resource Public Key Infrastructure)?
A cryptographic infrastructure, standardized by the IETF, that lets holders of IP address space publish signed Route Origin Authorizations (ROAs) for their prefixes, so that BGP routers can reject or deprioritize route announcements whose origin AS is not authorized.
Resource Public Key Infrastructure (RPKI) is a hierarchical X.509 certificate infrastructure, specified in RFC 6480 and its companion RFCs, that lets holders of Internet number resources cryptographically authorize which autonomous system numbers may originate BGP routes for their IPv4 and IPv6 prefixes. Each of the five Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) publishes a trust anchor under which resource holders issue Route Origin Authorizations (ROAs) tying a prefix to an origin ASN and a maximum prefix length (maxLength). ISPs and IXPs run relying-party validators (Routinator, rpki-client, Fort; RIPE NCC's RPKI Validator 3 has since been discontinued) that fetch the repositories, verify the certificate chains and ROA signatures, and feed the resulting Validated ROA Payloads to routers over the RPKI-to-Router (RTR) protocol (RFC 8210). Routers then perform Route Origin Validation (RFC 6811), marking each received announcement VALID, INVALID, or NOT FOUND and applying policy: typically rejecting INVALID while still accepting NOT FOUND, because a large share of address space has no ROA yet.
Two caveats matter operationally. First, RPKI validates only the origin AS of a route, not the AS path, so an attacker who forges the legitimate origin ASN at the end of its path is not caught by origin validation alone (path validation is the job of BGPsec, which is far less deployed). Second, a maxLength looser than the prefixes the holder actually announces lets such a forged-origin more-specific hijack validate as VALID, so holders should set maxLength to the exact lengths they announce (RFC 9319). Deployment took years to gain traction but accelerated after high-profile hijacks and route leaks (Pakistan Telecom/YouTube in 2008, the MyEtherWallet/Amazon Route 53 hijack in 2018, the Verizon leak that hit Cloudflare in 2019, and Telstra's leak in 2020) and is now considered baseline operational hygiene for transit networks. Large content and cloud networks, including Cloudflare, Google, and Amazon, drop RPKI-invalid routes.
● Examples
- 01
An ISP runs Routinator and configures its border routers to drop any BGP announcement that is RPKI-invalid, blocking accidental prefix hijacks from misconfigured customers.
- 02
An enterprise publishes ROAs for its IP space so that a hijacker announcing a more-specific prefix from a different ASN is dropped by every RPKI-validating transit provider.
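The definition and the two examples above all come down to one decision procedure on the router: compare an announcement (prefix, origin ASN) against the Validated ROA Payloads and label it VALID, INVALID, or NOT FOUND. The block below is an added example written for this entry, not code from any validator or router vendor; it implements the RFC 6811 origin validation rules (including the AS 0 handling of RFC 7607) over a constructed set of ROAs using documentation prefixes (RFC 5737, RFC 3849) and documentation ASNs (RFC 5398). Signature verification of the ROAs themselves is assumed to have been done by the validator and is out of scope.

```python
"""Route Origin Validation (RFC 6811) against a constructed set of VRPs.

Added example for this glossary entry; it is not code from any RPKI validator
or router. The ROAs and announcements are constructed test data using
documentation prefixes (RFC 5737, RFC 3849) and documentation ASNs (RFC 5398).
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: the (prefix, maxLength, origin ASN) tuple a
    validator sends to routers over RTR after verifying the ROA signature
    chain. Signature verification is out of scope here."""
    prefix: Network
    max_length: int
    origin_asn: int


def vrp(prefix: str, origin_asn: int, max_length: Optional[int] = None) -> VRP:
    """Build a VRP. maxLength defaults to the prefix length, which is the
    tightest setting: it authorizes only the exact prefix."""
    net = ipaddress.ip_network(prefix)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return VRP(net, ml, origin_asn)


def covers(v: VRP, route: Network) -> bool:
    """RFC 6811 'covered': the VRP prefix is the same length or shorter than
    the route and they agree on every bit of the VRP prefix length.
    maxLength plays no role here; it only affects 'matched'."""
    return route.version == v.prefix.version and route.subnet_of(v.prefix)


def matches(v: VRP, route: Network, origin_asn: int) -> bool:
    """RFC 6811 'matched': covered, route no longer than maxLength, and the
    announced origin ASN equals the ROA's ASN."""
    return (covers(v, route)
            and route.prefixlen <= v.max_length
            and origin_asn == v.origin_asn)


def validate(vrps: Iterable[VRP], prefix: str, origin_asn: int) -> str:
    """Return the RFC 6811 validation state of one BGP announcement."""
    route = ipaddress.ip_network(prefix)
    # AS 0 is never a legitimate origin (RFC 7607); a route claiming it is
    # INVALID even where an AS0 ROA exists, so AS0 ROAs can only ever block.
    if origin_asn == 0:
        return "INVALID"
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "NOT FOUND"          # no ROA speaks for this space at all
    if any(matches(v, route, origin_asn) for v in covering):
        return "VALID"
    return "INVALID"                # a ROA exists, but not for this origin/length


def accept(state: str, drop_invalid: bool = True) -> bool:
    """Typical border-router policy: drop INVALID, accept VALID and NOT FOUND
    (NOT FOUND must be accepted, since much address space still lacks ROAs)."""
    return state != "INVALID" or not drop_invalid


# Constructed ROA set for two fictitious resource holders.
VRPS = [
    vrp("192.0.2.0/24", 64496),                     # exact /24 only
    vrp("198.51.100.0/24", 64497, max_length=26),   # allows /24 .. /26
    vrp("2001:db8::/32", 64496, max_length=48),
    vrp("203.0.113.0/24", 0),                       # AS0: must not be routed
]

# Constructed announcements: (prefix, origin ASN, what it models).
ANNOUNCEMENTS: List[Tuple[str, int, str]] = [
    ("192.0.2.0/24", 64496, "legitimate origin"),
    ("192.0.2.0/25", 64496, "own more-specific beyond maxLength"),
    ("192.0.2.0/25", 64511, "more-specific hijack from another AS"),
    ("192.0.2.0/23", 64496, "less-specific: not covered by a /24 ROA"),
    ("198.51.100.64/26", 64497, "more-specific within maxLength"),
    ("198.51.100.0/24", 64511, "origin hijack of the whole prefix"),
    ("2001:db8:1::/48", 64496, "IPv6 more-specific within maxLength"),
    ("10.0.0.0/8", 64496, "space with no ROA at all"),
    ("203.0.113.0/24", 64498, "announcing an AS0-protected prefix"),
]


def evaluate(vrps=VRPS, announcements=ANNOUNCEMENTS):
    """Validate every announcement; returns {(prefix, asn): state}."""
    return {(p, asn): validate(vrps, p, asn) for p, asn, _ in announcements}


if __name__ == "__main__":
    for (p, asn), state in evaluate().items():
        verdict = "accept" if accept(state) else "drop"
        print(f"{p:<20} AS{asn:<6} {state:<10} -> {verdict}")
```

Note the two non-obvious outcomes: a holder's own /25 is INVALID when its ROA allows only /24, which is exactly how a loose maxLength would instead let a forged-origin more-specific through, and a less-specific /23 is NOT FOUND rather than INVALID, because a /24 ROA does not cover it at all.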
● FAQ
What is RPKI (Resource Public Key Infrastructure)?
A cryptographic infrastructure, standardized by the IETF, that lets resource holders publish signed Route Origin Authorizations (ROAs) for their IP prefixes so that BGP routers can reject or deprioritize announcements whose origin AS is not authorized. It belongs to the network security category.
What does RPKI (Resource Public Key Infrastructure) mean?
Resource Public Key Infrastructure: a public key infrastructure for Internet number resources (IP prefixes and AS numbers). Its signed ROAs state which origin AS may announce a prefix and up to what prefix length, so routers performing origin validation can detect announcements that contradict the holder's authorization.
How does RPKI (Resource Public Key Infrastructure) work?
In four steps: (1) the resource holder obtains an RPKI resource certificate from its RIR and signs ROAs, each binding a prefix to an origin ASN and a maximum prefix length; (2) relying-party validators (Routinator, rpki-client, Fort) fetch the repositories below the five RIR trust anchors and verify the certificate chains and ROA signatures; (3) the validator pushes the resulting Validated ROA Payloads to border routers over the RTR protocol; (4) each router compares every received BGP announcement against those payloads and labels it VALID, INVALID, or NOT FOUND, typically dropping INVALID. See the full definition above.
How is RPKI (Resource Public Key Infrastructure) used as a defense?
RPKI is itself a defense against BGP prefix hijacks and misorigination. Deploying it combines technical controls with operational practice: the resource holder publishes ROAs for all of its prefixes, with maxLength set to the lengths it actually announces, and network operators run validators and enforce origin validation on their border routers, rejecting INVALID announcements. See the full definition above.
What other names does RPKI (Resource Public Key Infrastructure) go by?
Common alternative names include: Resource Public Key Infrastructure, RPKI ROA.
● Related terms
- network-security№ 108
BGP hijacking
An attack in which an attacker's autonomous system announces IP prefixes it does not actually hold, attracting and potentially intercepting Internet traffic worldwide.
- network-security№ 109
BGP route leak
Unintended propagation in BGP: an autonomous system announces routes beyond the scope its commercial relationships permit, often misdirecting global traffic through another AS.
- network-security№ 174
Certificate Authority (CA)
A trusted third party that issues and signs digital certificates, binding a public key to a verified domain name or organizational identity.
- network-security№ 981
Public Key Infrastructure (PKI)
A system of policies, software, hardware, and trusted authorities that issues, distributes, validates, and revokes digital certificates binding identities to public keys.
- network-security№ 380
DNSSEC
A set of DNS extensions that use digital signatures so resolvers can verify the authenticity and integrity of DNS records.
- network-security№ 1385
X.509 certificate
The standard structure for digital certificates, binding a public key to an identity through the signature of a trusted CA.