RPKI and ROAs are security mechanisms that verify the legitimacy of BGP route announcements. Understanding them is essential for anyone announcing IP prefixes on the internet.
What is RPKI?
RPKI (Resource Public Key Infrastructure) is a cryptographic framework that secures internet routing by verifying that an autonomous system is authorized to announce specific IP prefixes.
It addresses a fundamental vulnerability in BGP: without RPKI, any network could claim to own any IP address range, potentially hijacking traffic.
Understanding ROAs
A ROA (Route Origin Authorization) is a cryptographically signed object that states which AS is authorized to announce a specific IP prefix.
A ROA Contains:
- The IP prefix (e.g., 192.0.2.0/24)
- The authorized ASN
- Maximum prefix length allowed
RPKI Validation States
When networks check routes against RPKI, each route gets one of three validation states:
- Valid: ROA exists and matches the announcement
- NotFound (also called Unknown): No ROA exists for this prefix
- Invalid: ROA exists but doesn't match (potential hijack)
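The check behind these three states, as an added example that is not IP Market's or any validator's own code: it follows the route origin validation rules of RFC 6811 using the three ROA fields listed above. The names `ROA`, `validate_origin` and `SAMPLE_ROAS` are hypothetical, and the sample ROAs are constructed from documentation prefixes and documentation ASNs.

```python
import ipaddress
from typing import NamedTuple, Sequence


class ROA(NamedTuple):
    prefix: str      # IP prefix the ROA covers
    asn: int         # ASN authorized to originate it
    max_length: int  # longest prefix length that ASN may announce


def validate_origin(route: str, origin_asn: int, roas: Sequence[ROA]) -> str:
    """Classify one announcement as Valid, NotFound or Invalid."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route when the route is equal to, or more
        # specific than, the ROA prefix. The version check comes first
        # because subnet_of() raises TypeError on mixed IPv4/IPv6.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA matches only if the origin ASN is the authorized
        # one AND the announced length does not exceed max_length.
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    # Covered by at least one ROA but matched by none: Invalid.
    # Covered by no ROA at all: NotFound.
    return "Invalid" if covered else "NotFound"


# Constructed sample data (documentation prefixes and ASNs, not real ROAs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 64500, 24),
    ROA("2001:db8::/32", 64501, 48),
]

if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64500),     # authorized origin, allowed length
        ("192.0.2.0/24", 64511),     # covered prefix, wrong origin ASN
        ("192.0.2.128/25", 64500),   # right ASN, longer than max_length
        ("198.51.100.0/24", 64500),  # no covering ROA
    ]
    for route, asn in announcements:
        print(f"{route} from AS{asn}: {validate_origin(route, asn, SAMPLE_ROAS)}")
```

The `/25` case is the one operators most often trip over: the authorized ASN announcing a more specific prefix than the ROA's maximum length is Invalid, not Valid.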
Why ROAs Matter
Valid ROAs are increasingly important for reliable connectivity.
- Prevent Hijacking: Cryptographic proof you're authorized to announce prefixes
- Better Routing: Major networks prefer or require routes with valid ROAs
- Industry Standard: Expected practice for professional network operations
ROAs and IP Leasing
When you lease IP addresses from IP Market, we create ROA records authorizing your ASN to announce the leased prefixes.
This ensures your announcements are validated and your traffic routes reliably across networks that enforce RPKI.