RPKI and ROA are security systems that verify the legitimacy of BGP route announcements. Understanding them is essential for anyone announcing IP prefixes on the internet.
What is RPKI?
RPKI (Resource Public Key Infrastructure) is a cryptographic framework that secures internet routing by verifying that an autonomous system is authorized to announce specific IP prefixes.
It addresses a fundamental vulnerability in BGP: without RPKI, any network could claim to own any IP address range, potentially hijacking traffic.
Understanding ROAs
A ROA (Route Origin Authorization) is a cryptographically signed object that states which AS is authorized to announce a specific IP prefix.
A ROA Contains:
- IP prefix (for example, 192.0.2.0/24)
- Authorized ASN
- Maximum prefix length allowed
RPKI Validation States
When networks validate routes through RPKI, they get one of three validation states:
- ROA exists and matches the announcement
- No ROA exists for this prefix
- ROA exists but doesn't match (potential hijack)
Why ROAs Matter
Valid ROAs are increasingly important for reliable connectivity.
- Prevent Hijacking: Cryptographic proof you're authorized to announce prefixes
- Better Routing: Major networks prefer or require valid ROA routes
- Industry Standard: Expected practice for professional network operations
ROAs and IP Leasing
When you lease IP addresses from IP Market, we create ROA records that authorize your ASN to announce the leased prefixes.
This ensures your announcements are validated and your traffic routes reliably across networks that enforce RPKI.