
CONCEPT Cited by 1 source

RPKI (Resource Public Key Infrastructure)

RPKI is the public-key infrastructure that lets holders of Internet number resources (ASNs, IP prefixes) cryptographically attest to who is authorized to do what with them. Its primary production consumer is Route Origin Validation (ROV) in BGP (RFC 6811); BGPsec (RFC 8205) and the emerging ASPA path validation also consume RPKI objects. RFC 9234 (BGP roles and the Only-To-Customer attribute) targets the same route-leak problem as ASPA but needs no RPKI objects, only agreed peer roles in configuration.

See Cloudflare's RPKI portal for a live deployment view.

Primitives

  • Trust anchor: each of the five RIRs (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) operates a trust anchor for resources allocated from its pool; RP software locates each one through a Trust Anchor Locator (TAL, RFC 8630) shipped with the validator.
  • Certificate: each resource holder receives an X.509 resource certificate (RFC 6487) binding their public key to the IP prefixes and ASNs they hold via the RFC 3779 extensions; certificates are issued down the allocation hierarchy (RIR to LIR/ISP to customer), so a child can never certify resources its parent did not give it.
  • ROA (Route Origin Authorization): the holder of a prefix signs an object declaring "AS X is authorized to originate this prefix (and optionally more-specifics up to maxLength L)." A ROA naming AS 0 authorizes nobody and is the standard way to say a prefix must not appear in BGP. A loose maxLength lets anyone who forges the origin AS announce an accepted more-specific, so keep maxLength equal to the prefix length unless those more-specifics are really announced (RFC 9319).
  • ASPA (Autonomous System Provider Authorization): the holder of an ASN signs an object declaring "these ASNs are my authorized upstream providers." It is newer than ROAs and far less widely deployed.
  • RP (Relying Party) software: a validator (e.g. Routinator, rpki-client, FORT, OctoRPKI) fetches the repositories over rsync/RRDP, validates the certificate chains and signed objects, and exports the result as Validated ROA Payloads (VRPs: prefix, maxLength, origin AS) to routers over the RPKI-to-Router protocol (RTR, RFC 8210). Routers do not parse RPKI objects themselves; they only apply the VRP set in their import policy.

What RPKI-backed ROV protects against

ROV compares a route's origin AS (the last AS in AS_PATH) and prefix length against the VRPs covering the prefix (RFC 6811). A route is Valid if some covering VRP lists that origin and the prefix is no longer than that VRP's maxLength, Invalid if VRPs cover the prefix but none match, and NotFound if no ROA covers the prefix at all. Operators typically drop Invalid and accept both Valid and NotFound, so the protection only applies to prefixes whose holders have published ROAs. This prevents route misorigination / hijacks, i.e. someone announcing a prefix they don't hold under their own AS. ROV does not protect against route leaks where the origin is correct but the path is wrong; that's what ASPA is for. Nor does it stop a forged-origin hijack, where the attacker prepends the legitimate origin AS to the path: ROV sees only the origin, so such an announcement validates, which is why loose maxLength values are dangerous and why path validation (ASPA, BGPsec) is needed.
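The decision procedure above, as an added example in Python that is not code from the page, from any RP implementation or from any router vendor. The VRP table is constructed from documentation prefixes and private-use ASNs; validate_route takes a route's prefix and AS_PATH and reports Valid, Invalid or NotFound, and accept applies the usual drop-Invalid policy. The usage block includes the forged-origin case: a path of 64500 then 64496 validates because only the origin is checked.

```python
"""Route Origin Validation (RFC 6811) against a set of Validated ROA Payloads.

Added example, not code from the page or from any RP implementation. The VRP
table below is constructed from documentation prefixes and private-use ASNs.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Sequence, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class RovState(Enum):
    VALID = "valid"          # a covering VRP matches origin AS and maxLength
    INVALID = "invalid"      # covering VRP(s) exist, none match
    NOT_FOUND = "not-found"  # no ROA covers the prefix at all


@dataclass(frozen=True)
class Vrp:
    """One Validated ROA Payload as an RP exports it over RTR (RFC 8210)."""
    prefix: IPNetwork
    max_length: int
    origin_asn: int


def make_vrp(prefix: str, max_length: int, origin_asn: int) -> Vrp:
    """Build a VRP, rejecting a maxLength outside [prefixlen, address width]."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return Vrp(net, max_length, origin_asn)


def _covers(vrp: Vrp, route: IPNetwork) -> bool:
    # A VRP covers a route when the route equals the VRP prefix or is a
    # more-specific of it; the version check avoids a v4/v6 TypeError.
    return route.version == vrp.prefix.version and route.subnet_of(vrp.prefix)


def validate_route(route_prefix: str, as_path: Sequence[int],
                   vrps: Iterable[Vrp]) -> RovState:
    """Classify one BGP route per RFC 6811 section 2.

    Only the origin AS (last element of AS_PATH) is consulted; the rest of
    the path plays no part in ROV. AS_SET origins are not modelled here.
    """
    if not as_path:
        raise ValueError("AS_PATH must contain at least the origin AS")
    origin = as_path[-1]
    # AS 0 must never appear in a real AS_PATH (RFC 7607); treating such a
    # route as Invalid keeps an AS0 ROA from ever being matched.
    if origin == 0:
        return RovState.INVALID
    route = ipaddress.ip_network(route_prefix, strict=True)
    covering = [v for v in vrps if _covers(v, route)]
    if not covering:
        return RovState.NOT_FOUND
    # An AS0 ROA (RFC 6483 s.4) can never match a real origin, so it turns
    # every covered route Invalid: that is how a holder says "do not route".
    for v in covering:
        if v.origin_asn == origin and route.prefixlen <= v.max_length:
            return RovState.VALID
    return RovState.INVALID


def accept(state: RovState) -> bool:
    """Common operator policy: drop Invalid, accept Valid and NotFound."""
    return state is not RovState.INVALID


# Constructed VRP table (documentation prefixes, private-use ASNs).
VRPS = [
    make_vrp("192.0.2.0/24", 24, 64496),
    make_vrp("198.51.100.0/22", 24, 64497),   # loose maxLength: /22../24 all OK
    make_vrp("203.0.113.0/24", 24, 0),        # AS0 ROA: nobody may originate this
    make_vrp("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    for prefix, path in [
        ("192.0.2.0/24", [64500, 64496]),   # forged-origin hijack: passes ROV
        ("192.0.2.0/24", [64500]),          # misorigination: Invalid
        ("192.0.2.0/25", [64496]),          # right AS, too specific: Invalid
        ("198.51.100.0/23", [64497]),       # within maxLength: Valid
        ("203.0.113.0/24", [64498]),        # AS0 ROA: Invalid
        ("10.0.0.0/8", [64499]),            # no ROA: NotFound, accepted
    ]:
        state = validate_route(prefix, path, VRPS)
        print(f"{prefix:18} path {path}: {state.value:9} accept={accept(state)}")
```

The forged-origin line is the caveat in the paragraph made concrete: nothing in the VRP set distinguishes 64496 originating its own prefix from 64500 announcing it with 64496 appended, so ROV alone cannot reject it.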
