RPKI


About RPKI

What is RPKI?

Resource Public Key Infrastructure (RPKI) is a public key infrastructure framework designed to secure the Internet's routing infrastructure, specifically the Border Gateway Protocol (BGP). RPKI provides a way to bind Internet number resource information (such as IP addresses and AS numbers) to a trust anchor. Using RPKI, the legitimate holders of number resources can constrain how Internet routing protocols use those resources, preventing route hijacking and other attacks.

Why do we need RPKI?

Routing protocols are potentially at risk of attacks that can harm individual users or network operations as a whole. RPKI was specified by the IETF to provide a secure means to certify the allocation of Internet number resources, as a step towards securing routing. The Internet Architecture Board considers a “properly designed and deployed RPKI an absolute prerequisite to having a secure global routing system, which is in turn a prerequisite to having a reliable worldwide Internet.”

What is ROA?

A ROA (Route Origin Authorization) is a signed attestation about a BGP route announcement. It attests that the named origin AS number is authorized to announce the listed prefix(es), up to the maximum prefix length (maxLength) stated in the ROA. The attestation can be verified cryptographically using RPKI.

How does SGIX validate IRR and RPKI?

Every route that a peer announces is RPKI-validated and checked against Internet Routing Registry (IRR) data. The AS-SET that the peer provides to us is recursively resolved. Filtering is then executed as follows:

  1. The origin ASN must appear in the peer's AS-SET, which must be well maintained and include all downstream ASNs.
  2. Is the route a blackhole?

If yes, the route undergoes loose RPKI validation filtering (origin only):

  • If the result is RPKI Valid, the route is accepted.
  • If the result is RPKI Invalid, the route is rejected.
  • If the result is RPKI NotFound/Unknown, the route server checks whether the route is resolvable for its origin ASN (that is, whether a proper IRR route object exists), and the route is accepted or rejected depending on the outcome.

If no, the route undergoes strict RPKI validation filtering (origin and maxLength):

  • If the result is RPKI Valid, the route is accepted.
  • If the result is RPKI Invalid, the route is rejected.
  • If the result is RPKI NotFound/Unknown, the route server checks whether the route is resolvable for its origin ASN (that is, whether a proper IRR route object exists), and the route is accepted or rejected depending on the outcome.
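The following is an added worked example, not SGIX's route-server code or configuration, that implements the ROA matching described under "What is ROA?" and the two-step filter above: AS-SET membership, then RPKI origin validation in the style of RFC 6811 in either loose mode (origin only, used for blackholes) or strict mode (origin and maxLength), with an IRR fallback when no covering ROA exists. The ROAs, AS-SET members and IRR route objects are constructed sample data using documentation prefixes and private-use ASNs; the function names and the assumption that the IRR fallback is decided by an exact (prefix, origin) route-object match are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Set, Tuple


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorization: prefix, maxLength and the authorized origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


def rpki_validate(prefix: str, origin_asn: int, roas: Iterable[Roa], check_max_length: bool) -> str:
    """Route Origin Validation in the style of RFC 6811.

    Returns "valid", "invalid" or "notfound". With check_max_length=True the
    announced prefix length must not exceed the ROA's maxLength (strict mode:
    origin and maxLength). With check_max_length=False only the origin AS is
    compared (loose mode, which SGIX applies to blackhole routes whose very
    specific prefixes would otherwise fail the maxLength check).
    """
    route = ipaddress.ip_network(prefix, strict=False)
    # A ROA "covers" the route when the ROA prefix contains the announced prefix,
    # regardless of origin or maxLength. No covering ROA at all means NotFound.
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"
    # Valid if any covering ROA names this origin (and, in strict mode, permits
    # this prefix length); otherwise the announcement contradicts every ROA.
    for roa in covering:
        if roa.origin_asn != origin_asn:
            continue
        if check_max_length and route.prefixlen > roa.max_length:
            continue
        return "valid"
    return "invalid"


def route_server_decision(prefix: str, origin_asn: int, is_blackhole: bool,
                          as_set_members: Set[int], roas: Iterable[Roa],
                          irr_route_objects: Set[Tuple[str, int]]) -> str:
    """Apply the two-step filter: AS-SET membership, then RPKI with IRR fallback."""
    # Step 1: the origin must be in the peer's recursively expanded AS-SET.
    if origin_asn not in as_set_members:
        return "reject"
    # Step 2: loose validation (origin only) for blackholes, strict otherwise.
    state = rpki_validate(prefix, origin_asn, roas, check_max_length=not is_blackhole)
    if state == "valid":
        return "accept"
    if state == "invalid":
        return "reject"
    # NotFound/Unknown: fall back to the IRR. Assumption in this example: an
    # exact (prefix, origin ASN) route object decides acceptance.
    return "accept" if (prefix, origin_asn) in irr_route_objects else "reject"


# Constructed sample data (RFC 5737 documentation prefixes, private-use ASNs).
SAMPLE_ROAS = (
    Roa("192.0.2.0/24", 24, 64496),      # /24 only, no more-specifics allowed
    Roa("198.51.100.0/22", 24, 64497),   # /22 down to /24 permitted
)
SAMPLE_AS_SET = {64496, 64497}
SAMPLE_IRR = {("203.0.113.0/24", 64496)}  # route object, but no ROA for this prefix

if __name__ == "__main__":
    cases = [
        ("192.0.2.0/24", 64496, False),    # strict, valid        -> accept
        ("192.0.2.1/32", 64496, False),    # strict, exceeds maxLength -> reject
        ("192.0.2.1/32", 64496, True),     # blackhole, loose     -> accept
        ("203.0.113.0/24", 64496, False),  # notfound, IRR object -> accept
        ("203.0.113.0/24", 64497, False),  # notfound, no object  -> reject
        ("192.0.2.0/24", 64498, False),    # origin not in AS-SET -> reject
    ]
    for pfx, asn, bh in cases:
        print(pfx, asn, "blackhole" if bh else "normal",
              route_server_decision(pfx, asn, bh, SAMPLE_AS_SET, SAMPLE_ROAS, SAMPLE_IRR))
```

The /32 blackhole case shows why loose mode exists: the same announcement is RPKI Invalid under strict validation because it exceeds the ROA's maxLength of 24, yet its origin is legitimate, so the origin-only check lets the blackhole through while a non-blackhole more-specific of the same prefix is still rejected.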