{
    "@context": "https://schema.org",
    "@type": "DefinedTerm",
    "@id": "https://hostdir.net/glossary/route-origin-authorisation",
    "name": "Route Origin Authorisation",
    "alternateName": [
        "ROA"
    ],
    "description": "A Route Origin Authorisation (ROA) is a cryptographically signed RPKI object that specifies which autonomous system (AS) is authorised to originate a given IP prefix, enabling BGP origin validation.",
    "url": "https://hostdir.net/glossary/route-origin-authorisation",
    "inDefinedTermSet": "https://hostdir.net/glossary",
    "termCode": "route-origin-authorisation",
    "mainEntityOfPage": "https://hostdir.net/glossary/route-origin-authorisation",
    "license": "https://creativecommons.org/licenses/by/4.0/",
    "_hostdir": {
        "kind": "glossary-term",
        "slug": "route-origin-authorisation",
        "canonical": "https://hostdir.net/glossary/route-origin-authorisation",
        "term": "Route Origin Authorisation",
        "category": "Networking & Routing",
        "category_slug": "networking-routing",
        "summary": "A Route Origin Authorisation (ROA) is a cryptographically signed RPKI object that specifies which autonomous system (AS) is authorised to originate a given IP prefix, enabling BGP origin validation.",
        "definition": "A Route Origin Authorisation (ROA) is a digitally signed record in the Resource Public Key Infrastructure (RPKI). It binds a specific IP prefix (or a range of more-specific prefixes via a maximum length) to a single autonomous system number (ASN) that is allowed to originate that prefix in BGP. The ROA is created by the prefix holder, signed with the private key corresponding to the resource certificate for that prefix, and published in a public RPKI repository.\n\nWhen a network operator deploys RPKI-based route origin validation (ROV), validated ROA data is fetched from the repositories and delivered to their routers, which compare incoming BGP updates against it. For each prefix, the router checks whether the originating AS in the update matches the ASN listed in any valid ROA covering that prefix. The result is one of three states: valid (a covering ROA matches the origin AS and the prefix length is within the maximum length), invalid (one or more covering ROAs exist but none matches, because of an AS mismatch or a prefix more specific than the maximum length), or not-found (no ROA covers the prefix). Routes marked invalid can be rejected or given lower preference, helping to prevent prefix hijacking and accidental misannouncements.\n\nROAs are a foundational component of RPKI-based BGP security. They address only the origin of a route, not the full AS path. For path validation, the BGPsec protocol extends RPKI certificates to sign each AS hop. ROAs are defined in RFC 6482 and their use in BGP origin validation is specified in RFC 6811. Adoption of ROAs has grown steadily since 2010, with major network operators and cloud providers publishing ROAs for their prefixes.",
        "examples": "A network operator owns the prefix 198.51.100.0/24 and wants only AS 64496 to originate it. They create an ROA with AS 64496, prefix 198.51.100.0/24, and maximum length /24. Later, a different AS (64497) announces 198.51.100.0/24. A router performing ROV checks the ROA, sees the origin AS mismatch, and marks the route as invalid. The operator can then discard that route, preventing a potential hijack.",
        "key_facts": [
            "ROAs are signed using the private key of the prefix holder's RPKI resource certificate.",
            "Each ROA contains an AS number, a prefix, and an optional maximum prefix length.",
            "ROAs are published in RPKI repositories; a relying-party validator fetches and verifies them and delivers the resulting prefix-to-AS data to routers via the RPKI-to-Router (RTR) protocol.",
            "ROAs only validate the origin AS; they do not protect against AS path manipulation.",
            "A BGP route is considered invalid if its origin AS does not match any valid ROA for that prefix."
        ],
        "related_terms": [
            "Resource Public Key Infrastructure (RPKI)",
            "Route Origin Validation (ROV)",
            "BGP",
            "BGPsec",
            "Prefix Hijacking",
            "Autonomous System (AS)",
            "Resource Certificate"
        ],
        "references": [
            {
                "title": "RFC 6480: An Infrastructure to Support Secure Internet Routing",
                "url": "https://datatracker.ietf.org/doc/rfc6480/"
            },
            {
                "title": "RFC 6482: A Profile for Route Origin Authorizations (ROAs)",
                "url": "https://datatracker.ietf.org/doc/rfc6482/"
            },
            {
                "title": "RFC 6811: BGP Prefix Origin Validation",
                "url": "https://datatracker.ietf.org/doc/rfc6811/"
            }
        ],
        "word_count": 240,
        "license": "CC BY 4.0",
        "license_url": "https://creativecommons.org/licenses/by/4.0/",
        "attribution": "HostDir Glossary — https://hostdir.net/glossary/route-origin-authorisation"
    }
}